The challenges of the PCI DSS standard

by | Oct 25, 2021 | Begginers | 0 comments

PCI DSS

The PCI DSS (Payment Card Industry Data Security Standards) was created as a result of collaboration between the world’s major payment systems players in 2006. Visa, Mastercard, JCB, Discover and American Express created a council to oversee all security standards related to the processing of credit card data.

PCI DSS schéma

Source : PCI DSS

The PCI DSS are the result of a consensus of the world’s largest card issuers who felt the need to counter online fraud. Remember that these security standards were implemented in 2006, at a time when online commerce was still lacking regulations. In line with the standards on transaction security we talked about last week, the PCI DSS standards therefore reinforce Internet transactions.

In concrete terms, every company whose business is processing cardholder data must comply with these standards. The fact that a company is “stamped” PCI DSS assures its customers that it has put in place means to protect their card data, especially for online transactions.

Unfortunately, young Fintechs are the most affected by fraud, as their detractors are well aware of the lack of resources and security of these small players compared to behemoths like VISA and Mastercard. The PCI DSS standards have therefore come to accompany them in their quest for enhanced security for their customers’ transactions.

This is ultimately the main role of this standard: to help merchants and financial institutions understand and implement appropriate security standards. With Open Banking and the constant emergence of new and innovative principles in the payment world, PCI DSS acts as a guide for any player wanting to secure the processing of their customers’ credit card transactions.

 

Note: the PCI DSS compliance obligation is defined by the card brands (Visa, MasterCard, etc.), and it is imposed differently depending on the actor, the type of activity, the type of payment or the transaction volume. 

 

 

12 / 12 points to respect to be PCI DSS compliant

 

In order to clarify the PCI DSS compliance process, the Council mentioned above has defined 12 requirements. A company wishing to achieve this compliance must therefore respect and apply these requirements.

PCI DSS 12 REQUIREMENTS

Source : OPUS Interactive

The first step cited by the Council concerns the construction and maintenance of a secure network. Two prerequisites are linked to this:

  • Install and maintain a firewall set up to protect cardholder data.
  • Do not use the default values for system passwords and other security settings.

The second step is simply to ensure that cardholder data is properly protected. There are two other prerequisites here:

  • Protect stored credit card data…
  • …by encrypting data transmission over public and open networks.

Once the network is secured and the data is stored in a safe place, the Council requires the maintenance of a Vulnerability Management Program to which two prerequisites are attached:

  • The use of an up-to-date and efficient antivirus software.
  • The development and maintenance of secure systems and applications.

The next step in PCI DSS compliance is to implement strong data access control measures. Three prerequisites are mentioned here:

  • Restrict access to commercially relevant cardholder data (excluding any unnecessary personal information).
  • Assign a unique ID to each person with access to the network.
  • Limit physical access to cardholder data.

The nine prerequisites presented above are closely related to the fundamental infrastructure that an enterprise must have in order to be standards compliant. The last three are related to the monitoring of that infrastructure:

  • Regularly monitor the network by tracking all accesses.
  • Test security systems frequently to ensure that they are working properly.
  • Maintain a policy addressing information security for employees and contractors.

These twelve prerequisites can be considered as the basic rules to be applied when a company wishes to process the credit card data of its customers. Although special cases exist, compliance with these PCI DSS standards ensures that measures have been taken to protect bank data.

Like the PSDs we mentioned in a previous article, these security standards are not fixed and will evolve in parallel with the new payment methods that appear every day. The PCI DSS standard can nevertheless be considered as one of the pillars of security related to credit card transactions, especially those online.

*https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Share This