PCI DSS – What You Should Know

12. November 2019

In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard. Be well informed on your PCI DSS certification.

Part 1: What is the Payment Card Industry Data Security Standard?

Payment card data is a very sought-after target for cyber criminals. In many cases, it can easily be stolen, especially from smaller companies, and turned into money with relatively little effort. Whether the attacks are carried out by professional hackers or malicious insiders: the criminals are usually highly organized, and the business with stolen payment card information is flourishing.

Discovery of theft of payment card information initially leads to a series of costly investigations. These investigations are followed by claims for damages and penal fines. Finally, publication of the incident by the press results in a loss of reputation from which a company can only recover with great effort. Customer confidence dwindles and your business suffers lasting damage.

This is why in October 2004, the payment card industry founded the Payment Card Industry Security Standards Council (PCI SSC) which developed the worldwide valid Payment Card Industry Data Security Standard (PCI DSS) by standardizing the security guidelines of the individual payment card schemes.

The PCI DSS is based on best practices and is continuously updated to counter current threats. It provides the basis for a standardized approach to protecting payment card data and includes both technical and organizational measures. If these measures are implemented, their combined effects provide a minimum level of security of payment card data.

Validating your company’s compliance with the PCI DSS can significantly influence the question of liability if a case of a payment card theft is detected. However, you must provide evidence that you had implemented and complied with all measures specified by the PCI DSS at the time of the incident.

The Main Target of Cyber Criminals

The number one target for cyber criminals are not the physical cards themselves, but the payment card data. Criminals are particularly interested in stealing these types of data:

• Cardholder name
• Expiry date
• Credit card number (PAN)
• Verification code (CVC2/CVV2/…)

This data is either printed on the card or stored on the chip and the magnetic strip. Once in possession of this data, criminals can make payments to the cardholder’s expense – e.g. on the internet. In some cases, the payment card number alone (without card verification code) is sufficient to make a purchase.

Credit card thieves often sell stolen data on to others, e.g. through an organized black market for stolen credit card data on the internet. The criminals are usually highly organized and operate internationally. Since it is almost impossible to trace their activities, their risk of being caught is relatively low.

The measures imposed by the PCI DSS focus on securing potential attack channels and therefore offer a significant level of protection for payment card data.

Also interesting:

usd PCI Best Practice Workshop 2021

usd PCI Best Practice Workshop 2021

For many years, the usd PCI Best Practice Workshop has brought together responsible PCI personnel from companies of all sizes and from all industries to discuss current topics from the world of payment card industry together with PCI experts from usd. The interactive...

3 Reasons for a Cloud Security Audit

3 Reasons for a Cloud Security Audit

Outsourcing applications and data to the cloud brings significant benefits for companies, but at the same time also new challenges for the corresponding IT departments. The technologies and processes of a cloud environment differ from those of local data centers....

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for...