PCI Data Security Standard Compliance
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for security management, policies, procedures, network architecture, software design and other protective measures. The standard is intended to help organizations proactively protect customer account data. PCI DSS was developed by the PCI Security Standards Council, whose members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
Listed below are PCI Data Security Standard’s 12 basic requirements, built around a core group of principles:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data. All systems must be protected from unauthorized access from the internet, whether entering the system as e-commerce, employees’ internet-based access through desktop browsers, or employees’ email access.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. These passwords and settings are well known in hacker communities and easily determined via public information.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data. Encryption is a critical component of cardholder data protection. Other methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number is not needed, and not sending it in unencrypted e-mails.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software. Anti-virus software must be used and regularly updated on all systems commonly affected by viruses to protect systems from malicious software.
Requirement 6: Develop and maintain secure systems and applications. Many security vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access. This requirement ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data. Determining the cause of a compromise is very difficult without system activity logs.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.
Who must comply with PCI DSS? PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. All merchants must comply with this standard and periodically review their compliance. Failing to do so can result in significant fines and, potentially, in cancellation of their merchant accounts.
What data can you store? The following table shows what data can and cannot be stored:
Data Type | Data Element | Storage Permitted | Protection Required |
Cardholder data | Primary account number (PAN) | Yes | Yes |
Cardholder data | Cardholder name* | Yes | Yes |
Cardholder data | Service code* | Yes | Yes |
Cardholder data | Expiration date* | Yes | Yes |
Sensitive authentication data** | Full magnetic stripe | No | n / a |
Sensitive authentication data** | Card Verification Code | No | n / a |
Sensitive authentication data** | PIN / PIN block | No | n / a |
* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of these data or proper disclosure of a company’s practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
**Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
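The storage table and Requirement 3 translate directly into a pre-storage gate. The following is an added example, not code from the original page or from the PCI Security Standards Council: it rejects any record still carrying sensitive authentication data after authorization, truncates the PAN unless the full number is genuinely needed, and reports which stored elements need protection. The field names, the last-four-digits truncation format and the 13 to 19 digit PAN length check are assumptions; the sample records are constructed.

```python
import re

# Sensitive authentication data (SAD): the table says it must never be stored
# after authorization, even encrypted, so a storage gate rejects it outright.
SAD_FIELDS = {"full_magnetic_stripe", "card_verification_code", "pin", "pin_block"}
# Elements the table allows in storage but which need protection when kept
# together with the PAN (first footnote).
PROTECT_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}


def truncate_pan(pan: str) -> str:
    """Mask all but the last four digits. The page only says to truncate when
    the full PAN is not needed; keeping the last four is an assumed format."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:  # assumed plausible PAN length range
        raise ValueError("PAN must contain 13 to 19 digits")
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_for_storage(record: dict, full_pan_needed: bool = False):
    """Return (storable_record, fields_requiring_protection) for a record that
    is past authorization, or raise if it would violate the storage table."""
    sad_present = SAD_FIELDS & set(record)
    if sad_present:
        raise ValueError(
            "sensitive authentication data must not be stored: "
            + ", ".join(sorted(sad_present)))
    stored = dict(record)
    protect = set()
    if "pan" in stored:
        if full_pan_needed:
            # Full PAN retained only when the business genuinely needs it;
            # Requirement 3 then demands it be protected (e.g. encrypted at rest).
            protect.add("pan")
        else:
            stored["pan"] = truncate_pan(stored["pan"])
        # Conservative reading of the footnote: treat these as needing
        # protection whenever any form of the PAN is in the same record.
        protect |= PROTECT_WITH_PAN & set(stored)
    return stored, sorted(protect)


# Constructed sample records (not real card data).
GOOD = {"pan": "4111 1111 1111 1111", "cardholder_name": "J. Doe",
        "expiration_date": "12/30", "amount": "19.99"}
BAD = dict(GOOD, card_verification_code="123")
```

Calling sanitize_for_storage(GOOD) returns a masked PAN and flags the name and expiry for protection, while sanitize_for_storage(BAD) raises because the verification code is present.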
Merchant level definitions for PCI certification.
Merchant Level | Definition |
Level 1 | Level 1 are merchants processing over 6 million Visa or MasterCard transactions per year. |
Level 2 | Level 2 are merchants processing from 150,000 to 6 million Visa or MasterCard transactions per year. |
Level 3 | Level 3 are merchants processing from 20,000 to 150,000 Visa or MasterCard transactions per year. |
Level 4 | Level 4 are all merchants not included in Levels 1, 2 or 3. |
PCI certification requirements by merchant level.
Merchant Level | Annual On-Site Review | Annual Self-Assessment | Quarterly Security Scans |
Level 1 | Required by a certified 3rd party. | n / a | Required by a certified 3rd party for external IP addresses.* |
Level 2 | n / a | Required to complete questionnaire.** | Required by a certified 3rd party for external IP addresses.* |
Level 3 | n / a | Required to complete questionnaire.** | Required by a certified 3rd party for external IP addresses.* |
Level 4 | n / a | Recommended annually. | Recommended annually. |
*Internet accessible.
**PCI self-assessment questionnaire.
Image credit: Ascentor.co.uk.