PCI DSS (Payment Card Industry – Data Security Standard) overview

PCI-DSS stands for ‘Payment Card Industry Data Security Standard’. It is a widely accepted set of policies and procedures intended to strengthen the security of card transactions (credit card, debit card, cash card, etc.) and to protect cardholders’ data against misuse of their personal information. PCI-DSS is governed by the PCI council; it was created in 2004 jointly by five major credit-card companies: Visa, MasterCard, Discover, JCB and American Express.

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices.

1. Overview of PCI-DSS

PCI-DSS is governed by the PCI-SSC (Payment Card Industry Security Standards Council), which was founded in 2004 by Visa, MasterCard, Amex, Discover and JCB.

2. What is PCI SSC?

PCI SSC (Payment Card Industry Security Standards Council) is an independent industry standards body that provides oversight of the development and management of the Payment Card Industry Data Security Standard on a global basis.

The following card brands founded the PCI SSC to unify security requirements across all card brands:

  1. American Express
  2. Discover Financial
  3. JCB International
  4. MasterCard
  5. Visa

3. History of PCI-DSS

Prior to PCI-DSS, each card company (Visa, MasterCard, Amex, JCB, etc.) had its own set of policies for payment card security, all aimed at the same objectives. Maintaining these separate processes was burdensome from several perspectives, for example audits by different online payment companies or payment service providers. Why was it burdensome? Because more or less the same set of policies had to be maintained separately for each card brand, and payment service providers had to maintain the same policies as well, in order to fulfil the card-security requirements.

The payment card companies had started five different programs to achieve the same protection of card data and its security. The five programs were as follows:

  1. Visa’s Cardholder Information Security Program
  2. MasterCard’s Site Data Protection
  3. American Express’s Data Security Operating Policy
  4. Discover’s Information Security and Compliance
  5. JCB’s Data Security Program

4. Why is PCI-DSS required?

The PCI DSS applies to any entity that stores, processes, or transmits payment card account data. In other words, PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

5. The 6 Goals of PCI-DSS

The following are the six goals of PCI-DSS:

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

6. Mapping of 6 Goals with 12 Requirements of PCI-DSS

Goal #1: Build and Maintain a Secure Network
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal #2: Protect Cardholder Data
Requirement #3: Protect stored cardholder data
Requirement #4: Encrypt transmission of cardholder data across open, public networks

Goal #3: Maintain a Vulnerability Management Program
Requirement #5: Use and regularly update anti-virus software or programs
Requirement #6: Develop and maintain secure systems and applications

Goal #4: Implement Strong Access Control Measures
Requirement #7: Restrict access to cardholder data by business need to know
Requirement #8: Assign a unique ID to each person with computer access
Requirement #9: Restrict physical access to cardholder data

Goal #5: Regularly Monitor and Test Networks
Requirement #10: Track and monitor all access to network resources and cardholder data
Requirement #11: Regularly test security systems and processes

Goal #6: Maintain an Information Security Policy
Requirement #12: Maintain a policy that addresses information security for all personnel

7. Different Components of PCI DSS

PA-DSS: The standard for validating off-the-shelf payment applications used in authorization and settlement.
Note that entities using PA-DSS validated payment applications are NOT automatically PCI DSS compliant.

P2PE: The standard covering the encryption, decryption, and key management requirements for point-to-point encryption solutions.

Service Provider: A company that controls or could impact the security of another entity’s cardholder data.

Qualified Integrator/Reseller (QIR): Using a QIR is a good step towards PCI DSS compliance.

8. Quiz

Which of the following entities will ultimately approve a purchase?
a. Issuer
b. Acquirer
c. Merchant
d. Payment Transaction Gateway

Ans: Issuer

Which step does the payment brand network provide to complete reconciliation to the merchant’s bank?
a. Settlement
b. Approval
c. Authorization
d. Clearing

Ans: Clearing

Happy learning, keep growing and keep sharing valuable information 🙂
