
What is PCI Compliance? Explanation of 12 Requirements and More


PCI compliance, or Payment Card Industry compliance, means adhering to the policies, procedures and technical controls defined to protect payment card (credit, debit and prepaid) transactions and to prevent the theft and misuse of cardholder data. All major card brands, including American Express, Discover Financial Services, JCB International, Mastercard and Visa, require every merchant and service provider that stores, processes or transmits their cardholder data to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council (PCI SSC), founded by those brands in 2006, develops and maintains the standard; the brands and the acquiring banks that act for them enforce it through contracts, validation requirements and fines.

The purpose of PCI compliance is to secure every part of the environment that touches card data, the cardholder data environment (CDE) and anything connected to it: wireless networks, e-commerce applications, point-of-sale systems, mobile devices, workstations, servers and even paper records. It aims to protect cardholder data from breaches while it is stored, while it moves across internal networks and while it is transmitted to and from service providers. Compliance with PCI DSS means meeting 12 requirements, grouped under six control objectives, that cover network security controls, secure configuration, protection of stored and transmitted data, malware defence and patching, access control, logging and monitoring, security testing and security policy.

Requirement 1 is to install and maintain network security controls (firewalls and equivalent filtering) that restrict traffic into and out of the cardholder data environment to what the business needs; rule sets must be documented and justified, reviewed at regular intervals, and tested whenever configurations change. Requirement 2 is to apply secure configurations to all system components and never rely on vendor-supplied defaults: default passwords, SNMP community strings and unnecessary default accounts must be changed or removed, and unneeded services disabled, before a system is placed on a network from which it can reach cardholder data.

Requirement 3 is to protect stored cardholder data: store only what the business needs, keep it no longer than a documented retention policy allows, and securely delete data that exceeds that period at least once a quarter. Wherever the primary account number (PAN) is stored it must be rendered unreadable, by one-way hashing, truncation, tokenization or strong cryptography, and it must be masked when displayed, so that at most the first six and last four digits are visible. Sensitive authentication data (full track data, the card verification code and the PIN) must never be stored after authorization. Requirement 4 is to encrypt the transmission of cardholder data across open, public networks, using strong cryptography and trusted keys and certificates whenever the data crosses the internet, wireless networks, cellular networks or satellite links.

Requirement 5 is to protect all systems and networks from malicious software: anti-malware software must be deployed on all systems that can be affected by malware and that may come into contact with cardholder data, kept current, actively running and generating audit logs that cannot be disabled by ordinary users. Requirement 6 is to develop and maintain secure systems and software, which means identifying new vulnerabilities and ranking them by risk, installing critical security patches within one month of release, following secure coding practices for in-house applications, and protecting public-facing web applications against known attacks.

Requirement 7 restricts access to cardholder data on a need-to-know basis, the principle of least privilege: access is granted only to individuals whose job responsibilities require it, and it is denied by default. Requirement 8 requires that every user with computer access has a unique ID, so that actions can be traced to an individual, and that strong authentication is used; multi-factor authentication is mandatory for all access into the cardholder data environment and for remote access to the network. Requirement 9 covers physical access: only approved personnel may reach the facilities, devices and media (including paper records) that hold cardholder data, and media must be classified, tracked and destroyed when no longer needed.

Requirement 10 is to log and monitor all access to system components and cardholder data: audit logs must link each event to an individual user, be protected from tampering, be reviewed regularly, and be retained for at least one year with the most recent three months immediately available, so that a breach can be reconstructed and future attacks defended against. Requirement 11 is to test security regularly: quarterly internal vulnerability scans and external scans by an Approved Scanning Vendor, annual penetration testing, detection of unauthorized wireless access points, and change-detection mechanisms on critical files. Requirement 12 is to maintain an information security policy that is reviewed at least annually, supported by risk assessments, security awareness training, and an incident response plan.

Cardholder data, as PCI DSS defines it, is at minimum the full primary account number (PAN, the card number), together with any of the following when they are stored, processed or transmitted alongside the PAN: cardholder name, expiration date and service code. It is distinct from sensitive authentication data (full track data, card verification code and PIN), which is subject to stricter rules and may not be retained after authorization. PCI compliance requires merchants to regularly purge cardholder data that is not necessary for day-to-day business functions.
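The two data-protection duties described above, rendering stored PANs unreadable and purging cardholder data that has outlived its retention period, are where stray copies of card numbers in logs and databases usually trip up an assessment. The following is an added example, not code from the original article or from the PCI SSC: it finds Luhn-valid PANs in text, masks them to the first six and last four digits (the most PCI DSS permits on a displayed PAN), and lists stored records that have passed an assumed 90-day retention policy. The function names, record layout and log lines are constructed for this illustration.

```python
"""
Added example (not from the original article or the PCI SSC): locate PANs in
free text, mask them for display, and flag stored records past retention.
Function names, record fields and sample data are assumptions made here.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or hyphens.
# Deliberately permissive; the Luhn check below provides the precision.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by all major
    card brands. This filters out order numbers and IDs that merely look like
    a PAN, which would otherwise produce false positives when scanning logs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, keeping the first six (BIN) and last four digits,
    which is the maximum PCI DSS allows on a rendered PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in text with its masked form and return
    (redacted_text, count). Application logs are a common place where unneeded
    cardholder data accumulates, so this is what a log scrubber would do."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)        # not a PAN: leave the text untouched

    return _PAN_CANDIDATE.sub(_sub, text), count


def records_past_retention(records: list[dict], today: str,
                           retention_days: int = 90) -> list:
    """Return the ids of stored records captured before the retention cutoff.
    PCI DSS requires a documented retention policy and secure deletion of data
    that exceeds it at least quarterly; 90 days is an assumed policy value,
    not a figure from the standard. Dates are ISO-8601 strings (YYYY-MM-DD)."""
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    return [r["id"] for r in records
            if date.fromisoformat(r["captured"]) < cutoff]


# Constructed sample input: two real (test) PANs, one near-miss order reference.
SAMPLE_LOG = (
    "2024-05-01T10:22:13Z checkout user=alice pan=4111111111111111 "
    "ref=4111111111111112 amex=3782 822463 10005 amount=42.10"
)
SAMPLE_RECORDS = [
    {"id": "txn-1001", "captured": "2024-01-03"},
    {"id": "txn-1002", "captured": "2024-04-01"},
]

if __name__ == "__main__":
    scrubbed, hits = redact_pans(SAMPLE_LOG)
    print(f"{hits} PAN(s) masked: {scrubbed}")
    print("past retention:", records_past_retention(SAMPLE_RECORDS, "2024-04-15"))
```

The regex is intentionally loose so that separators and unusual lengths are not missed; the Luhn check is what keeps an order reference or timestamp from being rewritten. Masking is only for display and logging: a PAN that must actually be kept in a database still has to be truncated, tokenized, hashed or encrypted under Requirement 3, and a log line that contained a clear-text PAN was already a finding before the scrubber ran.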

PCI DSS 1.0 was published by the card brands in December 2004, and the PCI SSC took over the standard when it was formed in 2006. Since then there have been four major versions (1.0, 2.0, 3.0 and 4.0), with interim releases such as 3.2.1 that tightened individual requirements. The most recent major version, PCI DSS 4.0, was released in March 2022 and replaced 3.2.1 when that version was retired on 31 March 2024; its future-dated requirements became mandatory on 31 March 2025, and a clarifying revision, 4.0.1, followed in June 2024. Version 4.0 expands multi-factor authentication to all access into the cardholder data environment, raises the minimum password length to 12 characters, adds anti-phishing controls, and introduces requirements for managing and tamper-checking the scripts on e-commerce payment pages.

In 2013, the PCI SSC published the "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users" to educate merchants on the risks of accepting card payments on mobile devices. The guidelines recommend how to secure the mobile device itself and the payment acceptance hardware and software that runs on it. Because consumer mobile platforms could not yet meet those recommendations, the PCI SSC pointed merchants to PCI-validated point-to-point encryption (P2PE) solutions, in which card data is encrypted in the reader before it reaches the mobile device, as the preferred option.

Overall, PCI compliance is crucial for protecting cardholder data and securing credit, debit and prepaid card transactions. By meeting the 12 requirements of PCI DSS and keeping up with the evolving standard, organizations reduce the risk and impact of a breach, avoid brand fines and loss of processing privileges, and maintain the trust of their customers.
