Hero - Beginner’s Guide to PCI DSS Compliance

Beginner’s Guide to PCI DSS Compliance

In ancient times, before social media’s pervasiveness, when chat rooms and forums ruled the Internet, the five largest credit card companies (Mastercard, Visa, American Express, Discovery, and JCB) handled their security programs independently – until the fateful year of 2005.

What is PCI DSS Compliance?

In 2005, the “Big Five” came together to consolidate their policies and form the Payment Card Industry Security Standards Council or, the PCI SSC. The PCI SSC set the standards for companies (read: anyone handling credit card data) to secure credit card data. Those standards are better known as the Payment Card Industry Data Security Standards, or PCI DSS for short.

PCI DSS is a creation of logic, order, and many, many requirements nested under twelve main requirement branches. Naturally, the image of a supercomputer or advanced robot came to mind as an analogy. It’s a tool of defense against the bad actors of fraud, security breaches, and theft.

So What Allows an Organization to Be PCI DSS Compliant?

PCI DSS is a construct with many tools designed to combat a wide variety of specific threats. The documentation associated with it, or the “manuals”, are extensive; however, there are three main guidelines that outline what merchants are responsible for doing:

  1. Customer credit card data are collected and transmitted securely.
  2. Storing data securely with tools such as encryption, security testing, and monitoring.
  3. Annual validation that the proper controls are in place and functional, enforced by audits, and requested by customers and/or partners.

What Are the 12 Requirements of PCI DSS?

As mentioned before, PCI DSS has twelve main requirements for its components. There are many sub-requirements, but they fall under the three main guidelines:

  1. Firewall configuration to protect data.
  2. Customized passwords for the interface (no vendor defaults).
  3. Protections for stored cardholder data.
  4. A method of encryption when transferring that data across systems or over public networks.
  5. Regularly updated malware and anti-virus software.
  6. Maintained and secure systems, tools and applications.
  7. Restricted access to cardholder data.
  8. Monitoring of access to the system and proper authentication.
  9. Limit physical access to cardholder data.
  10. Tracking and monitoring of all access to networks and data.
  11. Regular testing of systems, controls and processes in place.
  12. Maintaining a policy and ensuring all parties interacting with sensitive data know the rules.

Final Thoughts: What Is PCI DSS Compliance

There are also multiple levels for different types of organizations that determine what security requirements are needed for compliance. The level is determined by the size of the organization and risks posed, as well as types of tools available to that organization.

While much of this can appear overwhelming, just remember that PCI DSS is designed to be a standardized construct with a wide set of tools at its disposal to combat the various threats lurking below the waters. The key is bringing the right tool to the fight.

Click here to learn more about PCI Audits.