pci compliance standards

pci compliance standards - The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard established in December 2004 by the Payment Card Industry Security Standards Council. The PCI DSS was designed to help organizations belonging to the payment card industry (PCI) - that is, debit, credit, prepaid, e-purse, ATM, and point-of-sale (POS) companies - prevent credit card fraud by way of increased controls around their sensitive data and their exposure to compromise. The PCI Standard applies to all organizations that hold, process, and/or exchange cardholder information with any card company.

All organizations that deal with cardholder information are required to go through annual PCI DSS compliance assessments, during which the organizations' compliance with the Standard must be assessed and validated. There are two methods for validating an organization's compliance with the PCI DSS:

    Organizations handling large volumes of transactions must have their compliance assessed and verified by an independent assessor known as a Qualified Security Assessor (QSA).
    Businesses that handle smaller volumes of PCI card transactions may complete a self-certification of their PCI compliance using a Self-Assessment Questionnaire (SAQ); however, in some areas, organizations performing SAQ's must still have their compliance verified by a QSA.

Organizations that fail to comply with the PCI Standard and continue to maintain relationships with one or more card companies risk losing their abilities to process credit card payments, in addition to being audited and/or fined.

Although it is often stated that there are only 12 requirements for PCI compliance, there are, in fact, over 220 sub-requirements contained in the Standard. This makes PCI compliance difficult to understand and hard to follow, especially for smaller retailers and ecommerce stores. Indeed, even Michael Jones, CIO and Senior Vice President of Michaels' Stores, has testified that the PCI requirements are "very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement." Perhaps most surprisingly, some merchants have even suffered at the hands of their own POS vendors, who have used the issue of PCI compliance to force retailers into more frequent, and thus more expensive, equipment upgrades.

The most current version of the PCI DSS (v 1.2, issued October 1, 2008) organizes the 12 compliance standards into six groups, called "control objectives," as follows:

    Build and maintain a secure network. This involves such efforts as installing and maintaining a firewall and establishing strong passwords on vendor equipment.
    Protect cardholder data, i.e., by encrypting transmission of these data across public networks.
    Maintain a vulnerability management program, i.e. by regularly updating anti-virus software and maintaining secure systems and applications.
    Implement strong access control measures by, for instance, restricting access to cardholder data to only those who need to know the information, assigning unique IDs to all individuals with computer access, restricting physical access to cardholder data, etc.
    Regularly monitor and test networks.
    Maintain an information security policy.


pci compliance standards
Clearly, complying with the PCI DSS can be expensive, especially for smaller retailers and ecommerce stores. The simplest solution to alleviating these costs is to simply refrain from retaining customer credit card information. Still, organizations that deal with cardholder data should ensure that they are properly addressing PCI compliance measures, in order that they may continue to process card payments.