The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed by the major payment card brands, including MasterCard, Visa, Discover, American Express, and JCB. PCI DSS was created, and is periodically updated, to help organizations that process payment cards prevent card fraud and breaches of cardholder information.
Any entity that processes, stores, or transmits credit card numbers must comply with the PCI standard. Organizations that do not comply with PCI DSS standards may lose the ability to accept credit cards as a form of payment.
PCI DSS Requirements
The Payment Card Industry Security Standards Council (PCI SSC) establishes the technical and operational requirements that protect cardholder data. The council is in charge of enforcing these security standards.
PCI DSS covers the technical and operational system components that handle cardholder data or that cardholder data depends on. The standard specifies 12 requirements, organized into six control objectives.
If you are a merchant that accepts or processes payment cards, you must comply with PCI DSS. The standard is designed to protect cardholder data while it is processed, stored, or transmitted. PCI DSS-compliant security controls and processes are critical for protecting cardholder account data, including the PAN, the primary account number printed on the face of a payment card.
After authorization, merchants and other payment card processing service providers should never store sensitive authentication data. Sensitive authentication data includes security data printed on the card or stored on the card's magnetic stripe or chip, and the personal identification number (PIN) entered by the cardholder.
How Many PCI DSS Control Objectives Are There and What Are the PCI DSS Control Objectives?
PCI SSC has developed controls that protect electronic and physical forms of payment, for transactions made with or without a physical card present. PCI DSS controls evolve continually to keep pace with changing technologies and with attackers' ability to compromise them.
PCI DSS version 3.2.1, which went into effect in May 2018, has six control objectives and 12 essential requirements. The following list sets out the control objectives and the 12 requirements that fall under them:
- PCI DSS Control Objective 1: Build and maintain a secure network.
  - PCI Requirement 1. Install firewalls and web filtering to protect cardholder data.
  - PCI Requirement 2. Change vendor-supplied default security configurations on all devices.
- PCI DSS Control Objective 2: Protect payment card and cardholder data.
  - PCI Requirement 3. Protect cardholder data stored on company servers or networks.
  - PCI Requirement 4. Encrypt cardholder data transmitted over open, public networks.
- PCI DSS Control Objective 3: Maintain a vulnerability management program.
  - PCI Requirement 5. Use, and keep up to date, antivirus and anti-malware software to protect cardholder data.
  - PCI Requirement 6. Develop and maintain secure systems and applications, using secure protocols in all applications.
- PCI DSS Control Objective 4: Implement strong access control measures, covering identity and access management.
  - PCI Requirement 7. Restrict access to cardholder data on a need-to-know basis.
  - PCI Requirement 8. Restrict all access to cardholder data to authenticated users and assign a unique ID to each person with access.
  - PCI Requirement 9. Restrict physical access to cardholder data and to the hardware and devices that hold it.
- PCI DSS Control Objective 5: Regularly monitor and test networks and network traffic, and regularly evaluate the effectiveness of those controls.
  - PCI Requirement 10. Monitor all access to network resources, and especially to cardholder data.
  - PCI Requirement 11. Regularly evaluate and test the effectiveness of existing security systems and processes.
- PCI DSS Control Objective 6: Maintain an information security policy that covers all personnel.
  - PCI Requirement 12. Maintain a policy that addresses information security and is accessible to, and applies to, all personnel.
PCI DSS is a worldwide data security standard that the payment card companies have adopted to address card security for every entity that processes, stores, or transmits cardholder data or sensitive authentication data. It is made up of steps that follow established security best practices.
PCI DSS requirements and control objectives apply to all companies that process card payments. They also apply to all companies that store, transmit, or otherwise come into contact with protected cardholder data.