Payment Card Industry Data Security Standard — PCI
Companies that accept, transmit, or store credit card information must be PCI compliant.
PCI Compliance Overview
Payment Card Industry (PCI) security standards are technical and operations requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. These standards govern three main areas: PCI Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Entry Device Security Requirements (PCI PED).
PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards. These businesses include, but are not limited to, merchants, banks, processors, developers, and point of sale vendors. The minimum for compliance with PCI DSS requires that businesses:
- Ensure secure collection and storage of cardholder data
- Are able to prove compliance through reporting that PCI DSS requirements are being followed and that data protection controls are in place
- Have a system for constant monitoring of access to and usage of data
- Log data with verifiable proof of collection and storage
More detailed information can be found at: https://www.pcisecuritystandards.org/merchants/
PA-DSS applies to software vendors and others who develop secure payment applications that do not store prohibited data such as full magnetic stripe data from the back of a payment card, CVV, or PIN data, and ensure their applications are compliant with PCI DSS. Whether or not PA-DSS compliance is required is determined by the payment brands.
More detailed information can be found at: https://www.pcisecuritystandards.org/minisite/en/docs/pci_pa_dss_v2-0.pdf
PCI PED security requirements are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. These requirements mainly center around two things: device characteristics and device management.
According to the PCI Security Standards Council, device characteristics are, “those attributes of the PED that define its physical and its logical (functional) characteristics. The physical security characteristics of the device are those attributes that deter a physical attack on the device — for example, the penetration of the device to determine its key(s) or to plant a PIN-disclosing “bug” within it. Logical security characteristics include those functional capabilities that preclude, for example, allowing the device to output a clear-text PIN-encryption key.”
Device management, on the other hand, “considers how the PED is produced, controlled, transported, stored, and used throughout its lifecycle. If the device is not properly managed, unauthorized modifications might be made to its physical or logical security characteristics.”
More information can be found at: https://www.pcisecuritystandards.org/documents/pci_ped_technical_faqs.pdf