The PCI Security Standards Council is an open global forum for the ongoing development, improvement, storage, dissemination, and enforcement of security standards for account data protection. This council is made up of the most important card companies (both credit and debit) and has drawn up the Data Security Standard for the Payment Card Industry (Payment Card Industry Data Security Standard), or PCI DSS.
The PCI DSS standard is fundamentally a guide that helps companies that process, store and/or transmit cardholder data to secure that data, in order to prevent fraud involving debit and credit payment cards.
Companies that process, store or transmit card data must comply with the standard, or they run a serious risk of losing their permission to process cards and of facing rigorous audits or fines. Those responsible for this type of service, for all types of cards, are obliged to validate their compliance periodically through authorized auditors. Only companies that carry out fewer than 80,000 annual transactions are permitted to perform a self-assessment, through the questionnaire provided by the PCI consortium (PCI SSC).
Three fundamental aspects
PCI regulations establish a basic level of protection for consumers and help reduce fraud and data breaches across the entire payment ecosystem. They apply to any organization that accepts or processes payment cards.
PCI compliance involves three important aspects:
- Handle the receipt of consumers' credit card data, that is, collect and transmit sensitive card data securely.
- Store data securely, as described in the 12 security domains of the PCI standard, for example through encryption, continuous monitoring, and verification of the security of access to card data.
- Validate annually that the necessary security controls are in place, which may involve forms, questionnaires, external vulnerability scanning services, and third-party audits.
Management of card data
Some business models require the direct handling of sensitive credit card data when accepting payments, while others do not. Businesses that do need to handle such data (for example, because they accept primary account numbers without a token on a checkout page) may be required to comply with each of the 300+ security controls stipulated in PCI regulations. Even if the card data only passes through their servers briefly, the company must buy, install and maintain security software and hardware, according to Stripe.
If a business does not need to handle sensitive credit card data, it should not. Third-party solutions exist that accept and store the data securely, avoiding all of the hassle, cost and risk. Because card data never touches their own servers, these companies only need to confirm 22 security checks, most of which are very simple, such as using a strong password.
Secure data storage
If an organization handles or stores credit card data, it must define the scope of its cardholder data environment (CDE). The PCI regulation defines the CDE as the people, processes and technologies used to store, process or transmit credit card data, plus any system connected to them.
Since all of the more than 300 security requirements of the PCI regulation apply to the CDE, it is important to properly segment the payment environment from the rest of the company, to limit the scope of validation under the regulation. If an organization cannot contain the scope of the CDE with fine-grained segmentation, PCI-compliant security controls must be applied to every system, laptop or device on its corporate network.
Regardless of how card data is accepted, organizations must complete a PCI compliance validation form every year. How PCI compliance is validated depends on several factors, which are described below. Here are three cases in which an organization could be asked to demonstrate that it is PCI compliant:
- Payment processors may request this as part of their mandatory payment card brand notification process.
- Business partners can request it as a prerequisite to signing a business agreement.
- For companies using a platform (those whose technology facilitates online transactions for various subsets of users), customers can request it to demonstrate to their clientele that they handle data securely.