PCI DSS 4.0

Payment Card Industry (PCI) Data Security Standard (DSS)
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

How to Comply with PCI DSS

PCI DSS applies to merchants and other entities that store, process, and/or transmit cardholder data. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing …

Security Controls and Processes for PCI DSS Requirements

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN – the primary account number printed on the …

Protecting Cardholder Data with PCI Security Standards

The twentieth-century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. Occasionally lax security by some merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing …

Testing Methods for PCI DSS Requirements

The Testing Methods for PCI DSS Requirements identified in the Testing Procedures for each requirement describe the assessor’s expected activities to determine whether the entity has met the requirement. The intent behind each testing method is described as follows: Examine: The assessor critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration …

Protecting Information About an Entity’s Security Posture

The processes related to becoming and maintaining a PCI DSS compliant environment result in many artifacts that an entity may consider sensitive and may want to protect as such, including such items as the following: The Report on Compliance or Self-Assessment Questionnaire (the associated Attestation of Compliance is …

Approaches for Implementing and Validating PCI DSS

To support flexibility in how security objectives are met, there are two approaches for implementing and validating to PCI DSS. Entities should identify the approach best suited to their security implementation and use that approach to validate the controls. Defined Approach Follows the traditional method for implementing and validating PCI DSS and uses the Requirements …

Description of Timeframes Used in PCI DSS Requirements

Certain PCI DSS requirements have been established with specific timeframes for activities that need to be performed consistently via a regularly scheduled and repeatable process. The intent is that the activity is performed at an interval as close to that timeframe as possible without exceeding it. The entity has the discretion to perform an activity …
