If you do not see your question answered under one of the subcategories, please use the form below to submit your question.
The PCI Security Standards Council’s Role and Authority
What is the PCI Security Standards Council?
The Payment Card Industry Security Standards Council was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with to improve payment account security standards and practices. The PCI Security Standards Council maintains the PCI Data Security Standard (PCI DSS) which must be adopted and implemented by all businesses that store, process and/or transmit credit/debit card data.
How does the PCI Security Standards Council make payment card data more secure?
Security of payment card data is the responsibility of every business that participates in payment processing.
Single industry-level security standards supported by the members of the PCI Security Standards Council eliminate confusing, competing, and overlapping brand-specific requirements to simplify compliance for businesses that store payment card data.
If I am deemed compliant with the PCI DSS today by one of the payment card brands, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
Since the individual payment brands are responsible for their own PCI DSS compliance programs, organizations should follow each brand’s specific compliance processes and procedures. Satisfying the requirements of one member of the PCI SSC should not be construed as compliance that will satisfy all other member payment card brands.
How frequently will the PCI Security Standards Council update the PCI DSS and PA-DSS?
To minimize changes to the standards, the PCI Security Standards Council (PCI SSC) has established a lifecycle approach for PCI DSS and PA-DSS, where version changes to the standards will occur every 3 years. The 3-year standards lifecycle also allows for changes “out-of-cycle” as needed to address critical issues. To ensure that organizations have time to achieve compliance with new versions of the standards, certain new requirements may be phased in with future effective dates.
Are there any plans for PCI SSC to be a single point of contact for a merchant, financial institute or processor to send a PCI DSS compliance report to in the future?”
Because PCI SSC does not have a contractual relationship with merchants, financial institutes, processors, etc., PCI SSC cannot be the central repository for this information. The Council’s focus is to define effective payment-related security standards, as well as to educate and provide resources to the marketplace to drive awareness and adoption of these standards. The payment brands define and manage the compliance programs for these security standards, and entities will continue to send their compliance validation documentation to the payment brands, financial institutions (such as acquirers or merchant banks), or other agents as applicable for each payment card brand compliance program.
Do QSAs and ASVs need to send reports of compliance (ROCs) or scanning results to the PCI Security Standards Council directly?
No. QSAs and ASVs do not send reports of compliance or scanning results to the PCI Security Standards Council. They should continue to follow the payment brand specific procedures.
In case of a suspected breach, should the PCI Security Standards Council be contacted directly?
No. In the event of a suspected account security breach, the business entity should follow existing, brand-specific processes and procedures for notifying the affected payment brand(s) and law enforcement officials.
Will the PCI Security Standards Council provide information on breaches, the status of investigations, or PCI DSS compliance status?
The PCI Security Standards Council does not provide information on the status of breach investigations or PCI DSS compliance efforts. The PCI Security Standards Council receives guidance from the payment brands, the PFI community, and advisory groups regarding emerging threats and forensics trends. However, the PCI Security Standards Council does not a participate in forensics investigations or compliance reporting and does not receive information on specific forensic investigation cases or a specific organizations’ PCI DSS compliance status.
Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?
The PCI Security Standards Council will not conduct forensics investigations either directly or through a third party in the event of an account compromise.
Will the PCI Security Standards Council approve my organization’s implementation of compensating controls in my effort to comply with the PCI DSS?
The PCI Security Standards Council (PCI SSC) is not able to approve specific configurations or compensating controls since they are not onsite doing the assessment and are therefore not able to understand and review the total security environment.
Each individual approved as a Qualified Security Assessor (QSA) is trained by the PCI SSC regarding the underlying intent of PCI DSS requirements and the evaluation of compensating controls. QSAs are responsible for determining whether a compensating control is sufficient to meet the intent of a requirement during their review of all other controls in place to satisfy PCI DSS requirements. We recommend that you contact a QSA to review your environment and assist in evaluating any compensating controls you may have in place for meeting the intent of PCI DSS requirements.
The Purpose of the PCI Data Security Standard
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. This standard (also referred to simply as “PCI”) outlines a set of security practices that help ensure the safe handling of payment card data. Created by the five major card companies (American Express, Discover JCB, MasterCard and Visa) that make up the Payment Card Industry Security Council, this standard includes 12 distinct requirements that are designed to:
- Build and maintain a secure network
- Protect (cardholder) data in transit or at rest
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test your IT infrastructure
- Maintain an information security policy.
Who must comply with the PCI DSS?
Any entity (merchant or service provider) that stores, processes, and/or transmits cardholder data must be PCI DSS compliant – regardless the size of the entity and volume of transactions made. However, PCI DSS requirements do not only apply to electronic data. Businesses are expected to dispose of printed material which contains payment card details and credit cardholder data in an appropriate way. In large environments where waste management is outsourced to subcontractors such as paper-shred companies, the entities that request such services must make sure that their “service providers” are PCI DSS compliant as well.
Definitions Important to Understanding PCI DSS
What are payment cards?
