The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that protect data in card-based electronic transactions, guarding against fraud.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an international security standard that applies to payment systems, to protect the data involved in card-based and related electronic transactions. Considering the transition to a cashless society, the huge number of transactions each day involving card payment data is a juicy honeypot for would-be criminals looking to steal funds. The PCI DSS, created by Visa, MasterCard, JCB, American Express, and Discover, seeks to keep data safe and secure, out of the hands of these thieves.
All organisations that store, process, or transmit payment account data must comply with the standard or face fines and sanctions. Entities operating as a Point of Sale, Merchant, Service Provider, or Acquirer will need to take note of their obligations. The current version of the standard is PCI DSS v4.0. Tesserent can help companies that require PCI DSS services.
What are the 6 principles of PCI DSS?
The six main goals of the PCI DSS are to:
Build and Maintain a Secure Network and Systems (Req. 1 & 2)
Protect Account Data (Req. 3 & 4)
Maintain a Vulnerability Management Program (Req
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
What are the 12 requirements of PCI DSS?
The 12 requirements of the PCI DSS must be followed to ensure transactions are as secure as possible and comply with the standard:
Install and maintain network security controls
Apply secure configurations to all system components
Protect stored account data
Protect cardholder data with strong cryptography during transmission over open, public networks
Protect all systems and networks from malicious software
Develop and maintain secure systems and software
Restrict access to system components and cardholder data by business need to know
Identify users and authenticate access to system components
Restrict physical access to cardholder data
Log and monitor all access to system components and cardholder data
Test security of systems and networks regularly
Support information security with organizational policies and programs
What is PCI Compliance?
PCI compliance is achieved either by a Self-Assessment Questionnaire or by a PCI DSS assessment by a Qualified Security Assessor (QSA) that results in a Report on Compliance, depending on the compliance level of the organisation. A PCI DSS audit is designed to assess adherence to the technical and administrative controls within the standard; its findings can then drive remediation efforts, alongside mandatory reporting.
PCI DSS compliance levels
Merchants are classified at four different levels of compliance, depending on how many transactions are conducted in a year. Each level’s criteria may vary slightly depending on the provider (e.g. Visa, MasterCard).
Level 1: Merchants with over six million transactions that meet the provider's criteria.
Level 2: Merchants with between one and six million transactions that meet the criteria.
Level 3: Merchants with between 20,000 and one million transactions that meet the criteria.
Level 4: Other merchants.
Service providers are classified at two different levels of compliance.
Level 1: All service providers and those with over 300,000 transactions.
Level 2: All Terminal Servicers, plus AML/Sanctions Service Providers, Data Storage Entities, and Payment Facilitators with up to 300,000 annual transactions.
PCI DSS benefits
Provide assurance to customers
Reduce organisational risk
Reduce the risk of data breaches
Stamp out fraud
Protect cardholder data
Avoid fines and sanctions
Support legal and regulatory compliance requirements
PCI DSS challenges
Identifying and defining the PCI DSS scope for organisations
Meeting the complex compliance rules of the PCI DSS
Inadequate control implementation
Changing internal systems and data handling mechanisms
Updating from an earlier PCI DSS version to version 4
Completing self-assessments correctly
Ensuring third-party PCI compliance
PCI DSS compliance best practices
The PCI Security Standards Council has published Best Practices for Maintaining PCI DSS Compliance. Some of these best practices include:
Develop and maintain a sustainable compliance program
Develop program, policy, and procedures
Define performance metrics to measure success
Assign ownership for coordinating security activities
Continuously monitor controls
Maintain Security Awareness
Monitor compliance of third-party service providers
Written by Smita Mylavarapu