What is it?
A prescriptive information security standard designed to protect the confidentiality of credit and debit card data.
Why is it important?
All organizations that store, process, or transmit payment card data typically have a contractual requirement to comply with PCI DSS. Some countries and US states also mandate PCI DSS compliance by law (PCI-DSS standard).
Why does a business professional need to know this?
Organizations that store, process, or transmit credit or debit card data must balance PCI DSS requirements with their own cybersecurity assessment -- in some cases, they may choose to outsource or segment their processing and apply PCI DSS to only a subset of their systems. Such organizations have two aims: to be secure and to comply with PCI DSS. An unhealthy balance between these two can lead to a compliance-first culture, jeopardizing the organization's cybersecurity.
PCI DSS is a prescriptive security standard consisting of twelve major security requirements (e.g. install and maintain a firewall configuration to protect cardholder data) broken down into around 280 sub-requirements. The requirements apply to all systems, processes, and people that store, process, or transmit cardholder data (known as the cardholder data environment or CDE) and all systems connected to the CDE.
Merchants that accept payment cards must formally validate their PCI DSS compliance to their acquiring merchant bank annually by undergoing an external audit or by completing a self-assessment. Service providers to merchants and financial institutions must also validate their compliance annually (Visa PCI-DSS) (Mastercard PCI-DSS).
Organizations subject to PCI DSS typically segment their networks and systems into those parts that have to comply with PCI DSS and those that do not. Some organizations outsource operations that require PCI DSS compliance to vendors such as PayPal. The reason for this is that PCI DSS has much more stringent cybersecurity requirements than are necessary for systems that do not handle such sensitive data. Reducing the number of systems that must comply with PCI DSS also lets organizations focus their compliance efforts on a smaller number of systems.
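The scoping effect of segmentation is easiest to see with a small model. The following is an added example, not text or tooling from the page or from the PCI Security Standards Council: it treats a system as in scope if it handles cardholder data (it is in the CDE) or if it can reach a CDE system over a permitted network connection, which is a simplification of the standard's "connected to the CDE" language and is an assumption of this example. The hostnames and connections are constructed. Recomputing scope after a firewall boundary removes the link between the payment gateway and the corporate core switch shows how many systems drop out of the set that must meet every PCI DSS requirement.

```python
"""Toy PCI DSS scope calculator.

Added example (not from the page or the PCI SSC). Assumption: any system
reachable from a CDE system over a permitted connection is in scope, so a
flat network puts everything in scope and segmentation shrinks the set.
"""
from __future__ import annotations

from collections import deque


def in_scope(cde: set[str], links: set[frozenset[str]]) -> set[str]:
    """Return every system reachable from the CDE (CDE systems included).

    cde   - systems that store, process or transmit cardholder data
    links - undirected network connections, each a frozenset({a, b})
    """
    adjacency: dict[str, set[str]] = {}
    for link in links:
        a, b = tuple(link)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    # Breadth-first search outward from the CDE over permitted links.
    seen = set(cde)
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def segmented_links(links: set[frozenset[str]],
                    blocked: set[frozenset[str]]) -> set[frozenset[str]]:
    """Model a segmentation control: drop every connection the firewall denies."""
    return {link for link in links if link not in blocked}


# Constructed inventory with hypothetical hostnames.
CDE = {"pos-terminal", "payment-gw"}
LINKS = {
    frozenset({"pos-terminal", "payment-gw"}),
    frozenset({"payment-gw", "siem-collector"}),   # log forwarding stays
    frozenset({"payment-gw", "core-switch"}),      # flat link to corporate LAN
    frozenset({"core-switch", "hr-fileserver"}),
    frozenset({"core-switch", "marketing-wiki"}),
}
# The segmentation boundary: deny traffic between the gateway and corporate LAN.
BLOCKED = {frozenset({"payment-gw", "core-switch"})}


def scope_report() -> tuple[list[str], list[str]]:
    """Scope before and after segmentation, as sorted lists for display."""
    before = in_scope(CDE, LINKS)
    after = in_scope(CDE, segmented_links(LINKS, BLOCKED))
    return sorted(before), sorted(after)


if __name__ == "__main__":
    before, after = scope_report()
    print(f"flat network, in scope ({len(before)}): {', '.join(before)}")
    print(f"segmented,    in scope ({len(after)}): {', '.join(after)}")
```

Systems that remain in scope after segmentation (here the SIEM collector, because the gateway still sends it logs) are the ones that must be assessed alongside the CDE; that is why the connected-to systems, and not only the systems that touch card data, matter when deciding where a segmentation boundary should go.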
Organizations that suffer a breach in confidentiality of payment card data will receive safe harbor from card scheme financial penalties if the organization was PCI DSS compliant at the time of the breach.
References
- (PCI-DSS standard) Payment Card Industry Security Standards Council: PCI Security Standards Council main website.
- (Visa PCI-DSS) Visa guidance on PCI DSS: Visa. Website with information on PCI DSS for merchants who want to work with Visa.
- (Mastercard PCI-DSS) Mastercard guidance on PCI DSS: Mastercard. Website with information on PCI DSS for merchants who want to work with Mastercard.