All target dates for compliance with the PCI DSS have long since passed. The Standard is now on its third version, with the fourth in development with a predicted release date of Q4 2020. It is likely that v3.2.1 will be withdrawn around the end of 2021. Many organisations around the world – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.
There are three possible reasons for this.
The first is that, outside a few US states, the PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The UK’s Information Commissioner, however, has said that compliance with the PCI DSS shows due diligence in protecting cardholder data, and has effectively imposed it as law through the threat of fines if non-compliant at the time of a breach.
The second is that enforcement is driven by the card payment brands, through the banks that have the commercial relationships with the merchants that are supposed to comply. While enforcement has become more rigorous over the past few years, it is still inconsistent.
The third is that the PCI DSS is extremely prescriptive, and takes a determined one-size-fits-all approach to information security requirements. Compliance is therefore seen as both expensive and bureaucratic.
As a result, many merchants have tried to avoid compliance. However, this is a short-sighted and high-risk stance to adopt – rather like assuming that your business has no exposure to acts of nature or IT failure and does not, therefore, require a business or IT service continuity plan.
All businesses that accept payment cards are prey for hackers and criminal gangs seeking to steal payment card and individual identity details. Many attacks are highly automated, seeking out website and payment card system vulnerabilities remotely, using increasingly sophisticated tools and techniques. When a vulnerability is discovered, an attack can start – with the management and staff of the target company unaware of what is going on.
Most breaches go undetected for months, and are often found by third parties, such as payment brands conducting fraud checks. When the attack is exposed, the target company faces a harsh and expensive set of repercussions. These range from customer desertion and brand damage to significant penalties and operating requirements imposed by their acquiring bank, including monitoring at a level normally applicable to only the very largest of merchants. Penalties can also include expensive forensic investigation by accredited PCI Forensic Investigators (PFIs), or being made designated entities by the payment brands or the acquirers, requiring an additional level of validation to prove compliance in the future.
The PCI DSS is designed to ensure that merchants are protecting cardholder data effectively. It recognises that not all merchants have the technical understanding to identify the necessary steps, and the shortcuts, that avoid danger. All merchants and their service providers should therefore ensure that they comply with the Standard, and that they stay compliant. If the solution cannot be found internally or through the service provider, then training and consultancy are the solution.
Above all else, if every merchant cooperates in the fight against the theft of cardholder data, we might make it easier in the long run for our payment card customers.
The PCI DSS, copies of which are freely available (although subject to licence) from the PCI Security Standards Council (PCI SSC), is, of course, the PCI SSC’s copyright. This pocket guide is not a substitute for acquiring and reading the Standard itself. Every reader of this pocket guide should obtain a copy of the PCI DSS from: www.pcisecuritystandards.org/document_library.
This pocket guide contains many references to, and summaries of, material that is freely and more comprehensively available on the PCI SSC website and elsewhere. It is intended to be a handy, comprehensive reference tool that contains in one place all the information that anyone dealing with the PCI DSS and related issues might need. It is also a pocket guide, not a comprehensive manual on implementing the Standard.
IT Governance offers dedicated PCI DSS courses at both foundation and implementation levels, allowing businesses to quickly get to grips with PCI DSS requirements.
Chapter 1: What is the Payment Card Industry Data Security Standard (PCI DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, Mastercard and Visa.
The PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.
The requirements of the PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, it has a responsibility to ensure that the third party is compliant with the PCI DSS.
The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation applied and enforced – by means of fines or other restrictions – directly by the payment providers themselves.
The currently applicable version of the PCI DSS, since May 2018, is version 3.2.1; subject to licence, it can be freely downloaded. It is published and controlled by the PCI SSC on behalf of its five founding members.
In June 2015, the PCI SSC introduced the concept of ‘designated entities’. These are high-risk entities that can be prescribed a set of supplemental validation requirements to demonstrate ongoing security efforts to protect payments.
The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), PCI Professionals (PCIPs), Qualified Integrators and Resellers (QIRs) and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications.
The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These requirements are described later in this pocket guide.
Key definitions and acronyms in the PCI DSS
Acquirer – a bank that acquires merchants – i.e. the bank with which you have your e-commerce bank account.
Payment brand – Visa, Mastercard, American Express, Discover, JCB.
Merchant – sells products to cardholders.
Service provider – a business entity that is directly or indirectly involved in the processing, storage, transmission and switching of cardholder data. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data.
Service providers include:
- Third-party processors (TPPs), which process payment card transactions (including payment gateways); and
- Data storage entities (DSEs), which store or transmit payment card data.
Primary account number (PAN) – the up-to-19-digit payment card number.
Qualified Security Assessor (QSA) – someone who is trained and certified to carry out PCI DSS compliance assessments.
Internal Security Assessor (ISA) – someone who is trained and certified to conduct internal security assessments.
Approved Scanning Vendor (ASV) – an organisation that is approved as competent to carry out the security scans required by the PCI DSS.
PCI Forensic Investigator (PFI) – an individual trained and certified to investigate and contain information security breaches involving cardholder data.
This is an extract taken from PCI DSS: A pocket guide, sixth edition
©IT Governance Publishing Ltd
An ideal introduction to PCI DSS v3.2.1
Now in its sixth edition, PCI DSS: A pocket guide provides all the information you need to comply with PCI DSS v3.2.1. This handy guide:
- Explains the fundamental concepts of PCI DSS v3.2.1;
- Is perfect as a quick reference for PCI professionals, or as an introduction for new staff;
- Covers the consequences of a data breach, and how to comply with the Standard, giving real, practical insights; and
- Teaches you how to protect your customers’ cardholder data with best practice from PCI DSS v3.2.1.
Available in softcover, Adobe eBook and Adobe ePub.