PCI DSS: Securing Card Holder Data

The protection of financial data has become more critical for organizations. As societies embrace cashless transactions and businesses undergo digital transformation, the cyber threat landscape continues to expand, presenting increased risk to both individuals and organizations. The Payment Card Industry Data Security Standard (PCI DSS) was created to safeguard sensitive cardholder data. This and other cybersecurity standards and frameworks help secure critical data.

Melissa Parsons
Technical Writer
PCI DSS - C-Risk

What is PCI DSS v4.0?

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements designed to ensure that companies handling credit card information maintain a secure environment. The Payment Card Industry Security Standards Council, a global forum that developed the PCI DSS standard, was founded in 2006 by major credit card companies including American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. PCI DSS applies to any entity that processes, stores, or transmits cardholder data, regardless of its size or transaction volume.

At its core, PCI DSS outlines technical and operational requirements to protect sensitive financial information. These include network security measures, cardholder data protection protocols, vulnerability management practices, access control measures, continuous network monitoring and testing, and the implementation of robust information security policies. Managed by the PCI Security Standards Council, the standard is not a one-time compliance checkbox but a continuous process of assessment, remediation, and reporting. While PCI DSS is not a law, compliance is typically required by contract between merchants and their payment processors or acquiring banks, and it serves as a critical defense against credit card fraud and data breaches in our increasingly digital world.


PCI DSS Requirements

The PCI DSS standard documentation provides a high-level overview of requirements that organizations should adopt to secure account data. It is divided into 12 high-level requirements.

According to the standard, these 12 requirements are the minimum baseline for any entity that handles card data. Additional controls and risk reduction measures may be required depending on the geographies an entity operates in and on other regulatory and legal obligations.


PCI DSS 12 Requirements

The Payment Card Industry Data Security Standard outlines 12 requirements that organizations must meet to ensure compliance and the security of cardholder data. These requirements form the framework of the standard with the goal of protecting sensitive financial information.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business need to know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs

PCI DSS Scope

Compliance with PCI DSS is mandatory for entities that store, process, or transmit cardholder data and/or sensitive authentication data, or that could impact the security of the cardholder data environment. This includes merchants, processors, acquirers, issuers, and other service providers. Any entity that processes, stores, or transmits cardholder data can fall within scope, regardless of its size or the number of transactions it processes.

The Guidance for PCI DSS Scoping and Network Segmentation document published by the PCI Security Standards Council gives organizations a clearer understanding of scoping and segmentation for PCI DSS compliance. According to the Council, before determining what is in or out of scope, best practice is to start from the assumption that everything is in scope and then justify each exclusion.


Consequences for non-compliance

Non-compliance with the Payment Card Industry Data Security Standard can have severe consequences, especially in the event of a cyberattack. Organizations that fail to meet the standard can face a range of penalties and experience long-term impacts that significantly affect their operations and viability.

Some of the immediate consequences for non-compliance include:

  • Operational disruptions
  • Financial penalties
  • Increased transaction fees
  • Lawsuits 

The long-term consequences for non-compliance include:

  • Reputational damage with financial institutions and customers
  • Long-term financial impact
  • Increased regulatory scrutiny 