How to meet the latest payment card industry data security standards
If your business processes card transactions, protecting this highly sensitive information should be a high priority. Failure to introduce and maintain appropriate payment security standards could result in your organisation receiving significant fines and suffering serious reputational damage.
However, putting in place the range of controls needed to achieve compliance with the latest Payment Card Industry Data Security Standards (PCI DSS) can place a strain on your organisation.
As a leading provider of managed security and assessment services, Redscan can help your organisation to understand and implement the technical and operational controls needed to fulfil PCI requirements.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that protects against credit card fraud as well as many other security threats and gaps. Credit and debit card issuers, such as MasterCard and Visa, employ the security controls and processes defined in PCI DSS.
PCI DSS is also used by organisations that store, manage, and transmit credit card information. The most recent version of PCI DSS, 3.2, was released in April 2016.
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International, and Discover Financial Services. It holds the mandate of managing the development of PCI and the alignment of policies to the PCI DSS.
The PCI DSS is a minimum set of technical and organisational requirements designed to help businesses protect customers’ cardholder data against fraud through robust payment security.
All organisations that accept or process credit card payments are required to undertake an annual PCI DSS audit of security controls and processes, covering areas of data security such as retention, encryption, physical security, authentication and access management.
PCI DSS is enforced by the founding members of the PCI Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. Organisations deemed to fall short of required payment security standards, or those who are not working towards achieving compliance, are liable to receive a fine.
What we do
RNR helps organizations with the implementation of PCI DSS security standards designed to protect cardholder data. It is required by all organizations that store, process, or transmit cardholder data.
Under our PCI DSS services, we cover all aspects of cardholder data security, from physical security to network security to application security. It includes requirements for things like and we are here to take care of it all:
- Strong passwords and access controls
- Vulnerability scanning
- Data encryption
- Incident response
By using these services, organizations can improve their PCI DSS compliance posture and reduce their risk of being fined by payment card brands or losing customers due to a data breach. Get in touch with us and secure your business from all threats.
PCI DSS frequently asked questions
What cardholder data is protected?
PCI DSS applies to all organisations, such as merchants and service providers, that store, process and transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Cardholder data includes: Primary Account Number, Cardholder Name, expiration date and service code.
Sensitive authentication data includes full track data (magnetic stripe data or equivalent on a chip) and CAV, CVC, CVV and CID numbers, PINS and PIN blocks.
What is within the scope of a PCI DSS assessment?
The PCI DSS security requirements apply to all system components included in or connected to an organisation’s cardholder data environment (CDE). The CDE encompasses all people, processes and technologies that store, process, or transmit cardholder and sensitive authentication data.
PCI DSS can apply across the whole of an organisation, or to a subset of it if the CDE has been correctly compartmentalised. System components in scope include network devices, servers, computing devices, and applications.
Can cardholder data be stored?
Under PCI DSS, merchants and service providers are permitted to store cardholder data. Subject to specific usage and protection requirements, some acquirers may permit sensitive authentication data to be stored but only prior to payment authorisation.
What’s the difference between merchants and service providers?
A merchant is defined as any entity that accepts payment cards from any of the five founding members of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
A service provider, on the other hand, is a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data. If an organisation provides a service that involves only the provision of public network access, such as a telecommunications company providing a communication link, the organisation is not considered a service provider.
Note: Where a merchant stores, processes or transmits cardholder data on behalf of other merchants or services providers, it can also be a service provider.
PCI requirements
The PCI DSS version 3.2 encompasses six key objectives, split across a set of 12 requirements.
Key PCI DSS requirements:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management programme
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What is Application Security?
Effective Security Testing Safeguards your Applications from Cyber Threats & Vulnerabilities
RNR Application Security Testing helps you detect application vulnerabilities, provide full coverage for Web and Mobile application infrastructure and online services, and reduce risks to meet regulatory compliance requirements. Our Application Security Methodology extends beyond scanning software detection to identify and prioritize the most vulnerable aspects of your online application, as well as come up with practical Solutions.
Leave us message