PCI stands for Payment Card Industry. Most of us deal with its members and participants every day through card brands and payment services such as Mastercard, Visa and PayPal. This article looks at how these companies are required to protect cardholder data.
They operate under the PCI DSS, the Payment Card Industry Data Security Standard, which sets out the minimum controls that anyone storing, processing or transmitting cardholder data must apply to keep that data secure.
History of PCI DSS
Before the PCI DSS existed, each major card brand ran its own security program:
1. American Express Data Security Operating Policy
2. Discover Information Security and Compliance
3. JCB Data Security Program
4. Mastercard Site Data Protection
5. Visa Cardholder Information Security Program
Each program was initiated by the card company itself, and their intent was almost the same: to add a layer of protection for cardholders and card issuers by requiring merchants to meet minimum security levels when processing, storing and transmitting credit card information. Five overlapping programs meant that a merchant accepting several brands faced several different assessments for essentially the same controls.
These shared goals led the brands to found the Payment Card Industry Security Standards Council (PCI SSC) and to merge their individual policies into a single standard, the PCI DSS.
There have been a number of versions of the PCI DSS so far. Version 1.0 was released on December 15, 2004, and the most recent version at the time of writing is 3.2, published in April 2016.
Why is there a need for PCI DSS?
The PCI DSS was developed to limit payment card fraud. Although it is usually discussed as a compliance exercise, its substance is security: the purpose of PCI compliance is to verify that defined security controls are actually in place wherever customer payments are processed and customer data is handled.
How compliance is verified depends on transaction volume. Merchants in the highest level (for Visa and Mastercard, those handling more than six million card transactions a year) must have an annual on-site assessment performed by a QSA (Qualified Security Assessor), who produces a ROC (Report on Compliance). Lower-volume merchants instead complete a Self-Assessment Questionnaire (SAQ) to report their compliance status, although the acquiring bank may still require quarterly vulnerability scans by an Approved Scanning Vendor.
The PCI DSS defines twelve requirements, grouped under six control objectives. Each version of the standard has broken these twelve requirements down into sub-requirements in different ways, but the twelve top-level requirements themselves have not changed since the standard was introduced.
Objectives and requirements:
1. Build and maintain a secure network
i. Install and maintain a firewall configuration to protect cardholder data.
ii. Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
iii. Protect stored cardholder data.
iv. Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program
v. Use and regularly update anti-virus software on all systems commonly affected by malware.
vi. Develop and maintain secure systems and applications.
4. Implement strong access control measures
vii. Restrict access to cardholder data by business need-to-know.
viii. Assign a unique ID to each person with computer access.
ix. Restrict physical access to cardholder data.
5. Regularly monitor and test networks
x. Track and monitor all access to network resources and cardholder data.
xi. Regularly test security systems and processes.
6. Maintain an information security policy
xii. Maintain a policy that addresses information security for all personnel.
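Requirement iii is the one that most often fails in practice, not because of the database but because full card numbers leak into application logs, crash dumps and support tickets. PCI DSS (sub-requirements 3.3 and 3.4 in version 3.2) requires a displayed PAN to show at most the first six and last four digits, and a stored PAN to be rendered unreadable by truncation, a keyed one-way hash, tokenization or strong encryption. The following Python script is an added example written for this article, not code from the PCI SSC or any card brand: it scans log lines for digit runs that look like card numbers, uses the Luhn check to drop false positives such as session ids, replaces real PANs with their masked form, and shows a keyed hash that can stand in for the PAN where a stable reference is still needed. The log lines and the HMAC key are constructed for illustration.

```python
"""Added example (not from the article): find and neutralise primary
account numbers (PANs) in application logs, in the spirit of PCI DSS
Requirement 3. Sample log lines and the HMAC key are constructed."""
import hashlib
import hmac
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. Filters out most non-card digit runs
    (order ids, timestamps, session ids) so they are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display masking: at most the first six and last four digits may
    be shown; everything in between is replaced."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN. Gives a stable
    reference for reconciliation or fraud analysis without storing the
    PAN. The key must be kept outside the logging pipeline."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in one log line with its masked form.
    Returns (scrubbed line, number of PANs replaced)."""
    hits = 0

    def _replace(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number; leave it alone
        hits += 1
        return mask_pan(digits)

    return PAN_RE.sub(_replace, line), hits


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log. Returns (scrubbed lines, total PANs found)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log: two well-known test card numbers (a Visa and
# a Mastercard test PAN) plus a 16-digit session id that fails Luhn.
SAMPLE_LOG = [
    "2016-04-12T10:01:02Z INFO  order=1001 card=4111111111111111 amount=19.99",
    "2016-04-12T10:01:03Z INFO  order=1002 card=5500 0000 0000 0004 amount=5.00",
    "2016-04-12T10:01:04Z DEBUG session=1234567890123456 step=authorize",
]

if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    for entry in cleaned:
        print(entry)
    print(f"{found} PAN(s) masked")
    # Hypothetical key for illustration only; in production it comes
    # from a key management system, never from the log pipeline itself.
    print("token:", pan_token("4111111111111111", b"demo-key"))
```

Run against the sample, the two card lines come back as `card=411111******1111` and `card=550000******0004` while the session id line is untouched, because `1234567890123456` does not pass Luhn. A scrubber like this belongs as close to the log source as possible (a logging filter or the log shipper), since once a PAN has been written to disk the file itself is in scope for the standard.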