PCI-DSS-A standard for pleasure in Payment Card Industry

By

Ravi K.Mishra

MSCLIS

IIIT-Allahabad

Introduction

In the era of e-commerce everyone is directly or indirectly associated with the payment card industry, so a standard like PCI-DSS, which governs and regulates that industry, has a significant impact on everybody. "PCI-DSS" may be a new term for someone with no direct relation to the payment card industry, but within the industry it is well established. PCI-DSS stands for Payment Card Industry Data Security Standard. It is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC) to protect cardholder data from various threats. The founding members of the PCI SSC were American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

PCI-DSS is a set of guidelines, procedures, and countermeasures developed to help merchants and service providers implement strong security precautions that ensure safe payment card usage and secure storage of card data. The PCI DSS was designed not only to address the most common consumer fears about credit card transactions, but also to make the "merchants" who process those transactions more accountable.

Due to an escalating number of payment card breaches at both service providers and merchants, organizations are now under pressure from their acquirers to become PCI DSS compliant.

According to PCI-DSS, a "merchant" is defined as "any entity that accepts payment cards as payment for goods and/or services". A "service provider" is defined as a business entity (not a card brand or merchant) directly involved in the processing, storage, transmission, or switching of transaction or cardholder data.

Extent of PCI DSS

The PCI DSS applies to any medium on which payment card data may be held. This includes hard disk drives, floppy disks, magnetic tape and backup media, but also printed or handwritten credit and debit card receipts on which the full card number (the primary account number, or PAN) appears.
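As an added illustration that is not part of the original article, the following Python script shows the kind of check a practitioner runs to find out which media and records are actually in scope: it scans a set of constructed sample records (a log line, a receipt, a phone number) for strings that look like full card numbers, uses the Luhn checksum that all major card brands apply to their PANs to discard look-alike digit strings, and masks each confirmed PAN down to its first six and last four digits. The record contents and card numbers are constructed test values, not real accounts, and the function names are my own.

```python
import re

# Constructed sample "media" contents. The card numbers are well-known
# brand test numbers, not real accounts; the third record has its last
# digit altered so that it fails the Luhn check.
SAMPLE_RECORDS = [
    "2024-01-03 order=8812 card=4111 1111 1111 1111 exp=12/26",
    "receipt: MasterCard 5500-0000-0000-0004 auth ok",
    "customer phone 4111111111111112 (not a card: fails Luhn)",
    "invoice 9876543210 total 12.50",
]

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate):
    """Strip the separators the regex allowed, leaving only digits."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the list of Luhn-valid PANs (digits only) found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Keep first six and last four digits, the usual PAN display format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form."""
    def repl(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)   # not a PAN: leave untouched
    return PAN_CANDIDATE.sub(repl, text)


def scan_records(records):
    """Return (index, pans) for every record that holds at least one PAN."""
    hits = []
    for i, record in enumerate(records):
        pans = find_pans(record)
        if pans:
            hits.append((i, pans))
    return hits


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {len(pans)} PAN(s) -> {redact(SAMPLE_RECORDS[idx])}")
```

Running the script reports records 0 and 1 as holding a full PAN and prints them with the number masked, while the altered number in record 2 is rejected by the checksum and the ten-digit invoice number is never a candidate. The Luhn test only removes obvious false positives; a real scoping exercise still confirms each hit by hand, because valid-looking numbers can appear in identifiers that are not card numbers.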

PCI DSS compliance requirements

PCI-DSS requires merchants and service providers who store, process or transmit cardholder data to fulfil 12 requirements, grouped into 6 logical groups (control objectives). These groups are:

(1) Build and maintain a secure IT network

(2) Protect cardholder data

(3) Maintain a vulnerability management program

(4) Implement strong access control measures

(5) Regularly monitor and test networks

(6) Maintain an information security policy

PCI-DSS defines several compliance levels for merchants and for service providers, categorized by annual transaction volume. Each level carries its own validation requirements, which organizations at that level must follow.

One of these validation requirements is the SAQ (Self-Assessment Questionnaire). The PCI DSS SAQ is a validation tool intended to help merchants and service providers evaluate their own compliance with the PCI DSS. Multiple versions of the SAQ exist to cover different processing scenarios. The other validation requirements are on-site assessments and network vulnerability scans.

Where an on-site assessment is mandatory, it is performed by a Qualified Security Assessor (QSA); external network vulnerability scans are performed by an Approved Scanning Vendor (ASV). Both are organizations qualified by the PCI SSC. The results are reported to the acquirer and the card schemes and form the basis of any remediation required. Details are published on the card schemes' websites.

The cost of certification depends largely on the volume of card transactions. The cost of any remediation depends on a pre-compliance review and/or on-site audit and is therefore specific to the individual merchant.

In the event of a security breach, penalties for non-compliance are imposed. At the time of writing these are understood to be in the order of:

  • Fines at the rate of 5 Euros per compromised account
  • A breach fee in excess of 100,000 Euros per occurrence
  • Possible restrictions on the merchant
  • Permanent prohibition of the merchant's participation in the Visa and MasterCard programs
  • Beyond these penalties, business risks to brand, customer loyalty and company valuation exist if cardholder data is not securely managed