PCI-DSS stands for Payment Card Industry Data Security Standards. This is the result of a collaboration which started in 2004 between the major debit and credit cards companies. American Express, Discover, JCB, MasterCard and Visa. A set of security standards were designed to ensure a secure environment is maintained by all companies who accept, process, store or transmit any cardholder data. This covers operational and technical practices for system components included in or connected to environments with cardholders data. On 7 September 2006, the Payment Card Industry Security Standards Council (PCI SSC) was created to manage the ongoing evolution of the Payment Card Industry (PCI) security standards. The focus is on improving payment account data security throughout the transaction process. This is achieved by developing standards and supporting services that drives education, awareness and effective implementation by stakeholders. There are four strategic pillars in this mission. These are: - Increase industry participation and knowledge - Evolve security standards and validation - Secure emerging payment channels - Increase standards alignment and consistency
Also, the founders recognised the importance of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) must be qualified by PCI SSC. The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council - PCI SSC, an independent body that was also created by the major payment card brands. It is important to note that the payment companies and acquirers are responsible for enforcing compliance, not the PCI SSC.
If your business accepts, processes, stores or transmits payment card data, PCI DSS applies to your business therefore your business needs to comply with the standard. Merchants and service providers compliance requirements differ depending on a number of factors such as the size of the organisation and the volume of transactions it undertakes throughout the year. The criteria that a merchant or service provider has to meet are set by the individual payment card providers, each of which has its own compliance programme. PCI DSS compliance requirements vary depending on the number of transactions a business accepts. The following merchant levels apply (criteria is from Stripe).
The PCI DSS is a standard and not a law. It is enforced through contracts between merchants, acquiring banks and payment brands. Each payment brand can fine acquiring banks for PCI DSS compliance violations and, acquiring banks can withdraw the ability to accept card payments from non-compliant merchants. It’s also important to remember that a PCI DSS breach is always a GDPR breach as cardholder data is classified as personal data under regulation. Enforcement action from your acquiring bank, your organisation could face fines of up to £18 million or 4% of annual global turnover under the GDPR whichever is greater.
Not necessarily. Only the system components which store, process, or transmit cardholder data and/or sensitive authentication data. The PCI DSS specifies 12 requirements that are organised into 6 control objectives.
To ensure personal data is protected, you need to have visibility to where it lives and how it gets there. A comprehensive map of the systems handling such sensitive data is a good starting point. This will very likely require collaboration with security, IT, payments, finance and legal teams. Some organisations may choose to create a dedicated PCI DSS team with a representative of each required team.
In a lot of cases using a service provider like Stripe to handle payments is worthwhile because it eliminates much of the security complexity.
There are multiple ways in which payments are made.
PCI compliance is an ongoing process to ensure your business remains PCI compliant. Having said this, an ongoing collaboration will be required between different departments such as security, IT, payments, finance and legal.
Software es nuestra pasión.
Somos Software Craftspeople. Construimos software bien elaborado para nuestros clientes, ayudamos a los/as desarrolladores/as a mejorar en su oficio a través de la formación, la orientación y la tutoría. Ayudamos a las empresas a mejorar en la distribución de software.