PCI DSS

Be compliant and give your customers confidence. Get a quote from Omni today!

What is PCI/DSS?

PCI DSS compliance covers anyone or any business that processes card transactions. These businesses need to put into place the controls required to meet the latest compliance standards, as set out by the PCI Security Standards Council (PCI SSC). This means that your business needs to protect this highly-sensitive data and PCI DSS should be an integral part of your information security strategy. Failure to comply and meet these standards could result in serious damage to the reputation of your brand and you could get a large fine.

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standards. These standards are designed to ensure that organisations keep adequate cyber defences against attacks that are aimed at stealing cardholder data.

What is PCI DSS?

PCI DSS is a minimum set of organisational and technical requirements. These technical and organisational requirements have been created to help your company safeguard your customers’ cardholder data. In short, you must put adequate fraud protection in place and keep robust payment security. All organisations that process card transactions must have an annual PCI DSS audit of the processes and security controls that have been put in place. Your annual PCI DSS audit will look at data security areas such as:

• Encryption
• Retention
• Access management
• Physical security
• Authentication

Who does PCI DSS apply to?

PCI DSS applies to any business, organisation, or company that accepts, processes, or stores credit card payments and any business that transmits cardholder data (CHD) or sensitive authentication data (SAD). Examples of the types of organisations that PCI DSS applies to include:

• Service providers
• Merchants
• Acquirers
• Processors
• Issuers

Any business that outsources payment processing to a third-party organisation must ensure that all account data is suitably protected by that third party. The vulnerabilities that PCI DSS is designed to help companies avoid can appear anywhere within the card-processing ecosystem. The areas where these vulnerabilities appear include:

• Point-of-sale (POS) devices
• Internet-connected shopping applications
• Personal computers, servers, and mobile devices
• Remote access connections
• Wireless hotspots/Wi-Fi hotspots
• Cardholder data transmissions to service providers
• Paper-based storage systems

PCI DSS compliance is enforced by the founders of the PCI Security Standards Council. The members of the PCI Security Standards Council include MasterCard, American Express, Visa Inc., Discover Financial Services, and JCB. Any organisation that does not meet the security standards, or that is not working towards achieving these compliance security standards, is liable to receive a significant fine. The PCI Security Standards Council has two main objectives:

• To help financial institutions and merchants understand security policy standards that protect payment systems against cardholder data theft.
• To help vendors understand and implement the necessary standards for creating secure payment solutions.

What is the PCI DSS standard?

The latest PCI DSS standard is PCI DSS Version 3.2.1. The standard has six key goals/objectives:

• Protect cardholder data
• Build and maintain a secure network and systems
• Maintain an information security policy
• Implement strong access control measures
• Maintain a vulnerability management program
• Regularly monitor and test networks

There are twelve PCI DSS requirements that further expand and add clarity to these goals, consisting of detective, preventative, and directive controls:

1. Protect stored cardholder data
2. Encrypt cardholder data that is transmitted across open public networks
3. Install, configure, and maintain a firewall to protect cardholder data
4. Don’t use the default vendor-supplied system passwords and security parameters
5. Keep a policy that addresses information security for all personnel
6. Restrict physical access to cardholder data
7. Restrict access to cardholder data using a business need-to-know approach
8. Identify and authenticate access to system components
9. Develop and maintain secure applications and systems
10. Regularly update anti-virus programs or software and protect all systems against malware
11. Regularly test processes and security systems
12. Monitor and track all access to cardholder data and network resources

Below is more detailed information about each of these twelve PCI DSS requirements.

Protect stored cardholder data - Sensitive cardholder data shouldn’t be stored unless it is vital for meeting the needs of your business. You should limit the retention time of cardholder data, not store authentication information after authorisation, hide the customer’s primary account number (PAN) or show at most the first six and the last four digits, and implement procedures for the protection of the keys used for cardholder data encryption.

Encrypt cardholder data that is transmitted across open public networks - Cybercriminals can intercept cardholder data that is transmitted over public or open networks. You must use strong security protocols and cryptography to safeguard cardholder information, ensure procedures and security policies are documented, and never send primary account numbers via email, chat, SMS, or instant messaging.

Install, configure, and maintain a firewall to protect cardholder data - Firewalls assess computer traffic that moves in or out of the company’s network. Firewalls can be found on devices such as routers and any other device that forms part of the cardholder data environment. For PCI DSS compliance, you must establish, implement, and configure a firewall. The firewall configuration must restrict traffic from untrusted networks, must be installed on any device that connects to the internet from outside the company network, must prohibit direct public access between the internet and system components that are part of the cardholder data environment, and must ensure that operational procedures and security policies are documented and known by all affected parties.

Don’t use the default vendor-supplied system passwords and security parameters - Vendor-supplied default passwords are the easiest route for hackers to attack and exploit your payment card infrastructure. You should change all vendor-supplied passwords, use strong encryption and cryptography for all components covered by PCI DSS, document operational procedures and security policies, and keep an inventory of the system components that are covered by the PCI DSS standard.

Keep a policy that addresses information security for all personnel - A security policy will inform all personnel of their duties related to the security and protection of cardholder data. You should introduce risk assessment processes on an annual basis, publish your security policy, screen employment candidates to protect against internal attacks, and have an incident response plan in place to ensure an immediate response to system breaches.

Restrict physical access to cardholder data - Physical access to devices, hard copies, and systems that hold cardholder data should be protected. The protection should prevent unauthorised temporary workers, visitors, and guests from gaining physical access. You should use entry controls at sensitive areas, develop a system that easily distinguishes visitors from the regular workforce, secure media backups, have strict control over sharing media internally and externally, and destroy media as soon as it is no longer required for legal or business needs.

Restrict access to cardholder data using a business need-to-know approach - Access to cardholder data must be granted on a need-to-know basis. You should limit access to cardholder data systems to personnel whose roles require it, set access controls to deny all unless access is specifically granted, and document your policies and procedures.

Identify and authenticate access to system components - A unique identifier (ID) should be issued to each member of your workforce who has access to systems and data. You should give each user an individual username, add multi-factor authentication to the cardholder data environment for remote access and non-console administrative access, restrict access to cardholder databases, distribute authentication policies to all users, and never use shared or group identifiers.

Develop and maintain secure applications and systems - All critical systems should be updated with the latest security patches to help protect PAN data. You should install vendor-supplied security patches, protect public-facing web applications, and ensure PCI DSS requirements are implemented when significant network or system changes are made.

Regularly update anti-virus programs or software and protect all systems against malware - Malware may enter your network via e-mail or other online business activities, so anti-virus software must be installed on all systems that might be affected. You should ensure anti-virus software is running and cannot be disabled by users, ensure anti-virus software is up to date and conducts scheduled scans, and document your procedures and security policies.

Regularly test processes and security systems - Regular testing of security systems is vital, particularly when new software or system changes are implemented. You should run internal and external vulnerability tests, test for the presence of wireless access points, use network intrusion detection, conduct penetration testing, and introduce a change-detection mechanism for files.

Monitor and track all access to cardholder data and network resources - Tracking access to cardholder data is essential for uncovering the causes when something goes wrong. You should implement audit trails, use time synchronisation technology for system clocks, protect audit trails so that they cannot be tampered with, retain audit trail data for at least one year, and review security events when suspicious activity is noticed.
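Two of the requirements above meet in practice: the PAN display rule (first six and last four digits at most) and the audit-trail requirement, because application logs are a common place for unmasked PANs to leak into storage they were never meant to reach. The following Python is an added example, not part of the original page or of any PCI SSC material; the log lines and the order number are constructed, and 4111111111111111 / 4222222222222 are widely used test numbers, not real accounts. The Luhn check and the 13 to 19 digit length are the usual heuristics for telling a PAN from other long numbers, so this is a best-effort detector rather than a compliance control in itself.

```python
import re
from typing import List

# A PAN is 13 to 19 digits, possibly written with spaces or dashes between groups.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters most timestamps, order ids and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 3.2.1 Req. 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(log_line: str) -> List[str]:
    """Return the Luhn-valid PAN candidates found in one log line."""
    hits = []
    for m in PAN_RE.finditer(log_line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_line(log_line: str) -> str:
    """Rewrite a log line so any PAN it contains is masked before storage."""
    def _mask(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_RE.sub(_mask, log_line)


# Constructed sample: one line leaks a test PAN, the other only has an order id.
SAMPLE_LOG = [
    "2024-01-01 12:34:56 INFO payment ok card=4111 1111 1111 1111 order=20240101123456",
    "2024-01-01 12:35:02 INFO refund queued order=20240101123456",
]
```

Running `redact_line` over `SAMPLE_LOG` masks the card in the first line and leaves the order number alone, while `find_unmasked_pans` is the check you would run over existing log stores before retaining them for the year the standard requires.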

Frequently Asked PCI DSS Questions

Service providers and merchants can store cardholder data under PCI DSS. This is subject to the protection and usage requirements, and some acquirers permit sensitive authentication data to be stored, but only prior to payment authorisation.

PCI DSS cardholder data includes the cardholder name, primary account number, service code, and expiration date. PCI DSS also covers sensitive authentication data, including PINs, PIN blocks, CAV, CVV, CVC, and CID numbers, and full track data, which includes chip and magnetic stripe data.

Service providers are entities that handle the storing, processing, or transmission of cardholder data. Merchants, on the other hand, accept cards issued under any of the five PCI Security Standards Council members (Discover, JCB International, American Express, MasterCard Worldwide, and Visa Inc.) as payment for goods or services.

A PCI DSS assessment/audit assesses all system components that are connected to the business’s cardholder data environment (CDE). The scope of CDE covers all personnel, technology, and processes that transmit, store, or process a customer’s cardholder information and sensitive authentication data. Examples of system components include applications, computing devices, servers, and network devices.

PIN Transaction Security covers the management of devices that are used in the protection of cardholder PINs. Merchants, processors, and financial institutions should only use components and devices that have been tested and approved by the PCI SSC.

How OmniCyber Security can help your business meet PCI DSS compliance

OmniCyber Security is a Qualified Security Assessor (QSA) certified cybersecurity company. This certification indicates that OmniCyber Security has met the requirements to perform PCI DSS assessments, as set out by the PCI Security Standards Council. OmniCyber Security can help you meet PCI DSS compliance by:

• Conducting risk assessments
• Helping you to understand your obligations
• Putting in place robust precautions to safely preserve the integrity of personal and financial data
• Conducting penetration testing
• Scanning for vulnerabilities
• Fixing identified vulnerabilities
• Conducting endpoint monitoring
• Managing your cyber incident response

Would you like to learn more?

Drop us a line to find out more about how OmniCyber Security can help your company remain secure.