What is PCI and DSS Compliance?
This is a question KirkpatrickPrice, as a PCI QSA, is frequently asked. Let’s start with what it stands for.
PCI stands for the Payment Card Industry. When we talk about compliance, we’re talking about the PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS originated from efforts by major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
PCI DSS 3.2, the current version of the standard, has approximately 394 controls. These controls are categorized under six control objectives and 12 major subject areas that address topics such as firewall configuration, encryption, anti-virus, and information security policies. The standard’s purpose is to ensure that all of the data that lives within the Cardholder Data Environment, or CDE, is protected and secured from theft or unauthorized use. These 12 requirements are defined as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS. If you have any questions about the process or are looking for a PCI Qualified Security Assessor (QSA) to assist with your PCI compliance audit, contact us today.
Randy Bartels of KirkpatrickPrice on PCI Compliance
PCI Compliance – what is it? We get this question a lot. PCI stands for the Payment Card Industry and they have a number of different standards. One of those standards is the Data Security Standard or the DSS. Nine times out of ten, when we’re talking to somebody about PCI compliance we’re talking to them about the Data Security Standard.
The Data Security Standard was born out of an initial effort by Visa and MasterCard, and was then joined by American Express, Discover and JCB. This is a set of nearly 300 requirements that reads kind of like a best practice document. So, these requirements are broken out into twelve domains, and those domains cover everything from firewall and having a secure network, to systems hardening and managing system configurations, to encryption in transit or in storage, antivirus, and all the way through to the very last domain covering information security policy and having an information security program.