The Payment Card Industry Data Security Standard (PCI DSS) is a set of data security standards that any organization that processes, stores, or transmits payment cards must comply with.
The organization that administers the PCI DSS is the Payment Card Industry Security Standard Council (PCI SSC), which is led by representatives from all of the major payment card brands—American Express, Discover, JCB International, MasterCard, and Visa. The PCI SSC periodically releases new versions of the PCI DSS—the latest version, as of the publication of this article, is PCI DSS 3.2, released in April 2016.
If a business fails to comply with PCI DSS, the payment card brands and their banking partners can penalize it by increasing its payment card processing fees, by taking away its ability to accept credit or debit cards as payment, or by imposing fines of more than $100,000.
PCI DSS is organized into six different “goals,” each of which is made up of between one and three high-level security requirements. There are 12 different high-level security requirements overall, and each of these requirements is made up of numerous sub-requirements.
Let’s go through these 12 high-level security requirements one by one, so you can get a general idea of what PCI DSS requires without having to read the full 139-page document, or even the 34-page Quick Reference Guide, which some may find too long or complicated.
Goal #1: Build and Maintain a Secure Network
Requirement #1: Install and maintain a firewall and router configuration to protect cardholder data
PCI DSS requires you to set up the private networks on which you process, store, or transmit payment card data so that only authorized users can access them. The main way to do this is to implement a firewall, or multiple firewalls, that restricts access to the “cardholder data environment” (CDE) to only authorized protocols and devices, and blocks everything else by default. PCI DSS also requires any device outside of the CDE that accesses the CDE to be protected with a properly configured firewall.
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Some IT hardware and software products, when you first install them or set them up, require you to create an administrative user account and/or set a password before you do anything else. Other IT products already come with a default user account and user password on them (usually something like “admin” and “password”). Routers are a common example of the latter.
PCI DSS requires you to change these default usernames and passwords to something else, since all a person would have to do to access your hardware or software would be to look up the vendor- or manufacturer-supplied default username and password of the product (information that can usually be found somewhere on the Internet).
PCI DSS also requires you to change any insecure default settings aside from usernames and passwords on any of the hardware or software in your CDE.
Goal #2: Protect Cardholder Data
Requirement #3: Protect stored cardholder data
PCI DSS requires you to limit your storage of payment card data to only what is necessary for “business, legal, and/or regulatory purposes.” It allows you to store the payment card’s Primary Account Number (i.e., the payment card number), though only if you encrypt it. It also allows you to store the cardholder’s name and the payment card’s expiration date and service code unencrypted. It prohibits you (unless you’re an issuing bank or “related entity”) from storing any payment card authentication data in any form, including the cardholder’s PIN, the card’s security code, and the data from the card’s magnetic stripe or chip. You’re required to clear your systems of any unneeded payment card data (such as the payment card data of ex-customers) every four months.
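As an added example (not from the article or from the PCI SSC), here is a small Python audit routine that scans stored records for the two things Requirement 3 forbids: a Primary Account Number kept in the clear (recognised by its length and the Luhn check) and any sensitive authentication data field at all. The field names and sample records are constructed for illustration.

```python
import re
from typing import Dict, List

# Sensitive authentication data (SAD) may never be stored after authorisation.
# Field names are assumed for this example; map them to your own schema.
SAD_FIELDS = {"pin", "pin_block", "cvv", "cvc", "cid", "track1", "track2", "chip_data"}
# Cardholder data that PCI DSS allows to be stored unencrypted.
CLEAR_OK = {"cardholder_name", "expiry", "service_code"}
PAN_PATTERN = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a 13-19 digit string that passes is very likely a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_cleartext_pan(value: str) -> bool:
    """True if the value is a plausible card number (spaces/dashes ignored)."""
    digits = re.sub(r"[ -]", "", value)
    return bool(PAN_PATTERN.match(digits)) and luhn_valid(digits)


def audit_record(record: Dict[str, str]) -> List[str]:
    """Return Requirement 3 findings for one stored record (empty list = clean)."""
    findings = []
    for field, value in record.items():
        if field in SAD_FIELDS:
            findings.append(f"{field}: sensitive authentication data must not be stored")
        elif field == "pan":
            if looks_like_cleartext_pan(value):
                findings.append("pan: primary account number stored unencrypted")
        elif field not in CLEAR_OK and looks_like_cleartext_pan(value):
            findings.append(f"{field}: unexpected cleartext PAN-like value")
    return findings


# Constructed sample records; the PAN is the widely published Visa test number.
SAMPLE_RECORDS = [
    {"cardholder_name": "A. Customer", "pan": "4111 1111 1111 1111",
     "expiry": "12/27", "cvv": "123"},
    {"cardholder_name": "B. Customer", "pan": "ENC:v1:a8f3c0de",
     "expiry": "01/28", "service_code": "201"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(audit_record(rec) or ["ok"])
```

Running it over a real datastore is a useful quarterly check alongside the retention clean-up the article describes, since PAN-like values often leak into free-text fields such as order notes.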
Requirement #4: Encrypt transmission of cardholder data across open, public networks
PCI DSS requires you to use a secure, encrypted protocol such as SSL when transmitting any payment card data over an open, public network. The most common reason a business would transmit payment card data this way is to complete a sale by sending a customer’s payment card data to its acquiring bank via the Internet. If this is why you’re sending payment card data this way, you’ll want to ensure that your POS or e-commerce system uses an encrypted protocol to transmit payment card data for processing.
We’ll summarize PCI DSS requirements five through nine in the second part of this article.