PCI DSS (Payment Card Industry Data Security Standard)What's on this page?View our PCI DSS books tools and training >>
What is the PCI DSS?
The Payment Card Industry Data Security Standard (‘PCI DSS’) is a framework set out for organisations that store, transmit or process cardholder data, designed to help keep that information secure.
The PCI DSS requires that merchants and service providers:
- Build and maintain a secure IT network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The PCI DSS applies to any type of media on which card data can be stored, including items such as back-up media, data on the Cloud, USB storage devices, hard drives, receipts and printed card information.
In addition, organisations holding electronic or paper records containing the full card number must store the information securely according to the Standard’s requirements.
The PCI Data Security Standard combines twelve requirements and their corresponding testing procedures.
Why should I comply with the PCI DSS?
If an organisation fails to comply with the requirements of the Standard they are liable to receive fines from their acquiring bank. The size of fines varies by brand, but broadly they fall into two groups:
- Non-compliance fines - these are ongoing fines that your bank can levy if you are not in compliance with the PCI DSS.
- Data breach fines - these are (generally) one-off fines that are issued in the event of a data breach.
Failure to comply can lead to other penalties, including:
- Costly forensic investigations and audits.
- Increased fines in the case of further non-compliance/breaches.
- Withdrawal of payment card services.
- Reputation damage with your customers
- Loss of business.
How to comply with the PCI DSS
Self-assessment Questionnaires (SAQ)
Compliance with the PCI DSS must be demonstrated through either a self-assessment questionnaire (SAQ), or a Report on Compliance (ROC). Criteria for whether either an ROC or SAQ is required are defined by the applicable payment brand, and depend on various factors, such as annual transaction volume and type of transactions.
|Merchants/Service providers ||Annual on-site audit ||Self-assessment questionnaire (SAQ) ||Quarterly* external vulnerability scan ||Quarterly* internal vulnerability scan ||Annual** penetration test ||Quarterly WLAN analysis |
|ROC || || || || || || |
|SAQ D for Merchants || || || || || || |
|SAQ D for Service Providers || || || || || || |
|SAQ C || || || || ||# || |
|SAQ C-VT || || || || || || |
|SAQ P2PE-HW || || || || || || |
|SAQ B-IP || || || || || || |
|SAQ B || || || || || || |
|SAQ A-EP || || || || ||+ || |
|SAQ A || || || || || || |
* Or after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
** Or after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, a webserver added to the environment).
# Only required for testing network segmentation if any is present.
+ Only external penetration test required.
Getting started with the PCI DSS
Achieving compliance with the PCI DSS can be challenging and demanding. The time taken to achieve compliance will depend upon your current information security arrangements. Your compliance project could be greatly accelerated with the use of our PCI DSS documentation toolkit, which provides a set of pre-written, customisable templates, processes, policies and procedures that can be applied to meet the requirements of PCI DSS v3.1.
Gossary of key PCI DSS terms
- PCI DSS: Payment Card Industry Data Security Standard
- PCI SCC: Payment Card Industry Security Standards Council – the group that develops the Standard.
- PCI QSA: Qualified security assessors –organisations that have been qualified by the PCI SSC to have their employees assess compliance to the PCI DSS.
- PCI SAQ: Self-assessment questionnaires –tools for merchants to use to self-evaluate their compliance with the PCI DSS.
- PCI ASV: Approved scanning vendor –organisations that are approved by the PCI SCC to perform vulnerability scans of merchants’ and service providers’ systems.
- Merchant: In the context of PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five members of PCI SCC (Visa, MasterCard, JCB, American Express or Discover).
- Acquiring bank: The organisation that provides a merchant with their payment card systems.
- Payment brands: The companies that provide the payment cards (Visa, MasterCard, JCB, American Express or Discover).
- Service provider: An organisation involved in the processing, storage or transmission of payment card information that is not a payment brand or a merchant.
PCI DSS resources
IT Governance has sourced and created a unique collection of titles dedicated to the PCI DSS. Our books offer concise and practical advice for anyone seeking PCI DSS compliance.
PCI DSS: A Pocket Guide, Second edition
This pocket guide is a short and concise introduction to the Standard, containing only the key information you need to know.
PCI DSS documentation toolkit,
Created by an official PCI QSA, this PCI DSS toolkit is specifically designed to assist payment card-accepting organisations (merchants) to become compliant with the Payment Card Industry Data Security Standard.
Security Testing Handbook for Banking Applications
This specialist book is intended as a companion to security professionals, software developers and QA professionals who work with banking applications.
For more information on other related areas surrounding the PCI DSS and compliance, please see the relevant topic page:
IT Governance >>
Information Security >>View our PCI DSS books tools and training >>