What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is administered by the PCI Security Standards Council (PCI SSC) to decrease payment card fraud across the Internet and increase payment card data security. Organisations that accept, store, transmit or process cardholder data must comply with the PCI DSS.
If you are a merchant, the PCI DSS applies to you. Even if you have subcontracted all PCI DSS activities to a third party, you are still responsible for ensuring all contracted parties are compliant with the Standard.
If you are a service provider, including a software developer, the PCI DSS applies to you if you process, transmit or store cardholder data, or your activities affect the security of the cardholder data as it is being processed, transmitted or stored.
Which version of the PCI DSS do I need?
The PCI DSS is currently in version 3.2. Version 3.0 was published in November 2013 and updated to version 3.2 in April 2016.
The changes help companies make the PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.
Organisations will be assessed against the changes introduced by the latest version at their next assessment or audit, once version 3.1 is retired in October 2016. As an approved QSA company, IT Governance is ideally positioned to help and advise organisations on the applicability of the PCI DSS and the transition to v3.2.
Visit our PCI Consultancy page for more information or get in touch via email or by calling us on 00 800 48 484 484.
Scope of the PCI DSS
The PCI DSS can apply across the whole of your organisation, or to a subset of your organisation if you have correctly compartmentalised the processing, transmission or storage of cardholder data.
The Standard applies to all people, processes and technologies involved in the processing, transmission or storage of cardholder data. It covers not only electronic systems but also paper records (receipts, mail order forms and the like) and recordings of phone conversations that capture cardholder data read out to call centre operators. IT Governance can advise on scoping the cardholder data environment within your organisation.
Achieving compliance with the PCI DSS
Compliance with the PCI DSS is demonstrated by the merchant or service provider successfully completing an audit of the cardholder data environment against the Standard. The type of audit depends on the compliance requirements of the payment brand and the level of the merchant or service provider as defined by the payment brand. The types of validation are:
PCI DSS compliance criteria and PCI levels
Compliance is driven from the payment brands (Visa, American Express, MasterCard, etc.) downwards. The payment brands require compliance from acquiring banks and, consequently, all of their merchants as well. As part of the process, merchants will ask their service providers to be compliant.
The criteria that a merchant or service provider has to meet are set by the individual payment brands. Each payment brand has its own compliance programme and sets criteria for compliance based on the volume of transactions made by a merchant or service provider. In general, there are four merchant levels and two levels of service provider, but this varies by payment brand.
The applicable merchant levels are set by the payment brands and are usually based on transaction volumes, together with whether the organisation has previously suffered a breach.
PCI DSS compliance requirements
The Standard requires all applicable merchants and member service providers (MSPs) involved with the storage, processing or transmitting of cardholder data to:
- Build and maintain a secure IT network;
- Protect cardholder data;
- Maintain a vulnerability management programme;
- Implement strong access control measures;
- Regularly monitor and test networks;
- Maintain an information security policy.
Understanding the PCI DSS
The PCI DSS compliance process can take anywhere from a day to many weeks, depending on the specific requirements a company is expected to meet. Organisations that currently have a good level of information security are likely to achieve compliance faster than those that do not.
The PCI DSS requirements related to penetration testing and vulnerability assessments
Requirement 11 of the PCI DSS states that organisations should regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.
Which tests are you required to perform under the PCI DSS?