The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures to optimize the security of credit, debit and cash card transactions and protect cardholders against theft of their personal information.
In other words, if any customer ever pays the merchant directly with a credit card or debit card, the PCI DSS requirements apply. This standard was created in 2004 by four major credit card companies: Visa, MasterCard, Discover and American Express.
There are two ways to perform the annual validation of compliance: an assessment by an external Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC), for companies handling large volumes of transactions, or a Self-Assessment Questionnaire (SAQ) for those that handle smaller volumes.
The main control objectives of the PCI DSS are building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, and maintaining an information security policy.
What are the levels of PCI DSS certification?
Every merchant falls into one of four merchant levels based on the number of transactions it processes over a 12-month period.
Level 1: any merchant that processes over 6M transactions per year.
Level 2: any merchant that processes 1M to 6M transactions per year.
Level 3: any merchant that processes 20,000 to 1M e-commerce transactions per year.
Level 4: any merchant that processes fewer than 20,000 e-commerce transactions per year, and all other merchants that process up to 1M Visa transactions per year.
What are the main requirements of the PCI DSS?
All transactions must be conducted within a secure network. In addition, authentication data must not rely on vendor-supplied defaults. Customers should be able to change such sensitive data conveniently and frequently.
Stored cardholder data must be protected, and cardholders' details must be kept secure against fraudsters. A unique ID should be assigned to each person with computer access. When such data is transmitted over public networks, it must be encrypted effectively.
All systems should be kept up to date and protected with current anti-malware software. All applications should be free of vulnerabilities that could lead to the theft or misuse of cardholder data.
Access to system information and operations should be restricted and controlled. Cardholder data should be protected physically as well as electronically.
Constant monitoring should be performed to ensure that all security measures and processes are in place, function properly and use up-to-date technologies.
A formal information security policy must be defined, maintained and followed consistently by all participating entities.
Nowadays, the importance of protecting sensitive data is obvious. You should make sure your customers' payment card data is kept safe and protected against the pain and cost of data breaches.