What is PCI – Payment Card Industry (PCI) Data Security Standard (DSS)?
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process or transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS). With examples of high profile security breaches increasingly common in the media, complying with the PCI standards has never been more important for companies wishing to take payments over the phone.
PCI compliance firms up your corporate security and gives your customers added peace of mind when divulging their private card details.
Companies often think PCI is all about building a security wall around vulnerable corporate areas such as databases and networks; this is not the case. Real PCI compliance means changing the culture of a company and building in security at every level and with every member of staff. A secure PCI environment is as secure on the inside as it is on the outside.
The current version of the standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 had to be adopted by all organizations with payment card data from 1 January 2011, and from 1 January 2012 all assessments must be against version 2.0 of the standard. PCI DSS version 2.0 has two new or evolving requirements out of 132 changes. The remaining changes and enhancements fall under the categories of clarification or additional guidelines. The table below summarizes the differing points from version 1.2 of 1 October 2008 and specifies the 12 requirements for compliance, organized into six logically-related groups, which are called “control objectives”.
Although there are 12 current DSS controls, there are actually around 2,000 individual requirements in the form of a checklist for a solution to meet.
The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa’s Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard’s Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents. The updated version, version 1.1, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the PCI Security Standards Council.
