PCI DSS - morgan-hanrahan/Tech-Journal GitHub Wiki

History and Background

  • Visa introduced its own Cardholder Information Security Program (CISP)
  • Mastercard, American Express, and Discover followed suit with their own compliance programs, which caused confusion among retailers.
  • American Express, Discover Financial Services, JCB International, Mastercard and Visa created the Payment Card Industry Data Security Standard (PCI DSS) on December 15th, 2004
  • The intention was to give merchants an additional level of security for cardholder information
  • PCI DSS is not required by national law, but some states have made compliance mandatory

General Description

The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.

Who must comply

  • PCI DSS is a business-wide standard that applies to all forms of business that handle card sales. It has been built into point-of-sale (POS) systems and become part of their standard, and POS is one of the most commonly used forms of sales
  • Those who must comply with PCI DSS: businesses, sales operations of any kind, POS sites, and any machine that processes card payments from companies such as American Express, Visa, Mastercard, etc.

Specific controls/requirements

  • The controls and obligations required to be PCI compliant:
  1. Must protect all the information related to card data
  2. You are responsible for repaying banks for fraudulent charges related to breaches
  3. Must protect against all forms of attacks on these systems
  4. You must pay for forensic investigations if a breach occurs
  5. There are further merchant levels, with their own requirements, based on the volume of transactions

Enforcements

  • PCI DSS is not a law
  • It is mostly written in a contract between the vendor and card company
  • Some states may require portions of PCI DSS
  • Penalties
    • $5,000 to $100,000 per month of non-compliance
    • Forensic investigations

Difficulty for Organizations to comply

  • PCI DSS is moderately hard to implement; demanding requirements include:
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes

Benefits

  • Good standard for security that is actually useful to follow
  • It lowers the risk of breaches and attacks
  • Good guideline for smaller companies or companies just starting out
  • Boosts confidence in payment card companies that use it

Drawbacks

  • Complicated to implement and a lot of work
  • Documentation is very technical and requires professionals to implement
  • To be compliant you must meet all requirements, which makes the certification very hard to obtain
  • Compliance is required if a business deals with payment card information; if you do not get certified, you will be fined until you are compliant