CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.

PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.

The PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, the organisation has a responsibility to ensure that this third party is compliant with the PCI DSS.

The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation, applied and enforced – by means of fines, increased transaction fees or, ultimately, the withdrawal of card-acceptance rights – by the payment brands, usually through the merchant's acquiring bank.

The current version of PCI DSS is version 3.0, published on 7 November 2013 and effective from 1 January 2014; subject to licence, it can be freely downloaded1. It is published and controlled by the independent PCI Security Standards Council (SSC) on behalf of its five founding members. The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), PCI Professionals (PCIPs), Qualified Integrators and Resellers (QIRs), and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications.

The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These 12 requirements are described later in this pocket guide.

Key definitions2 and acronyms in the PCI DSS:

Acquirer – The acquiring bank: the bank that signs up merchants, holds the merchant account and settles their card transactions – i.e. the bank with which you hold your e-commerce merchant account.

Payment brand – Visa, MasterCard, Amex, Discover, JCB.

Merchant – Any entity that accepts payment cards from cardholders in exchange for goods or services.

Service provider – A business entity, directly or indirectly involved in the processing, storage, transmission and switching of cardholder data. This includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data.

PAN – Primary Account Number (the payment card number printed or embossed on the card; typically 16 digits, but between 13 and 19 digits depending on the payment brand).

Service providers include:

TPPs – Third Party Processors – who process payment card transactions (including payment gateways).

DSEs – Data Storage Entities – who store or transmit payment card data.

QSA – Qualified Security Assessor – a company qualified by the SSC, whose trained and certified employees carry out on-site PCI DSS compliance assessments and produce the Report on Compliance (ROC).

ISA – Internal Security Assessor – someone who is trained and certified to conduct internal security assessments.

ASV – Approved Scanning Vendor – an organisation approved by the SSC as competent to carry out the quarterly external vulnerability scans required by PCI DSS.

PFI – PCI Forensic Investigator – a company approved by the SSC, whose trained and certified investigators are engaged to investigate and contain security breaches involving cardholder data.

1 www.pcisecuritystandards.org/security_standards/documents.php.

2 There is a formal English glossary available at www.pcisecuritystandards.org/documents/pci_glossary_v20.pdf.
