background

PCI DSS

Payment card industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, transmit, or impact the security of cardholder data maintain a secure environment.

What is PCI DSS?

Payment card industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, transmit, or impact the security of cardholder data maintain a secure environment.

It was launched on September 7, 2006 to manage PCI security standards and improve account security throughout the transaction process. The PCI DSS is administered and managed by the PCI Security Standards Council, an independent body that was created by major payment card brands such as Visa, MasterCard, American Express, Discovery and JCB. The payment brands and acquirers are responsible for enforcing PCI compliance. 

PCI 4.0 is the latest major iteration of the payment card industry standard and implements significant changes in requirements, focusing more on maintaining continuous security as well as adding new methods to meet requirements. PCI DSS v4.0.1 is a limited revision to PCI DSS v4.0 that addresses stakeholder feedback and questions that have been received since v4.0 was published in March 2022. This revision demonstrates the continuous effort to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally. 

The 12 requirements for PCI DSS 4.0 compliance are:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

Non-compliance can lead to fines, legal penalties, loss of business and loss of reputation. PCI aims to increase security for customers by creating a standard set of guidelines that any company that accepts, stores, or transmits credit card information, regardless of number of transactions or size of transactions, must comply with to do business.