Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA) that creates a report on compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives.” These six groups are:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Frequently Asked Questions

What information is protected by PCI DSS?

Information protected by PCI DSS includes cardholder data and sensitive authentication data. Cardholder data includes (i) Primary Account Number (PAN), (ii) Cardholder Name, (iii) Expiration Date, and (iv) Service Code.
Sensitive Authentication Data includes (i) full track data (magnetic-stripe data or equivalent on a chip), (ii) CAV2/CVC2/CVV2/CID, and (iii) PINs/PIN blocks.

What does PCI DSS apply to?

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Does PCI DSS affect the authentication process?

PCI DSS requires multi-factor authentication (MFA) to be implemented as defined in Requirement 8.3 and its sub-requirements. Multi-factor authentication requires an individual to present a minimum of two separate forms of authentication before access is granted.

Is Two-Step Authentication Acceptable for PCI DSS Requirement 8.3?

Requirement 8.3 calls for multi-factor authentication that requires an individual to present a minimum of two separate forms of authentication (as described in Requirement 8.2) before access is granted. Requirement 8.2 requires that non-consumer users and administrators on all system components be authenticated using at least one of the following methods:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.

What does PCI DSS recommend when it comes to authentication?

PCI DSS requires multi-factor authentication for all non-consumer users and administrators on all system components. Authentication should include a minimum of two separate forms from the following authentication methods:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric

Who needs PCI DSS compliance certification?

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

What are the PCI compliance levels and requirements?

There are two types of PCI DSS assessment reports: the Self-Assessment Questionnaire (SAQ) and the Report on Compliance (ROC). The PCI DSS audit and report depend on the type of organization (merchant or service provider), the volume of annual transactions, and the payment channels adopted. Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own compliance requirements and eligibility criteria for SAQ or ROC.