The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for businesses that handle branded credit cards from the major card schemes such as MasterCard, Visa and American Express.
The PCI DSS is required by those handling cardholder data, whether you are a start-up or a global enterprise. The compliance framework is an industry- mandated set of standards, with the intention to keep consumer card data safe while it’s being used by the service providers.
PCI DSS Framework
The PCI DSS compliance framework applies to all businesses that store, process or transmit cardholder data. Each PCI member has their own compliance program to protect their cardholder’s data.
There are six primary requirements for correct compliance within the PCI DSS framework:
- Build and maintain a secure network
- A firewall configuration must be installed to help protect sensitive cardholder data
- Creation of a unique password to maximise system security
- Protect cardholder data
- Cardholder data that is kept in storage must be protected from unauthorized alteration
- Data should be encrypted when transmitting to open networks, to avoid third parties
- Maintain a vulnerability management program
- Anti-virus software must be used
- All systems and applications that are being used to process information must be made secure
- Implement strong access control measures
- Access to cardholder information should be completely restricted
- Unique identifiers must be assigned to individuals with computer systems access
- Regularly monitor and test networks
- Access to any resource within the network must be fully monitored
- Tests should be regularly applied for all security systems
- Maintain an information security policy
- Implement a security policy for all employees and contractors
Merchant Levels
The PCI DSS contains a set of requirements to help organisations prevent payment data breaches and payment card fraud. There are four PCI merchant levels, with each level determined by the number of transactions the organisation handles each year. The levels are:
- Merchants processing more than 6 million Visa, MasterCard, or Discover transactions annually via any channel.
- Merchants processing between 1 million and 6 million Visa, MasterCard or Discover transactions per year via any channel.
- Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually.
- Merchants processing less than 20,000 Visa or MasterCard e-commerce transactions annually.
Merchants in Level 1 handle the largest number of transactions, and have resource-intensive requirements which need outside validation, whereas in Level 4 the process is much simpler and less expensive.
PCI DSS Version 4.0
PCI-DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, and was released on 31st March 2022. Like all versions of PCI DSS, version 4.0 is a comprehensive set of guidelines aimed at securing systems involved in the processing, storage, and transmission of credit card data. The organization that is responsible for PCI DSS has set four objectives to guide the creation of Version 4.0:
- Ensure the standard continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
For more information about PCI DSS v4.0, and how your organisation can comply with requirements, please contact us.
Author: Mahdi Kobeissi, Cyber Security Consultant