Payment Card Industry Data Security Standard (PCI DSS)

    The Payment Card Industry Data Security Standard (PCI DSS) provides a set of security standards to ensure that companies processing credit card information have established proper security controls.

    Last Updated: July 30, 2019

  • General

    PCI DSS is one of the six PCI Security Standards published by the PCI Council. The PCI Security Standards aim to cover every aspect of the payment card industry including the manufacture of PIN entry devices, payment application software development, as well as the secure environment when payment card services are provided.

    The PCI Security Standards are provided by the Payment Card Industry Security Standards Council (PCI SSC). The PCI Council is an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB International) in 2006. The founding members of the PCI Council are responsible for enforcing compliance with the PCI Security Standards, while the PCI Council manages those Standards.

    The PCI DSS applies globally to any organization that stores, processes or transmits cardholder data, regardless of the organization’s size or number of transactions.

    There are three general aspects for PCI DSS compliance:

    • Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data
    • Remediate — fixing vulnerabilities and not storing cardholder data unless you need it
    • Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with

    The PCI Council provides a Quick Reference Guide to help organizations understand the PCI DSS and apply the Standard in their own payment card transaction environment.

    The Quick Reference Guide sets out six goals for the PCI DSS, together with the requirements to realize those goals.

    • Build and Maintain a Secure Network
      • 1. Install and maintain a firewall configuration to protect cardholder data
      • 2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
      • 3. Protect stored cardholder data
      • 4. Encrypt transmission of cardholder data across open, public networks
    • Maintain a Vulnerability Management Program
      • 5. Protect all systems against malware and regularly update antivirus software or programs
      • 6. Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
      • 7. Restrict access to cardholder data by business need to know
      • 8. Identify and authenticate access to system components
      • 9. Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
      • 10. Track and monitor all access to network resources and cardholder data
      • 11. Regularly test security systems and processes
    • Maintain an Information Security Policy
      • 12. Maintain a policy that addresses information security for all personnel

