The Payment Card Industry Data Security Standard (PCI DSS) sets the requirements that organisations and merchants must meet to securely accept, store, process and transmit cardholder data for card transactions, with the aim of preventing fraud and data breaches. If your business carries out transactions with customers or suppliers using payment cards, then compliance with PCI DSS is critical.
PCI DSS was established through collaboration between the major card brands: American Express, Discover, JCB, Mastercard and Visa. The standard itself is managed and maintained by the Payment Card Industry Security Standards Council (PCI SSC), while compliance is enforced by the card brands and acquiring banks.
It is incumbent on organisations that accept card payments either to meet the obligations set out in PCI DSS themselves or to process payments through a compliant partner. Outsourcing payment handling to a compliant third party reduces the scope of the assessment, but it does not remove the merchant's own responsibility for compliance.
The primary goals of PCI DSS
The PCI DSS regime contains 12 requirements grouped under 6 primary security goals, which apply to the building and operation of the Cardholder Data Environment (CDE). These are the following:
Build and Maintain a Secure Network and Systems (Req. 1 & 2),
Protect Cardholder Data (Req. 3 & 4),
Maintain a Vulnerability Management Program (Req. 5 & 6),
Implement Strong Access Control Measures (Req. 7, 8 & 9),
Regularly Monitor and Test Networks (Req. 10 & 11),
Maintain an Information Security Policy (Req. 12).
What are the PCI DSS assessments?
PCI DSS provides several types of assessment, depending on how the CDE is used, managed and operated. Some can be completed as a Self-Assessment Questionnaire (SAQ), while others require a formal Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA). Merchants are assigned a level based on the number of transactions they process annually, among other criteria, and that level determines which type of assessment applies. Tesserent's team of QSAs provides cybersecurity advisory services. We work with our clients to determine the appropriate requirements based on the CDE, transaction level and other criteria.