
Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for every organisation that accepts, processes, stores, or transmits payment card data, and for the service providers whose systems can affect the security of that data. The standard is published and maintained by the Payment Card Industry Security Standards Council (PCI SSC). It is not a law: compliance is enforced contractually by the card brands and by the acquiring banks through their merchant and service-provider agreements, although the requirement is in practice unavoidable for any business that handles card data.

The PCI DSS was created to increase controls around cardholder data to reduce credit card fraud. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer account data.

History of PCI DSS

The PCI DSS was first introduced in 2004 by the major credit card companies Visa, MasterCard, American Express, Discover, and JCB. Before introducing the PCI DSS, each of these companies had their own individual data security standards. The PCI DSS was an effort to unify these standards and create a single set of requirements that all businesses could follow.

Since its introduction, the PCI DSS has been revised several times to address emerging threats and changes in the payment card industry. Version 3.2.1, released in May 2018, was the standard for several years; it was superseded by version 4.0, published in March 2022, and retired on 31 March 2024. The current version is 4.0.1, published in June 2024. Each new version updates and clarifies the existing requirements and adds new requirements as needed, usually with a transition period before the new requirements become mandatory.

Impact of PCI DSS

The introduction of the PCI DSS has significantly impacted the way businesses handle payment card data. Before the introduction of the PCI DSS, many companies did not have comprehensive security measures to protect cardholder data. The PCI DSS has helped to standardise these security measures and has significantly increased the overall level of security in the payment card industry.

However, compliance with the PCI DSS can be complex and costly for many businesses. The requirements are extensive and can require significant resources to implement and maintain. Despite these challenges, compliance with the PCI DSS is not optional, and businesses that fail to comply can face severe penalties, including fines and the loss of the ability to accept credit card payments.

PCI DSS Requirements

The PCI DSS consists of 12 primary requirements grouped into six control objectives. These objectives cover areas such as the construction and maintenance of a secure network, the protection of cardholder data, the management of vulnerabilities, the implementation of strong access control measures, the regular monitoring and testing of networks, and the maintenance of an information security policy.

These requirements are further broken down into sub-requirements, which provide more specific guidance on achieving compliance. All 12 requirements apply to every entity in scope, whatever its size; what varies with size and transaction volume is the validation burden. The card brands assign merchants and service providers to levels based on annual transaction volume, and higher levels must have their compliance assessed more rigorously. The scope of the assessment also depends on how the business handles card data: outsourcing payment handling to a validated third party can remove most of its systems from scope, whereas storing primary account numbers (PANs) in-house brings every system that stores, processes, or transmits them, and every system connected to those, into the cardholder data environment.

Building and Maintaining a Secure Network

The first two requirements of the PCI DSS focus on building and maintaining a secure network. Requirement 1 covers installing and maintaining network security controls (firewalls, in earlier versions of the standard) to protect cardholder data. Requirement 2 prohibits the use of vendor-supplied defaults for system passwords and other security parameters: default accounts, passwords, SNMP community strings, and unnecessary services must be changed or removed before a system is connected to the cardholder data environment.

These requirements are designed to prevent unauthorised access to a business's network and to protect the integrity of cardholder data. They require businesses to understand and document their network architecture, to restrict traffic into and out of the cardholder data environment to what is explicitly needed, and to implement robust controls against internal and external threats. Segmenting the cardholder data environment from the rest of the network is not mandatory, but it is the usual way to reduce the number of systems that fall within scope.

Protecting Cardholder Data

Requirements three and four of the PCI DSS focus on protecting cardholder data. Requirement 3 covers protecting stored cardholder data, and Requirement 4 covers protecting cardholder data with strong cryptography when it is transmitted across open, public networks.

These requirements are designed to ensure that cardholder data is protected at all times, both in storage and during transmission. Businesses must keep stored cardholder data to the minimum necessary to conduct business and retain it no longer than needed; render the PAN unreadable wherever it is stored, by truncation, tokenization, strong cryptography, or a keyed hash of the full PAN; mask the PAN when it is displayed, showing at most the first six and last four digits; and never store sensitive authentication data (full magnetic-stripe or chip data, the card verification code, or the PIN) after authorisation, even in encrypted form. For transmission, only strong cryptography and protocols with no known weaknesses are acceptable: SSL and early TLS have been prohibited for this purpose since the 3.x revisions of the standard.
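The stored-data rules described above, as an added Python example that is not part of this glossary page: a Luhn check to recognise a plausible PAN, display masking to the first six and last four digits, a keyed-hash (HMAC-SHA256) token that replaces the PAN in the record kept after authorisation while the card verification code is dropped rather than stored, and a scan over constructed log lines for PANs that have leaked unmasked. The key, the field names, and the log lines are assumptions made for the demonstration; the card numbers are the public Visa and Mastercard test numbers.

```python
import hashlib
import hmac
import re

# Assumption for this demo: in practice the HMAC key is generated and held in a
# key-management system, rotated on schedule, and never stored beside the tokens.
DEMO_KEY = b"demo-only-do-not-use-in-production"

# Field names that carry sensitive authentication data (assumed names for the demo).
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "track1", "track2", "pin", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check on a digit string of plausible PAN length (13-19 digits)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10-18 to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first six and last four digits
    (PCI DSS v3.2.1 req. 3.3; v4.0 req. 3.4.1 phrases this as BIN and last four)."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN, usable as a lookup token.
    An unkeyed SHA-256 is not acceptable: the PAN space is small enough to
    enumerate, so anyone holding the hashes could recover PANs offline.
    PCI DSS v4.0 req. 3.5.1.1 requires PAN hashes to be keyed."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_request: dict) -> dict:
    """Return the subset of an authorisation request that may be kept afterwards.
    Sensitive authentication data is dropped outright; the PAN is replaced by its
    keyed-hash token plus the last four digits, so later records can still be
    matched to the same card without the PAN being stored."""
    pan = auth_request["pan"]
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    record = {k: v for k, v in auth_request.items()
              if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    record["pan_token"] = pan_token(pan)
    record["last4"] = pan[-4:]
    return record


# 13-19 digits, optionally separated by single spaces or hyphens, and not part of
# a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(lines: list[str]) -> list[tuple[int, str]]:
    """Scan text such as application logs for unmasked PANs. Regex hits are
    filtered with the Luhn check, which discards most order numbers and other
    long digit strings; a correctly masked PAN never matches at all."""
    hits = []
    for lineno, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-03-03T10:15:22Z INFO checkout ok order=784512 pan=4111 1111 1111 1111 amount=19.99",
    "2024-03-03T10:15:23Z DEBUG gateway request card=5555555555554444 cvv=*** exp=12/26",
    "2024-03-03T10:15:24Z INFO display pan=411111******1111 session=8f3a",
    "2024-03-03T10:15:25Z WARN retry ref=4111111111111112 status=declined",
]


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN logged; should have been {mask_pan(pan)}")
    print(sanitize_for_storage({"pan": "4111111111111111", "cvv": "123",
                                "expiry": "12/26", "amount": "19.99"}))
```

Two caveats a practitioner would add. The HMAC key is itself a cryptographic key under Requirement 3 and must be managed as one; and keeping a truncated PAN next to a hash of the same PAN is only safe because the hash is keyed, since an unkeyed hash plus the known digits leaves too little for an attacker to guess. The log scan is a detective control, not proof of absence: the regex and Luhn filter still produce both false positives and, for PANs split across lines or written with other separators, false negatives.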

Assessing Compliance with PCI DSS

Compliance with the PCI DSS is validated annually, and entities with externally facing systems in scope must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). The exact validation process depends on the size of the business and the volume of transactions it processes. Larger companies and those that process a high volume of transactions must undergo an on-site data security assessment by a Qualified Security Assessor (QSA) or, where the card brand permits it, by a trained Internal Security Assessor (ISA).

Smaller businesses and those that process a lower volume of transactions can self-assess their compliance using a Self-Assessment Questionnaire (SAQ). The SAQ is a tool designed to help businesses evaluate their compliance with the PCI DSS. Several SAQ types exist, matched to how the business handles card data: a merchant that fully outsources its e-commerce payment page to a validated third party answers a short questionnaire covering only the requirements that still apply to it, while a merchant that stores card data on its own systems must answer questions covering every requirement.

Qualified Security Assessor (QSA)

A Qualified Security Assessor (QSA) is a professional who has been certified by the PCI SSC to conduct on-site PCI DSS assessments. QSAs are required to have a deep understanding of the PCI DSS and must be able to demonstrate their ability to assess a business's compliance with the standard.

During an on-site assessment, the QSA reviews the business's security policies and procedures, inspects its network architecture and the scope of the cardholder data environment, tests its security controls, and interviews staff to confirm that the PCI DSS requirements are being followed in practice. The QSA then produces a Report on Compliance (ROC) that documents the business's compliance status, together with an Attestation of Compliance (AOC) that is submitted to the acquiring bank or card brand.

Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire (SAQ) is a tool that is designed to help smaller businesses assess their compliance with the PCI DSS. The SAQ includes a series of questions that cover each of the PCI DSS requirements. Businesses are required to answer each question honestly and to provide evidence of their compliance where necessary.

Because it is self-assessed, the SAQ relies on the business's own understanding of its environment and scope, and an inaccurate answer does not reduce the business's liability if a breach occurs. Completed together with a signed Attestation of Compliance (AOC), it is nonetheless the formal validation method for eligible businesses, and it is a valuable tool for identifying areas of non-compliance and for guiding a business's efforts to achieve compliance.

Penalties for Non-Compliance

Failure to comply with the PCI DSS can result in severe penalties for businesses. These penalties can include fines, the loss of the ability to accept credit card payments, and damage to the business's reputation. The exact penalties that a company can face depend on the severity of the non-compliance and the volume of transactions it processes.

In addition to these penalties, businesses that fail to comply with the PCI DSS can also be held liable for any losses that result from a data breach. This can include the cost of reimbursing cardholders for fraudulent charges, the cost of reissuing cards, and the cost of any legal action that may be taken against the business.

Fines and Penalties

The fines for non-compliance with the PCI DSS can be substantial. They are levied by the card brands on the acquiring bank, which normally passes them on to the business under the merchant agreement, and they are commonly assessed for each month that the non-compliance continues. The exact amount depends on the severity of the non-compliance and the volume of transactions the business processes; fines can range from a few thousand dollars to several million dollars.

In addition to fines, businesses that fail to comply with the PCI DSS can also be subject to other penalties. These can include the loss of the ability to accept credit card payments, increased transaction fees, and the imposition of additional security requirements.

Reputational Damage

Non-compliance with the PCI DSS can also result in significant damage to a business's reputation. Customers trust businesses to protect their cardholder data, and a failure to do so can result in a loss of trust and a decrease in business.

In addition to the loss of trust, businesses that fail to comply with the PCI DSS can also face negative publicity. Data breaches are often widely reported in the media and can result in a significant loss of customer confidence.

Conclusion

The Payment Card Industry Data Security Standard (PCI DSS) is a critical component of the payment card industry's efforts to protect cardholder data. Compliance with the PCI DSS is not optional, and businesses that fail to comply can face severe penalties.

Despite the challenges associated with achieving compliance, the PCI DSS provides a clear and comprehensive framework for businesses to follow. By adhering to the PCI DSS, companies can significantly reduce their risk of a data breach and can help protect the integrity of the payment card industry.
