Electronic payments have come into general use and are gradually displacing cash. It is already hard to picture a modern person without several payment cards in their wallet.
Payment cards are convenient to use but, unfortunately, not always safe. The more people rely on this means of payment, the more acute the problem of protecting their money becomes. Nobody wants to lose their funds.
That is why card brands such as Visa and Mastercard require merchants and service providers that accept payments through their networks to comply with the PCI DSS standard, so that there is assurance that their customers' card data, and therefore their money, is protected. This applies not only to large corporations; small companies must comply with the standard as well.
So what is this PCI DSS standard all about?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle payment cards issued under the major card brands. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the international payment systems Visa, Mastercard, American Express, JCB and Discover.
PCI DSS is a set of security requirements for cardholder data that is stored, processed or transmitted within an organization's information infrastructure (the cardholder data environment). It is organized into 12 top-level requirements, each broken down into detailed sub-requirements and testing procedures.
Let’s enumerate all of them.
- Install and maintain network security controls (firewalls) that protect cardholder data;
- Do not use vendor-supplied defaults for system passwords and other security parameters, and configure all system components securely;
- Protect stored cardholder data (render the PAN unreadable wherever it is stored, mask it when displayed, do not retain sensitive authentication data after authorization);
- Encrypt cardholder data transmitted across open, public networks;
- Protect all systems against malware and keep anti-virus software up to date;
- Develop and maintain secure systems and applications (patching, secure development practices);
- Restrict access to cardholder data to those with a business need to know;
- Identify and authenticate every access to system components (unique IDs, strong authentication);
- Restrict physical access to cardholder data and the systems that hold it;
- Track and monitor all access to network resources and cardholder data (logging and log review);
- Regularly test security systems and processes (vulnerability scanning, penetration testing);
- Maintain a policy that addresses information security for all personnel.
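The third and tenth requirements above have a very concrete technical core: a full PAN must never sit readable in storage or in logs, and when it is displayed at most the first six and last four digits may be shown. The following is an added example, not code from the original article or from the PCI SSC, showing one way to implement that: a Luhn check to recognise PAN-like digit runs, a masking function that refuses to reveal more than the standard allows, a keyed hash (HMAC-SHA-256) for storing a lookup reference instead of the PAN, and a log scrubber that redacts real PANs while leaving other long numbers alone. The sample log line and the hashing key are constructed for the example; in a real system the key would come from a key-management service, not from source code.

```python
import hmac
import hashlib
import re

# PCI DSS Requirement 3: when a PAN is displayed, no more than the first six
# and last four digits may be shown (the standard's own limits).
MAX_LEADING = 6
MAX_TRAILING = 4

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log line for the example: one real (test) PAN and one
# unrelated 13-digit reference that must survive scrubbing untouched.
SAMPLE_LOG = ("2024-03-01T10:00:00Z INFO charge approved "
              "card=4111 1111 1111 1111 amount=49.90 order=12345 ref=1234567890123")

# Hypothetical key for the example only; a real deployment fetches it from a KMS/HSM.
EXAMPLE_HASH_KEY = b"example-key-material-do-not-use-in-production"


def luhn_valid(digits: str) -> bool:
    """True if `digits` is 13-19 digits long and passes the Luhn mod-10 check used by card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Mask a PAN for display; refuses to expose more than the standard permits."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    if leading > MAX_LEADING or trailing > MAX_TRAILING:
        raise ValueError("mask would expose more than first six / last four")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + "*" * hidden + digits[-trailing:] if trailing else digits[:leading] + "*" * hidden


def pan_reference(pan: str, key: bytes = EXAMPLE_HASH_KEY) -> str:
    """Keyed one-way hash of the whole PAN, usable as a lookup reference in place of the PAN itself."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Redact every Luhn-valid PAN in a log line to last-four only; leave other digit runs as they are."""
    def redact(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits, leading=0, trailing=4)
        return match.group(0)   # e.g. an order or reference number, not a PAN
    return PAN_CANDIDATE.sub(redact, line)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))      # 411111******1111
    print(pan_reference("4111111111111111"))
    print(scrub_log_line(SAMPLE_LOG))
```

The scrubber deliberately requires a Luhn match before redacting, so timestamps, order numbers and other long digit strings in the log stay readable, while anything that is a real card number is reduced to its last four digits before the line ever reaches disk. The keyed hash is what lets an application deduplicate or look up a card without holding the PAN; the security of that reference depends entirely on keeping the key out of the data store that holds the hashes.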
There is a misconception that PCI DSS certification is a formality, a certificate that can simply be bought like a piece of paper. That is not true. To comply with the standard an enterprise has to take an integrated approach to protecting card data: technical controls, processes and people, all of them assessed against the requirements.
The primary objectives of PCI DSS are to secure the network infrastructure and to protect the cardholder data itself, since these are the weak points whose compromise leads directly to loss of confidentiality and to financial loss.
Beyond the controls themselves, the standard specifies how the systems that handle cardholder data must be built, maintained and monitored, and how compliance with each requirement is to be tested.
The 12 requirements of PCI DSS are grouped into six control objectives:
– Build and maintain a secure network and systems.
– Protect cardholder data.
– Maintain a vulnerability management program.
– Implement strong access-control measures.
– Regularly monitor and test networks.
– Maintain an information security policy.
What enterprises do the requirements of this standard apply to?
The PCI DSS requirements apply to merchants, banks, service providers of all kinds, retail stores, call centers, payment gateways and any other enterprise or organization that processes, transmits or stores cardholder data.
It is worth noting that compliance with PCI DSS is mandatory for all Ukrainian banks.
How to determine if your company needs to comply with the PCI DSS standard requirements?
If your organization stores, processes or transmits payment card data, or its business processes can affect the security of that data, you can safely say that you need to comply with PCI DSS.
Many company administrators, directors and top managers are under the mistaken impression that PCI DSS is only needed by banks or huge retail chains.
It is very important to understand the following: if your organization stores, processes or transmits the data of even a single card transaction or cardholder during the year, then your company must comply with the PCI DSS requirements. What depends on transaction volume is not whether the standard applies but how compliance is validated: smaller merchants typically complete a self-assessment questionnaire, while larger ones undergo an on-site assessment by a Qualified Security Assessor.
It is also very important to remember that the international payment systems provide for penalties against organizations that are required to validate compliance with PCI DSS annually but for some reason fail to do so.
What will the company receive as a result of the audit for compliance with the PCI DSS standard?
The benefits are as follows:
– Compliance with the requirements of the international payment systems.
– Reduced risk of a card data breach and of the fines, remediation costs and liability that follow one.
– A stronger reputation: customers and partners can see that the company protects their data and holds a stable position in the market.
From all of the above, we can make a conclusion that the company’s compliance with the PCI DSS standard is extremely important in the modern business world.