|Knowledge base contents are continuously uploaded, therefore it is worthwhile to visit our page regularly!
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
Why comply with the PCI DSS?
- Trust means your customers have confidence in doing business with you
- Confident customers are more likely to be repeat customers, and to recommend you to others
- Compliance improves your reputation with acquirers and payment brands
- Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:
- Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
- You’ll have a basis for a corporate security strategy
- You will likely identify ways to improve the efficiency of your IT infrastructure
What are the consequences if I do not comply with the PCI DSS?
- Compromised data negatively affects consumers, merchants, and financial institutions
- Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
- Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
- Lawsuits, insurance claims
- Cancelled accounts
- Payment card issuer fines, Government fines
What are the fines and penalties assessed to companies for non-compliance with the PCI DSS?
Any fines and/or penalties associated with non-compliance with the PCI DSS and/or confirmed security breaches are defined by each of the payment card brands.
How do I determine whether my business would be required to do a full independent assessment (QSA) or a self-assessment (SAQ)?
Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation. Service providers should contact the individual payment brands for further information.
What is the definition of merchant"?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
For ASV scans, what is meant by quarterly?
The intent of the quarterly scans as prescribed in Requirement 11.2 of the PCI DSS is to have them conducted as close to three months or 90 days apart as possible, so as to minimize the risk and identify vulnerabilities more quickly. For example, if five months elapse between scans (i.e. one done is January and the next done in June), that would not meet the intent of this requirement. In order to meet this requirement, an entity is required to complete their ASV scans, and perform any required remediation, each quarter.
How do I reduce the scope of a PCI DSS assessment?
Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is strongly recommended as a method that may reduce the scope of a PCI DSS assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network.
An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices.
Documenting cardholder data flows via a dataflow diagram helps fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment.
The adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network's configuration, the technologies deployed, and other controls that may be implemented. You should be validating the scope of your cardholder data environment as part of your annual PCI DSS assessment process, including validation of any network segmentation.