CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, Mastercard and Visa.

The PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.

The requirements of the PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, it has a responsibility to ensure that the third party is compliant with the PCI DSS.

The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation applied and enforced – by means of fines or other restrictions – directly by the payment providers themselves.

The currently applicable version of the PCI DSS, since May 2018, is version 3.2.1; subject to licence, it can be freely downloaded.[3] It is published and controlled by the PCI SSC on behalf of its five founding members.

In June 2015, the PCI SSC introduced the concept of ‘designated entities’. These are high-risk entities that can be prescribed a set of supplemental validation requirements to demonstrate ongoing security efforts to protect payments.

The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), PCI Professionals (PCIPs), Qualified Integrators and Resellers (QIRs) and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications.

The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These requirements are described later in this pocket guide.

Key definitions[4] and acronyms in the PCI DSS

Acquirer – a bank that acquires merchants – i.e. the bank with which you have your e-commerce bank account.

Payment brand – Visa, Mastercard, American Express, Discover, JCB.

Merchant – sells products to cardholders.

Service provider – a business entity that is directly or indirectly involved in the processing, storage, transmission and switching of cardholder data. This includes companies that provide services to merchants, service providers, or members that control or could impact the security of cardholder data.

Service providers include:

Third-party processors (TPPs), which process payment card transactions (including payment gateways); and

Data storage entities (DSEs), which store or transmit payment card data.

Primary account number (PAN) – the up-to-19-digit payment card number.

Qualified Security Assessor (QSA) – someone who is trained and certified to carry out PCI DSS compliance assessments.

Internal Security Assessor (ISA) – someone who is trained and certified to conduct internal security assessments.

Approved Scanning Vendor (ASV) – an organisation that is approved as competent to carry out the security scans required by the PCI DSS.

PCI Forensic Investigator (PFI) – an individual trained and certified to investigate and contain information security breaches involving cardholder data.

[3] www.pcisecuritystandards.org/document_library.

[4] There is a formal English glossary available at www.pcisecuritystandards.org/document_library.
