Payment Card Industry Data Security Standard (PCI DSS)
Purple 7
Andrew, Billy, Pallavi, Shivangi, Slim, Vanessa
TABLE OF CONTENTS
01 History of PCI DSS
02 The 12 Requirements
03 Applicable Industries
04 Advantages & Disadvantages
05 Similar Framework: PA-DSS
06 Compliance with the Framework
01 History of PCI DSS
About PCI DSS
What? Payment Card Industry Data Security Standard.
Who? Applies to all merchants and service providers that process, transmit, or store cardholder data.
Why? Developed to enhance cardholder data security by having every such entity adopt a common set of data security measures.
History of PCI DSS
Late 1980s: emergence of the e-commerce sector
1988-1999: $750M worth of online fraud losses
1999: Visa introduces the Cardholder Information Security Program (CISP)
2004: the Payment Card Industry Data Security Standard (PCI DSS) is formed, consolidating the card brands' separate programs
02 The 12 Requirements
12 Requirements of PCI DSS, grouped under 6 control objectives

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
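Requirements 3 and 10 above are the two that application developers most often have to implement directly: PAN must be rendered unreadable wherever it is stored (truncation, masking, keyed hashing or strong cryptography), and logs have to be monitored without themselves becoming an unprotected store of cardholder data. The following Python script is an added example, not code from the presentation: it scans constructed sample log lines for PAN-shaped digit runs, confirms each candidate with the Luhn check so that order ids and other 16-digit numbers are not flagged, masks each real PAN to the first six and last four digits (the maximum permitted for display under PCI DSS v3.2.1 requirement 3.3), and replaces the cleartext with an HMAC-SHA256 token so records stay correlatable. The regular expression, the demo key and the log lines are assumptions made for the example.

```python
"""Find, validate and mask primary account numbers (PANs) in log lines.

Added example for PCI DSS requirement 3 (render stored PAN unreadable) and
requirement 10 (monitor access) on constructed sample data.
"""
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed demo key. In production the HMAC key comes from a KMS/HSM and is
# never stored next to the data it protects.
DEMO_TOKEN_KEY = b"demo-only-key-rotate-me"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS v3.2.1 req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(digits: str, key: bytes = DEMO_TOKEN_KEY) -> str:
    """Keyed one-way token for a PAN, usable for lookups without storing the PAN.

    An unkeyed SHA-256 of a PAN is brute-forceable (the space of Luhn-valid
    16-digit numbers is small), so a secret key is required.
    """
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str, key: bytes = DEMO_TOKEN_KEY):
    """Replace every Luhn-valid PAN in `line` with its mask plus a short token.

    Returns (scrubbed_line, pans_found). Digit runs that fail Luhn (order ids,
    timestamps) are left untouched to avoid false positives.
    """
    found = []

    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        found.append(digits)
        return f"{mask_pan(digits)} [tok={tokenize_pan(digits, key)[:16]}]"

    return PAN_RE.sub(repl, line), found


# Constructed sample log lines; 4111... and 5500... are public test card numbers.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  charge ok card=4111 1111 1111 1111 amount=20.00",
    "2024-03-01T10:15:03Z INFO  order_id=1234567890123456 status=shipped",
    "2024-03-01T10:15:04Z ERROR gateway timeout pan=5500-0000-0000-0004 retry=1",
]


def scrub_log(lines, key: bytes = DEMO_TOKEN_KEY):
    """Scrub a batch of lines; returns (scrubbed_lines, total_pans_found)."""
    scrubbed, total = [], 0
    for line in lines:
        clean, found = scrub_log_line(line, key)
        scrubbed.append(clean)
        total += len(found)
    return scrubbed, total


if __name__ == "__main__":
    out, n = scrub_log(SAMPLE_LOG)
    print("\n".join(out))
    print(f"{n} PAN(s) found and masked")
```

Run as a filter in the logging pipeline before lines reach storage. Anything it flags means an application is writing full PANs to logs, which is itself a requirement 3 finding to fix at the source; the scrubber limits the exposure, it does not make the logging compliant.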
03 Applicable Industries
Industries suited for PCI DSS: financial institutions, online creditors, credit card companies.
Four Merchant Levels of PCI DSS
Level 1: merchants processing over 6,000,000 transactions annually
Level 2: 1,000,000 to 6,000,000 transactions annually
Level 3: 20,000 to 1,000,000 transactions annually
Level 4: fewer than 20,000 transactions annually
The thresholds are set by each card brand; the figures above follow Visa's merchant levels, where the Level 3 and Level 4 counts refer to e-commerce transactions.
04 Advantages & Disadvantages
Advantages of being PCI compliant
Disadvantages of being PCI compliant
05 Similar Framework: PA-DSS
PA-DSS (Payment Application Data Security Standard): applies to software vendors and others who produce and sell payment applications (payment portals).
PCI DSS: applies to all companies that store, process, or transmit cardholder data and sensitive authentication data (credit card information).
PA-DSS was retired in October 2022; new payment software is validated under the PCI Software Security Framework instead.
06 Compliance with the Framework
Authority Behind the Framework
Official law: ❌ (PCI DSS is a contractual industry standard, not legislation)
Enforcing government authorities: ❌ (enforcement comes from the card brands and acquiring banks, through fines, higher fees or loss of processing privileges)
Supervised by the PCI Security Standards Council (PCI SSC), founded by the card brands: ✅
Compliance with the Standard Across Levels
Level 4: < 20,000 transactions/year (ex: mom & pop stores) - mild
Level 3: moderate
Level 2: moderately strict
Level 1: > 6 million transactions/year (ex: Target, Walmart, 7-Eleven) - strict
The 12 requirements are the same at every level; what changes is how rigorously compliance must be validated. Level 1 merchants need an annual on-site assessment producing a Report on Compliance plus quarterly ASV network scans, while lower levels generally validate with an annual Self-Assessment Questionnaire and quarterly ASV scans.