In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard. Be well informed on your PCI DSS certification.
What are the PCI DSS requirements?
The PCI DSS comprises a total of 6 control objectives, which are divided into 12 main requirements with a total of 329 individual requirements. You can view the complete standard with all individual requirements on the PCI Security Standards Council website. The requirements are of a technical, organizational and documentary nature.
Control Objectives& Main Requirements
- Build and Maintain a Secure Network
1) Install and maintain a firewall configuration to protect cardholder data
2) Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
3) Protect stored cardholder data
4) Encrypt transmission of cardholder data and other sensitive information across open, public networks
- Maintain a Vulnerability Management Program
5) Use and regularly update anti-virus software
6) Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
7) Restrict access to cardholder data by business need to know
8) Assign a unique ID to each person with computer access
9) Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
10) Track and monitor all access to network resources and cardholder data
11) Regularly test security systems and processes
- Maintain an Information Security Policy
12) Maintain a policy that addresses information security
In many cases of credit card theft, investigators discover that one or more of the PCI DSS requirements had not been implemented at the time of the incident. Numerous studies have shown that more than 75% of all attacks could have been avoided by relatively simple measures and low (financial) effort.
Compliance with all PCI DSS requirements not only ensures a noticeably higher level of security throughout your organization, but also provides the following benefits:
- You can identify risks associated with processing credit card and other customer information
- You demonstrate to your customers that you take the security of their data seriously
- You improve your protection against financial liability risks, legal costs and costs for the preservation of evidence
- You avoid negative press
Who must comply with the PCI DSS requirements?
Every company that stores, processes, or transmits credit card data must comply with the PCI DSS requirements and validate compliance once a year.
You store, process or transmit credit card data if you receive complete credit card numbers or expiration dates from your customers on your IT systems for your own use or to pass on to third parties. The duration of the processing (short-term or long-term storage, processing or forwarding) and the encryption of the data are irrelevant. Reception of customer-specific credit card data on your IT systems is the crucial criterion.
How do I prove that I meet the PCI DSS requirements?
In general, the obligation to validate compliance with PCI DSS applies to every company, regardless of its size and the annual number of credit card transactions it processes. The assessment methods with which a company must demonstrate compliance with PCI DSS, however, vary in depth and scope based on the annual transaction volume:
Small and medium-sized merchants and service providers can usually validate their PCI compliance by means of a self assessment. To do this, they must select the appropriate Self-Assessment Questionnaire (SAQ) for their company from a number of different questionnaires and fill it in truthfully.
Large merchant companies and service providers usually have to validate their PCI compliance through an extensive on-site assessment, which must be carried out by a Qualified Security Assessor accredited by the PCI Council.
Do you have questions about PCI DSS requirements or your PCI DSS compliance validation? Contact us, we will be happy to help you.