What is PCI DSS?

by Süleyman Petek 3. July 2015 21:46
Payment Card Industry Data Security Standard aka PCI DSS

Payment Card Industry Data Security Standard, a.k.a. PCI DSS, is a set of security policies and procedures for protecting the payment cards that you use instead of cash.

As they define it on their website: "The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents."

When you think of your daily life,

  • you work for money for a month
  • at the end of the month you earn your salary and it is transferred to your account
  • you pay your bills online
  • you use credit card / debit card while you are at a cafe/bar restaurants etc.
  • you use credit card while you shop online
  • and so on
Did you notice that you never actually see the money physically? You just see numbers on a screen, whether on your mobile phone or on your bank's website. As a customer of your bank, you should be able to be confident about your privacy and security.

Compared with the old days, the way thieves work has changed a lot. When I was a child, Lucky Luke was protecting the bank from the Daltons.


Now life is easier, but somehow it is easier for the thieves too. So you need proven security guidance. When you comply with PCI DSS,

  1. Your customers will feel secure when they do money-related business with you
  2. This trust will feed back positively into your business
  3. Your partners will also feel they can trust you
  4. A good reputation among business partners will also bring new partners and new customers
To comply with PCI DSS you need to meet the following; the standard is organised into 6 main goals and 12 requirements:

Say that you have done all of the above; then what is next? The answer is an audit. You will be audited by a QSA (Qualified Security Assessor) and an ASV (Approved Scanning Vendor), both authorized by the PCI Security Standards Council. In some cases the company does not have to be audited on site and can instead prove its compliance via an SAQ (Self-Assessment Questionnaire).

Major payment card brands have created their own security programmes based on PCI DSS; Visa's, for instance, is shown below.

For further information you can check this out.

According to the document, the PCI DSS applies to "all entities involved in payment card processing - including merchants, processors, financial institutions and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data."

The standard defines cardholder data (CHD) and sensitive authentication data (SAD) as follows:

Cardholder Data

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data

  • Full track data (magnetic stripe data, or its equivalent on a chip)
  • CAV2/CVC2/CVV2/CID numbers
  • PINs/PIN blocks
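As an added example (not part of the original post), the following Python turns these two definitions into something a developer or log reviewer can actually use: it classifies record fields as CHD or SAD, drops SAD before a post-authorization record is persisted, masks the PAN to its first six and last four digits for display, and scans a log line for an unmasked PAN. The field names, the sample record and the sample log line are constructed for this example; the rules that SAD must not be retained after authorization and that a displayed PAN shows at most the first six and last four digits come from PCI DSS Requirement 3, which the post does not itself quote. The Luhn check is the standard card-number check digit algorithm, used here only to reduce false positives when scanning text.

```python
"""Added example: handling CHD and SAD as PCI DSS defines them.

Assumptions (not from the original post): the field names below are this
example's own convention; the retention and masking rules are those of
PCI DSS Requirement 3; sample data is constructed and not real card data.
"""
import re
from typing import Any, Dict, List

# Field classes taken from the standard's definitions quoted in the post.
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
SAD_FIELDS = {"track_data", "cvv2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data (the PAN is the well-known test number 4111...).
SAMPLE_RECORD: Dict[str, Any] = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Example",
    "expiration_date": "12/26",
    "service_code": "201",
    "track_data": "%B4111111111111111^EXAMPLE/A^2612201...?",
    "cvv2": "123",
    "pin_block": "0412AC89ABCDEF67",
    "amount": "42.00",
}
SAMPLE_LOG_LINE = (
    "2015-07-03 21:46 INFO charge ok pan=4111 1111 1111 1111 cvv2=123 amount=42.00"
)


def classify(field: str) -> str:
    """Return 'CHD', 'SAD' or 'other' for a record field name."""
    if field in SAD_FIELDS:
        return "SAD"
    if field in CHD_FIELDS:
        return "CHD"
    return "other"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def strip_sad(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop SAD fields: they must not be stored once authorization is done."""
    return {k: v for k, v in record.items() if classify(k) != "SAD"}


def for_logging(record: Dict[str, Any]) -> Dict[str, Any]:
    """What may reach a log: no SAD, and the PAN masked."""
    out = strip_sad(record)
    if "pan" in out:
        out["pan"] = mask_pan(str(out["pan"]))
    return out


def find_pans(text: str) -> List[str]:
    """Return digit strings in text that look like PANs and pass Luhn.

    Useful for checking logs and debug output for unmasked card numbers.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    print("stored  :", strip_sad(SAMPLE_RECORD))
    print("logged  :", for_logging(SAMPLE_RECORD))
    print("leaked  :", find_pans(SAMPLE_LOG_LINE))
```

The log scan flags the constructed line because it carries a full PAN; the same line after `for_logging` would carry `411111******1111`, which the scanner ignores. The CVV2 in that line is a separate finding: it is SAD, and it should never have been written to a log at all.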

If you're confused about how to get started with this process, then contracting a qualified assessment firm can help you to pinpoint any areas of improvement in your existing security policies.
