The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding members of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, who are all very well-known brands in payment cards industry. The purpose was to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that specifies requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
It is mandatory for any entity that stores, process and/ or transmits cardholders’ data, to comply with PCI DSS. Entities may be Merchants, Acquirers, Service Providers, and Trusted Third Parties. The standard applies to all payment channels including physical card presence, mail or telephone order, and e-commerce.
PCI DSS Requirements — Overview
PCI — DSS specifies the goals which must be achieved to comply with the standard. Mentioned below are the six goals.
- Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses information security
intiGrow’s approach towards the implementation of PCI — DSS is based on its experience with implementation of different information security standards, frameworks and best practices.
The approach is broken down into four broad phases:
Phase I — Determination of Scope in terms of the organizational boundaries, network segment, physical boundaries.
Phase II — Performing a gap analysis to determine the existing controls against the requirements. Based on the gaps identified, recommendations will be made for improvements, changes that are essential to comply with the requirements.
Phase III — Implementation of the controls based on the gaps identified above. This is achieved through the definition of policies and documentation of procedures on one hand and the actual implementation of technical controls on the other.
Phase IV — Internal Audit is the process of reviewing the implementation of the framework and all its components as specified in the standard.
Phase V — Certification. Face the certification audit and achieve the certification based on a successful audit result.