The PCI DSS defines “payment cards” as all credit/debit/cash cards that are issued with any American Express, Discover, JCB, MasterCard or Visa branding.
What is payment card data?” style=”fancy” icon=”chevron”]Payment card data is information pertaining to credit/debit cards and their owner. This data is classified in 2 categories “Cardholder Data” and “Sensitive Authentication Data.” PCI DSS imposes some storage restrictions on data elements making part of these categories.
What is cardholder data?
Cardholder data refers to all information from a credit card or debit card that is used in a transaction. Cardholder data can include the Primary Account Number (PAN), Cardholder Name and Expiration Date displayed on the front of the card, etc. Cardholder data is digitally stored on the magnetic stripe at the back of the card.
What is sensitive authentication data?
Sensitive Authentication Data is security related information used to authenticate the cardholder’s identity and authorize card transactions. Sensitive Authentication Data elements include Magnetic Stripe data and the Card Validation Code – the three or four digit number security code found either on the front or on the back of a card (a.k.a. CVV, CVV2).
What is the definition of merchant?
PCI DSS defines a “merchant” as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover,
JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
What is a self-assessment questionnaire?” style=”fancy” icon=”chevron”]A self-assessment questionnaire (SAQ) is a reporting requirement of PCI DSS compliance for merchants and service providers. It can be completed in-
house without contracting with a 3rd party. Businesses must complete this security-related questionnaire that examines the current and past state of network security.
What is the definition of “remote access
PCI DSS requirement 8.3 is intended to apply to users that have remote access to the network, where that remote access could lead to access to the
cardholder data environment. In this context, remote access refers to network-level access originating from outside the company’s own network, either from the Internet or from an “untrusted” network or system such as an employee accessing the corporate network using his/her mobile computer. Internal company LAN-to-LAN access (e.g. between two offices via VPN) is not considered remote access for the purposes of this environment.
If the corporate network has appropriate segmentation such that remote users cannot access the cardholder data environment, two-factor authentication during remote access to the corporate network is not required by PCI DSS. However, two-factor authentication is required for any remote access to the cardholder data environment, and is recommended for remote access to the corporate network.
What is a payment gateway?
Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the Card Brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, Web-based connections or privately held leased lines.
How is IP-based POS environment defined?
The point of sale (POS) environment refers to a transaction that takes place at a merchant location (i.e. retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP)-based POS is when transactions are stored, processed, or transmitted on IP-based systems or systems communicating via TCP/IP.
Benefits of Compliance/Consequences of Non-Compliance with PCI DSS
[_spoiler title=”What happens if I am not compliant?” style=”fancy” icon=”chevron”]Non-compliant businesses may face fines up to $500,000 plus expensive litigation costs. From an operational point of view, level 2, 3 or 4 merchants and
service providers that experience a network security breach can have their level escalated to level 1. Scrutiny, requirements, and compliance costs are higher at level 1. Non-compliance also impacts brand reputation and exposes
corporations to negative publicity that undermines consumer confidence.[_/spoiler] [_spoiler title=”What are the benefits of implementing PCI DSS?” style=”fancy” icon=”chevron”]PCI DSS is a binding collection of rules designed to promote sound IT security processes. The goal of PCI DSS is to reduce financial fraud
through heightened network security capabilities. There are many benefits of PCI DSS compliance. The most fundamental benefits include:
- Protection of customers’ personal data
- Increased customer confidence through a higher level of data security
- Increased protection against financial losses and remediation costs that arise from security breaches
- Maintain customer trust, and safeguard reputation
- Benchmark and assess the security mechanisms of systems that store, process and/or transmit payment cardholder data
security breaches are defined by each of the payment card brands. For more specific information, please contact the individual payment card brands.[_/spoiler] [_spoiler title=”If my business was deemed compliant but my system was still breached and payment account data compromised, what liability would my business incur?” style=”fancy” icon=”chevron”]The PCI Security Standards Council is not
responsible for levying any financial or operational consequences on businesses that have either been breached or are suspected of an account data compromise. These businesses should contact the individual payment brands regarding next
steps such as contacting law enforcement, obtaining forensic or other relevant information, and potential consequences should a breach be found to have occurred.[_/spoiler] [_spoiler title=”What are the consequences to my business if I do not comply with the PCI DSS?” style=”fancy” icon=”chevron”]The PCI Security Standards Council encourages all businesses that store payment account data to comply with the
PCI DSS to help minimize risk to their brand and potential financial consequences associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any fines or
penalties for non-compliance. Individual payment brands, however, may have their own compliance initiatives including financial or operational consequences to certain businesses that are not compliant.[_/spoiler] [_spoiler title=”What if a merchant refuses to cooperate?” style=”fancy” icon=”chevron”]PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers
discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. [_/spoiler][/spoiler]
Share your question below and Loricca’s IT Security and Compliance experts will be happy to answer it. You can also email firstname.lastname@example.org your question. We will do our best to have the answer for you within one business day.