- The PCI DSS, or Payment Card Industry Data Security Standard, is a prescriptive baseline of security controls designed to protect account data.
- The PCI DSS is designed to apply to all entities that take part in the processing of payment cards.
While both statements appear to be straightforward, it’s important to delve a bit deeper.
The PCI Data Security Standard was designed as a prescriptive standard.
In other words, the PCI DSS is a set of rules. Each of the twelve requirements, and each of its testing procedures, is obligatory. The prescriptive nature of the PCI DSS is enforced or supported by multiple institutions in the card processing ecosystem:
- The payment card brands (Visa, MasterCard, American Express, Discover, JCB, and others)
- The PCI Security Standards Council
- Acquiring banks
- Service providers, payment processors, suppliers, etc.
- Other entities that store, process or transmit account data
The PCI Data Security Standard is a baseline of security controls.
It is a consistent, standardized list of security requirements intended as a starting point for organizations to implement. Followers of ISO governance may be familiar with the term baseline. ISO 27001, for Information Security Management, treats an organization's baseline as the minimum set of security controls required for the business to operate. When we ask "What is the PCI DSS?" we should keep in mind that it is a required list of the bare-minimum controls for organizations to follow when they store, process, or transmit cardholder data.
The PCI DSS is organized into six control objectives comprising twelve requirements:
- Build and Maintain a Secure Network and Systems
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Protect all systems against malware and regularly update anti-virus software or programs
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need to know
  - Identify and authenticate access to system components
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security for all personnel
The PCI DSS is designed to protect data, specifically, account data.
While there are many elements of account data, they fall into two types: Cardholder Data and Sensitive Authentication Data.
Cardholder Data are the elements of account data that organizations may store: the primary account number (PAN), together with the cardholder name, expiration date, and service code. Sensitive Authentication Data are the elements used to authenticate a transaction: full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks. Sensitive Authentication Data must not be stored after authorization, even if encrypted; the only exception is for issuers and companies that support issuing services, which may store it with a documented business justification and secure storage. In many situations organizations process Sensitive Authentication Data without storing it. For example, ecommerce merchants generally receive card security codes and transmit them to their processor during authorization, but they are prohibited from storing those codes by the PCI DSS and by the individual card brands' security programs. Note also that "may be stored" does not mean "may be stored in the clear": wherever the PAN is stored it must be rendered unreadable, for example by truncation, tokenization, strong cryptography, or one-way hashing.
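The distinction between Cardholder Data and Sensitive Authentication Data has a concrete consequence at every persistence boundary: the record that reaches a database or a log file must have lost the SAD elements and must not carry a full PAN. The Python below is an added example, not code from the article or from SecureTrust. It strips SAD fields from an authorization record, truncates the PAN to the first six and last four digits before storage, adds a guard that refuses to persist a record still carrying SAD, and scans constructed log lines for full PANs that leaked into logging (a Luhn check filters out order numbers and timestamps). The record layout, field names, log lines, and test card numbers are all constructed for this example; real payment messages look different.

```python
import re
from typing import Dict, List, Tuple

# Field names are an assumption for this example, not a PCI DSS or card-brand
# message format. These are the Sensitive Authentication Data (SAD) elements
# that must never be persisted after authorization.
SAD_FIELDS = ("cvv", "track1", "track2", "pin_block")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to separate real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(auth_request: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of an authorization request that may be written to
    storage: SAD fields dropped, PAN truncated so no full PAN is persisted."""
    record = {k: v for k, v in auth_request.items() if k not in SAD_FIELDS}
    if "pan" in record:
        record["pan"] = truncate_pan(record["pan"])
    return record


def assert_no_sad(record: Dict[str, str]) -> None:
    """Guard to call at a persistence boundary (database write, log call)."""
    leaked = [k for k in SAD_FIELDS if k in record]
    if leaked:
        raise ValueError(f"refusing to persist sensitive authentication data: {leaked}")


# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# adjacent to further digits. A heuristic: the Luhn check does the filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(log_text: str) -> List[Tuple[int, str]]:
    """Scan log lines for full PANs; return (line number, truncated PAN) pairs.
    Digit runs that fail the Luhn check (order numbers, timestamps) are ignored."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, truncate_pan(digits)))
    return hits


# Constructed sample input: published test card numbers, not real account data.
SAMPLE_AUTH_REQUEST = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "name": "A CARDHOLDER",
    "cvv": "123",
    "track2": "4111111111111111=27121010000000000000",
    "amount": "42.00",
}

# Constructed log lines: line 1 is properly masked, line 2 leaks a full PAN
# and a CVV via a debug dump, line 3 carries a 13-digit order number.
SAMPLE_LOG = """\
2024-03-02T10:14:55Z INFO  auth ok pan=411111******1111 amount=42.00
2024-03-02T10:15:01Z DEBUG request body card=4111 1111 1111 1111 cvv=123
2024-03-02T10:15:07Z INFO  order 1234567890123 shipped
"""

if __name__ == "__main__":
    safe = storable_record(SAMPLE_AUTH_REQUEST)
    assert_no_sad(safe)
    print("storable:", safe)
    print("leaked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

The debug line in the sample log is the realistic failure mode: a request body dumped verbatim stores both the PAN and the CVV in a log file, which turns a merchant that only transmits SAD into one that stores it. Running the scanner over log output as a detection control, and calling the guard before any write, are two cheap ways to keep the "transmit but never store" rule true in practice.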
Putting It All Together
The PCI DSS is a starting point of prescriptive requirements that all entities involved in payment processing must address. While implementing the controls reduces risk to organizations and to the payment card data they handle, the PCI DSS is not a risk management framework. The requirements and testing procedures are obligatory for compliance with the Data Security Standard.
The PCI DSS also applies to all organizations that store, process, or transmit cardholder data or sensitive authentication data, even those without a typical relationship with the card brands, acquiring banks, or traditional service providers. For example, an organization that performs fraud detection for a merchant or service provider, and receives cardholder data for that purpose, may have no acquiring bank and no conventional reporting structure for compliance. The PCI DSS nonetheless states plainly that it applies to every entity that stores, processes, or transmits cardholder or sensitive authentication data.
The PCI DSS is a large but not exhaustive list of required security controls. Organizations must review every requirement, identify any that are not applicable to their environment (based on payment channels and other factors), and implement compliant controls for the rest. The standard is prescriptive, but not every control applies in every situation; once a control does apply to an organization, however, it must be implemented in a compliant manner.
The PCI DSS is the baseline that all entities who store, process, or transmit cardholder data or sensitive authentication data must comply with. While these are the minimum controls, organizations are encouraged to implement additional controls and best practices to further reduce risk to their account data.
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT at large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.