The Payment Card Industry Data Security Standard, commonly abbreviated to PCI or PCI-DSS, is a set of rules in payment transactions that relates to the processing of credit card transactions and is supported by all major credit card organizations. The current version of PCI-DSS is: V4.0 from March 2022.
Merchants and service providers who store, transmit, or process credit card transactions must comply with the regulations. If they do not comply, penalties may be imposed, restrictions may be imposed, or they may ultimately be prohibited from accepting credit cards. The regulations consist of a list of twelve requirements for companies’ computer networks:
- Installation and maintenance of a firewall to protect data
- Change passwords and other security settings after factory delivery
- Protection of credit card holders’ stored data
- Encrypted Transmission of sensitive data of credit card holders in public computer networks
- Use and regular updating of anti-virus programs
- Development and maintenance of secure systems and applications
- Restrict data access to what is necessary
- Assigning a unique user ID to each person with computer access
- Restricting physical access to credit card holder data
- Logging and auditing all access to credit card holder data
- Regular audits of all security systems and processes
- Implement and comply with information security policies
- PCI is based on the Visa Account Information Security Program (AIS and its sister program CISP), the Mastercard Site Data Protection Program (SDP), the American Express Security Operating Policy (DSOP), the Discover Information Security and Compliance (DISC), and the JCB Security Rules.
Compliance with the rules is usually checked depending on the company’s transaction volume:
- Merchants or service providers who process more than 6 million credit card transactions per year, have already succumbed to an attack, have been classified as “Level 1” by another card company, or where card data has been compromised, must have their computer network checked quarterly by means of an external security scan by a Mastercard-approved scan vendor (ASV) and must also undergo an on-site inspection once a year (Audit) by an independent VISA approved company (QSA) or a specially appointed security officer.
- Merchants who process between 20,000 and 6 million credit card transactions per year must also have their computer network checked quarterly by means of an external security scan by a Mastercard-approved Approved Scanning Vendor (ASV) and also complete a PCI (Self-Assessment Questionnaire, SAQ) once a year.
- E-commerce As of October 1, merchants who process less than 4 million credit card transactions per year (Level 1 and 2009) must engage a PCI DSS-certified service provider to process all credit card transactions or provide their acquirer with their own PCI DSS certification by completing the PCI Self-Assessment Questionnaire (SAQ) and, if necessary, performing a quarterly security scan using an approved scanning approved by the PCI Security Standards Council vendor (ASV).