October 11th, 2021
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI DSS compliance applies to every organization that accepts, transmits, or stores any cardholder data, irrespective of its size or number of transactions.
There are four merchant compliance levels, assigned by Visa transaction volume over a 12-month period.
Level 1 – Any merchant, irrespective of acceptance channel, processing over 6 million transactions per year.
Level 2 – Any merchant, irrespective of acceptance channel, processing between 1 million and 6 million transactions per year.
Level 3 – Any merchant, irrespective of acceptance channel, processing between 20,000 and 1 million transactions per year.
Level 4 – Any merchant, irrespective of acceptance channel, processing fewer than 20,000 transactions per year.
PCI DSS sets out 12 requirements:
1. Installing and Maintaining Firewalls:
Firewalls block attempts by unauthorized external entities to reach private data.
2. Password Protection and Avoiding Generic Passwords:
Vendor-supplied default passwords must not be used. An inventory of all in-scope systems, together with their configuration and hardening procedures, must be maintained.
3. Protection of Cardholder Data:
Stored card data must be encrypted with industry-accepted algorithms. Beyond the encryption itself, this requirement also calls for a PCI DSS encryption key management process.
4. Encryption of Transmitted Cardholder Data:
Card data must be secured (encrypted) whenever it is transmitted over open or public networks.
5. Using and Updating Anti-Virus Software:
Anti-virus or anti-malware software must be installed to detect known malware, and it must be kept up to date.
6. Maintaining Updates of Software:
All software that maintains security, and the supporting services it depends on, must be updated regularly. Any security patch should be installed promptly to close the vulnerability it fixes.
7. Restricting Access to Cardholder Data:
Access is granted strictly on a need-to-know basis: third parties, staff and anyone else who does not require access to cardholder data should not be given it.
8. Unique Access ID:
Every individual with access to cardholder data must have a unique access ID, so that activity can be traced to one person and exposure is reduced.
9. Physical Restrictions to Cardholder Data:
Cardholder data must be kept in a physically secured location. Surveillance and entry logs must also be maintained so that it is known who has had physical access to the data.
10. Maintaining Access Logs to Cardholder Data:
An access log must be maintained at all times, recording every activity involving cardholder data and primary account numbers (PANs).
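Requirements 3, 8 and 10 above name the controls but not how they fit together in code. The following Go program is an added example, not code from the original article or from the PCI Security Standards Council: it seals a PAN with AES-256-GCM under a data-encrypting key (DEK) that is itself stored only wrapped by a key-encrypting key (KEK), refuses to decrypt without a unique user ID, and appends one access-log line per decrypt that records who, when and the outcome but never the PAN. Vault, StorePAN, ReadPAN and RotateKEK are illustrative names assumed for this example, and the card number used in main is a constructed test value, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// randomBytes panics if the OS CSPRNG fails, which is not recoverable here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM for a 16/24/32-byte key; a wrong length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return gcm
}

// seal returns nonce||ciphertext||tag, using a fresh random nonce per call.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open verifies the GCM tag, so a tampered blob is rejected rather than decrypted.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Vault holds the KEK and the DEK wrapped under it; AccessLog is an append-only decrypt record.
type Vault struct {
	kek, wrappedDEK []byte
	AccessLog       []string
}

func NewVault() *Vault {
	kek, dek := randomBytes(32), randomBytes(32) // 256-bit AES keys
	return &Vault{kek: kek, wrappedDEK: seal(kek, dek)}
}

func (v *Vault) dek() ([]byte, error) { return open(v.kek, v.wrappedDEK) }

// StorePAN seals a PAN under the DEK; the blob never carries the PAN in clear.
func (v *Vault) StorePAN(pan string) ([]byte, error) {
	dek, err := v.dek()
	if err != nil {
		return nil, err
	}
	return seal(dek, []byte(pan)), nil
}

// ReadPAN decrypts for an identified user and logs who, when and the outcome, never the PAN.
func (v *Vault) ReadPAN(userID string, sealedPAN []byte) (string, error) {
	if userID == "" {
		return "", errors.New("a unique user ID is required to access cardholder data")
	}
	dek, err := v.dek()
	if err != nil {
		return "", err
	}
	pan, err := open(dek, sealedPAN)
	v.AccessLog = append(v.AccessLog, fmt.Sprintf("%s user=%s action=decrypt_pan ok=%t",
		time.Now().UTC().Format(time.RFC3339), userID, err == nil))
	return string(pan), err
}

// RotateKEK re-wraps the DEK under a new KEK; stored card blobs are untouched.
func (v *Vault) RotateKEK() error {
	dek, err := v.dek()
	if err != nil {
		return err
	}
	newKEK := randomBytes(32)
	v.kek, v.wrappedDEK = newKEK, seal(newKEK, dek)
	return nil
}

func main() {
	v := NewVault()
	blob, _ := v.StorePAN("4111111111111111") // constructed test PAN, not a real card
	fmt.Println(v.ReadPAN("alice", blob))
}
```

Because the DEK is stored wrapped rather than in clear, RotateKEK can rotate the KEK without re-encrypting a single stored card blob; that separation is the practical core of a key management process. In a production vault the KEK would be held in an HSM or a cloud key management service rather than in process memory, and the access log would be shipped to a write-once store.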
11. Test System for Vulnerabilities:
Systems must be checked regularly for malfunctions, out-of-date software and human error, so that weaknesses are found and fixed before they can be exploited.
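One regular check that catches the human error named above is scanning application and access logs for card numbers that were written in clear. This Go scanner is an added example, not part of the article: it finds 13- to 19-digit sequences, filters them with the Luhn check-digit test that PANs satisfy, and reports only the line and digit count so that the scan output does not itself leak the number. SampleLog is a constructed log excerpt, and the card number in it is a test value, not a real card.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// digitRun matches 13 to 19 digits, the PAN length range, allowing a single
// space or dash between digits as printed on cards and in many log formats.
var digitRun = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a pure digit string passes the Luhn check-digit test.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding records where a PAN-shaped value was found, without echoing it.
type Finding struct {
	Line   int // 1-based line number in the scanned text
	Length int // number of digits in the suspected PAN
}

// ScanForPANs returns at most one finding per line that contains a Luhn-valid
// 13-19 digit sequence. Reporting only position and length keeps the scanner
// itself from re-leaking the PAN into its own output.
func ScanForPANs(logText string) []Finding {
	strip := strings.NewReplacer(" ", "", "-", "")
	var findings []Finding
	for i, line := range strings.Split(logText, "\n") {
		for _, m := range digitRun.FindAllString(line, -1) {
			if digits := strip.Replace(m); luhnValid(digits) {
				findings = append(findings, Finding{Line: i + 1, Length: len(digits)})
				break
			}
		}
	}
	return findings
}

// SampleLog is a constructed excerpt: lines 2 and 4 leak a test PAN in clear
// (the second one with spaces), line 3 holds a 13-digit order number that is
// not Luhn-valid, and line 1 is a correct access-log entry that names no card.
const SampleLog = `2021-10-11T09:00:01Z user=alice action=decrypt_pan ok=true
2021-10-11T09:00:02Z DEBUG card=4111111111111111 amount=19.99
2021-10-11T09:00:03Z order=1234567890123 status=ok
2021-10-11T09:00:04Z DEBUG card=4111 1111 1111 1111 retry=1`

func main() {
	for _, f := range ScanForPANs(SampleLog) {
		fmt.Printf("line %d: %d-digit Luhn-valid number, possible PAN in clear\n", f.Line, f.Length)
	}
}
```

Run it over exported log files or wire it into CI against test-run output. A Luhn-valid 13 to 19 digit run is not proof of a PAN, so findings are leads for review; a confirmed hit means both purging the stored logs and fixing the code path that logged the value.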
12. Policy Documents:
All of the above requirements can only be implemented properly if each is backed by maintained documentation, from access logs through to every compliance control.
PCI DSS compliance is essential, not optional. It is mandatory for anyone who processes cards and obtains or stores any cardholder information, and agreeing to adhere to PCI DSS is an automatic condition of signing up with a payment processing company.