PCI DSS – What You Should Know

12. November 2019

In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard. Be well informed on your PCI DSS certification.

Part 1: What is the Payment Card Industry Data Security Standard?

Payment card data is a very sought-after target for cyber criminals. In many cases, it can easily be stolen, especially from smaller companies, and turned into money with relatively little effort. Whether the attacks are carried out by professional hackers or malicious insiders: the criminals are usually highly organized, and the business with stolen payment card information is flourishing.

Discovery of theft of payment card information initially leads to a series of costly investigations. These investigations are followed by claims for damages and penal fines. Finally, publication of the incident by the press results in a loss of reputation from which a company can only recover with great effort. Customer confidence dwindles and your business suffers lasting damage.

This is why in October 2004, the payment card industry founded the Payment Card Industry Security Standards Council (PCI SSC) which developed the worldwide valid Payment Card Industry Data Security Standard (PCI DSS) by standardizing the security guidelines of the individual payment card schemes.

The PCI DSS is based on best practices and is continuously updated to counter current threats. It provides the basis for a standardized approach to protecting payment card data and includes both technical and organizational measures. If these measures are implemented, their combined effects provide a minimum level of security of payment card data.

Validating your company’s compliance with the PCI DSS can significantly influence the question of liability if a case of a payment card theft is detected. However, you must provide evidence that you had implemented and complied with all measures specified by the PCI DSS at the time of the incident.

The Main Target of Cyber Criminals

The number one target for cyber criminals are not the physical cards themselves, but the payment card data. Criminals are particularly interested in stealing these types of data:

• Cardholder name
• Expiry date
• Credit card number (PAN)
• Verification code (CVC2/CVV2/…)

This data is either printed on the card or stored on the chip and the magnetic strip. Once in possession of this data, criminals can make payments to the cardholder’s expense – e.g. on the internet. In some cases, the payment card number alone (without card verification code) is sufficient to make a purchase.

Credit card thieves often sell stolen data on to others, e.g. through an organized black market for stolen credit card data on the internet. The criminals are usually highly organized and operate internationally. Since it is almost impossible to trace their activities, their risk of being caught is relatively low.

The measures imposed by the PCI DSS focus on securing potential attack channels and therefore offer a significant level of protection for payment card data.

Also interesting:

Software Security: Requirement and Threat Analysis

Software Security: Requirement and Threat Analysis

In practice, it is not an easy task for manufacturers to continuously integrate a strong security mindset into complex software projects. In our blog series, Stephan Neumann, Head of usd HeroLab, and Torsten Schlotmann, Head of PCI Security...

Security Advisory for VMware Workspace ONE Intelligent Hub

Security Advisory for VMware Workspace ONE Intelligent Hub

Our usd HeroLab pentesters have identified a vulnerability in VMware Workspace ONE Intelligent Hub software while conducting their security analyses. It is a Hidden Functionality / Backdoor (CWE-912) and affects the versions (Android) and 21.01.0 (build...

Security Advisory 11/2021

Security Advisory 11/2021

The usd HeroLabs pentesters have identified vulnerabilities in various products of well-known manufacturers while conducting their security analyses. These include the CVE database from the open source software company SUSE, an appliance from Sophos that is used in...