PCI DSS – What You Need to Know

6. April 2023

In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard. Be well informed on your PCI DSS certification.

Part 1: What is the Payment Card Industry Data Security Standard?

Payment card data is a very sought-after target for cyber criminals. In many cases, it can easily be stolen, especially from smaller companies, and turned into money with relatively little effort. Whether the attacks are carried out by professional hackers or malicious insiders: the criminals are usually highly organized, and the business with stolen payment card information is flourishing.

Discovery of theft of payment card information initially leads to a series of costly investigations. These investigations are followed by claims for damages and penal fines. Finally, publication of the incident by the press results in a loss of reputation from which a company can only recover with great effort. Customer confidence dwindles and your business suffers lasting damage.

This is why in October 2004, the payment card industry founded the Payment Card Industry Security Standards Council (PCI SSC) which developed the worldwide valid Payment Card Industry Data Security Standard (PCI DSS) by standardizing the security guidelines of the individual payment card schemes.

The PCI DSS is based on best practices and is continuously updated to counter current threats. It provides the basis for a standardized approach to protecting payment card data and includes both technical and organizational measures. If these measures are implemented, their combined effects provide a minimum level of security of payment card data.

Validating your company’s compliance with the PCI DSS can significantly influence the question of liability if a case of a payment card theft is detected. However, you must provide evidence that you had implemented and complied with all measures specified by the PCI DSS at the time of the incident.

The Main Target of Cyber Criminals

The number one target for cyber criminals are not the physical cards themselves, but the payment card data. Criminals are particularly interested in stealing these types of data:

• Cardholder name
• Expiry date
• Credit card number (PAN)
• Verification code (CVC2/CVV2/…)

This data is either printed on the card or stored on the chip and the magnetic strip. Once in possession of this data, criminals can make payments to the cardholder’s expense – e.g. on the internet. In some cases, the payment card number alone (without card verification code) is sufficient to make a purchase.

Credit card thieves often sell stolen data on to others, e.g. through an organized black market for stolen credit card data on the internet. The criminals are usually highly organized and operate internationally. Since it is almost impossible to trace their activities, their risk of being caught is relatively low.

The measures imposed by the PCI DSS focus on securing potential attack channels and therefore offer a significant level of protection for payment card data.

PCI DSS v4.0 is here

On March 31, 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS - the most comprehensive update of the security standard for credit card data ever. As of March 31, 2024, PCI DSS v4.0 will completely replace the previous version 3.2.1. 

Do you have any questions about the PCI DSS or your PCI DSS compliance validation? Contact us, we are happy to help.

Also interesting:

Setting off for DORA – Your Preparation in 3 Steps

Setting off for DORA – Your Preparation in 3 Steps

DORA, the Digital Operational Resilience Act, is currently keeping the entire European financial sector on tenterhooks. The European Commission's regulation is accompanied by extensive requirements for digital resilience and there is less than a year left to implement...

What Cyber Security Has to Do with Your Annual Financial Statements

What Cyber Security Has to Do with Your Annual Financial Statements

Inadequate cyber security is one of the biggest risks for companies today. This is the assessment of the World Economic Forum, which ranks cyber insecurity as the fourth biggest risk for the next two years in its Global Risks Report 2024. That is why cyber security...