In the world of financial transactions, the acronym PCI is the most common term used and refers to the Payment Card Industry. (The longer version is PCI DSS, or Payment Card Industry Data Security Standard, the standard itself.) The Payment Card Industry Security Standards Council (PCI SSC) was created in 2006. Its goal as a global entity is to help improve security for every aspect of the payment transaction process. In the past the object of security concerns was the mainframe computer that could fill a room. Technology has evolved from those huge mainframes to personal computers, and on to mobile devices such as smartphones and tablets. The ways attackers threaten an entity's data have changed as well; the need to protect that data has not. Keep reading to learn more about the PCI Security Standards Council and avoiding a credit card data breach.
The PCI Security Council
The PCI Security Standards Council was created to maintain, improve, and distribute information regarding the universally accepted compliance standards. It was formed by American Express, JCB International, Visa, Inc., Mastercard, and Discover Financial Services. Each of the five founding members has equal responsibility and input in the organization. Other entities in the financial industry are welcome to join the PCI Security Council and can suggest additions or changes to the compliance standards. These organizations may include software and hardware developers, POS (Point of Sale) makers, banks, and retailers.
It is important to note that enforcing compliance with the data security standard is not the responsibility of the Council; rather it is the responsibility of the founding members (the card brands), acting through the acquiring banks that hold merchant accounts. This also applies to determining what fines are to be assessed for noncompliance. These fines can run from $5,000 to $500,000. Fines may also be assessed after a data breach even if the entity had previously validated as PCI compliant, since a breach typically triggers a forensic investigation of whether the controls were actually in place.
The daily operations of the PCI Council are the responsibility of an Executive Staff which consists of five members. The Board of Advisors is made up of individuals from the participating entities, whether retailers, financial institutions, or others. This structure allows equal participation across different industries in order to maintain and improve the compliance standards.
The PCI Council maintains a Document Library of new and updated resources including the Self-Assessment Questionnaire and documents describing each SAQ Type in detail. It also maintains a Newsroom web page with latest blogs, announcements, events and people and entities in the news.
Entities involved with payment cards are eligible to become members. As mentioned before, these organizations may include software and hardware developers, POS (Point of Sale) makers, banks, and retailers. One advantage of membership is the ability to view added or updated standards and any related materials before they are published. They also may comment on the changes before they are published. These members also receive weekly communications from the Council, as well as webinars conducted on a quarterly basis.
Global Executive Assessor Roundtable
The Roundtable was created so that senior leaders of the assessor companies could provide input and recommendations to the Council. It provides a direct channel for assessors to raise issues directly related to their work. Any assessor entity that has been active for seven years can be nominated and serve on the Roundtable. In addition, it must be doing business in a minimum of three assessor regions and be in good standing with the Council's assessor programs.
Regional Engagement Boards
These entities advise the PCI SSC in regard to issues concerning data security. The boards represent industry members and the participating organizations.
Special Interest Groups (SIGs)
These groups are community-based and are concerned with issues as they relate to payment security. There is an open period between July 19th and August 16th of each year when new SIGs may be proposed. Any member entity that is a Participating Organization (PO), Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), or PCI Council member may propose a new SIG. Topics that have been taken up by SIGs include E-Commerce Security and Security Assurance by Third Parties.
Strategic Class Membership
This membership is open to entities that have shown a commitment to complying with the PCI Security Standards. Members can nominate PCI officers and can also serve on the Council's Executive Board.
Strategic Regional Membership
Associations that are involved with payment processes at a regional level may be considered for membership. Since there is only one strategic member per region, the largest association in each region is given preference.
Affiliate Class Members
Membership is open to those entities that determine standards and encourage their counterparts to adopt them. Members are active in the development of new standards.
Achieving PCI Compliance
What entities are bound by PCI compliance? Any business, no matter its size, that stores, processes, or transmits payment card data must be in compliance.
There are two ways to validate PCI DSS compliance: 1) completion of a Self-Assessment Questionnaire (SAQ), or 2) an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC). Which route applies depends on the entity's merchant level (see below) and on what its acquirer requires.
Requirements and Objectives
The PCI DSS groups 12 requirements under six control objectives.
The requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
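Two of the requirements above (protect stored cardholder data; track and monitor all access) are where assessors most often find a primary account number (PAN) sitting in clear text in application or web-server logs. The following is an added example written for this page, not code from the Council or from any PCI DSS document: a small Python scanner that finds Luhn-valid card numbers in log lines and masks them to the first six and last four digits, which is the masking limit in PCI DSS 3.2.1 requirement 3.3. The log lines and the PANs in them are constructed for the example (the PANs are the well-known test numbers, not real cards); the function names are the example's own.

```python
"""Find Luhn-valid PANs in text and mask them (added example, not PCI SSC code)."""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
# The look-around assertions stop the pattern from matching a slice of a
# longer numeric identifier such as a 20-digit order or session ID.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.2.1 req. 3.3)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs (digits only) found in one line of text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_number, pans) for every line that contains a valid PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in the text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample log lines; the card numbers are published test numbers.
SAMPLE_LOG = [
    "2024-03-01T12:00:01Z checkout: order=98213 pan=4111111111111111 result=approved",
    "2024-03-01T12:00:02Z checkout: order=98214 pan=5555 5555 5555 4444 result=declined",
    "2024-03-01T12:00:03Z checkout: order=98215 pan=378282246310005 result=approved",
    "2024-03-01T12:00:04Z checkout: order=98216 ref=1234567890123456 result=approved",
]

if __name__ == "__main__":
    for line_no, pans in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN(s) {[mask_pan(p) for p in pans]}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

The fourth sample line carries a 16-digit reference number that fails the Luhn check, so it is reported neither as a finding nor rewritten; without the check a digit-run regex alone would flag it. Note that masking is a display control: a full PAN written to a log file is a finding under requirement 3 (stored PAN must be rendered unreadable) regardless of whether the application later masks it on screen, and the fix is to stop logging it, not to post-process the log.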
The objectives are:
- Build and maintain a secure network and systems to protect the data being processed; firewalls and the removal of vendor default settings are the first two requirements here.
- Protect cardholder data wherever it is stored, and encrypt it whenever it crosses open, public networks.
- Maintain a vulnerability management program: anti-malware must be kept current, and systems and applications must be developed and patched securely.
- Implement strong access control: restrict access to cardholder data by business need-to-know, give every user a unique ID, and control physical access.
- Regularly monitor and test networks: log and review all access to network resources and cardholder data, and test security systems and processes on a schedule.
- Maintain an information security policy that addresses security for all personnel; this is a requirement in its own right, not merely a way of avoiding fines.
The PCI Security Council provides training for assessors and helps them to connect with entities that need their expertise. The training courses include:
- Awareness – Entry-level course outlining payment card security issues and how the PCI Standards help protect cardholder data.
- PCIP (PCI Professional) – Earn an individual credential for knowledge and understanding of the PCI Standards.
- ISA (Internal Security Assessor) – Receive instruction on how to perform internal assessments for PCI compliance.
- Acquirer – Understand the PCI DSS requirements in order to work with merchant clients and facilitate their journey toward PCI DSS compliance.
- QIR (Qualified Integrator & Reseller) – Learn to install, configure, and maintain a payment application in a manner that facilitates PCI DSS compliance.
- ASV (Approved Scanning Vendor) – Use security services and tools to validate adherence to the external scanning requirement of the PCI DSS.
- QSA (Qualified Security Assessor) – Learn to perform PCI DSS assessments of merchants and service providers.
- PA-QSA (Payment Application Qualified Security Assessor) – Provides the tools to perform PA-DSS assessments and the associated testing.
- P2PE (Point-to-Point Encryption) – Get a solid foundation for assessing point-to-point encryption compliance across all six domains of the P2PE standard.
The Self-Assessment Questionnaire has instructions and guidelines as to how it should be completed. It provides examples of noncompliance and shows which requirements are impacted. It also has tips and strategies to help entities become compliant.
The SAQ guidance lists each type of SAQ and its description so that an entity can determine which type applies to its own specific process. Each type lists eligibility criteria; an entity must be able to answer every criterion affirmatively to use that SAQ, otherwise it falls through to SAQ D.
SAQ A: This type addresses requirements for card-not-present entities (e-commerce, or orders by mail or phone) that outsource all of their cardholder data functions to PCI DSS compliant third-party vendors. The entity retains only paper reports or receipts that contain cardholder data. These entities do not store, process, or transmit cardholder data on their own systems.
SAQ A-EP: This type addresses requirements for e-commerce entities that outsource all payment processing to PCI DSS compliant third-party vendors but whose own website, while it never receives cardholder data itself, controls how the cardholder is handed to the vendor (for example through a redirect or an embedded payment form) and so can affect the security of the transaction. These entities do not store, process, or transmit cardholder data on their own systems.
SAQ B: This type addresses requirements for entities that process cardholder data only through imprint machines or standalone dial-out terminals. Examples include brick and mortar stores and mail or phone order merchants; it is not applicable to e-commerce channels. The entities do not store cardholder data electronically.
SAQ B-IP: This type addresses requirements for entities that process cardholder data only using standalone, PTS-approved Point of Interaction (POI) devices with a built-in IP connection to the payment processor. Examples include brick and mortar stores and mail or phone order merchants; it is not applicable to e-commerce channels. The entities do not store cardholder data electronically.
SAQ C-VT: This type addresses requirements for entities that process cardholder data only by manually keying one transaction at a time into a virtual terminal on an isolated personal computer connected to the internet. Examples include brick and mortar stores and mail or phone order merchants; it is not applicable to e-commerce channels. The entities do not store cardholder data electronically.
SAQ C: This type addresses requirements for entities whose payment application system is connected to the internet. Examples include those that process cardholder data using a POS device or payment system connected to the internet; they may be brick and mortar stores or mail or phone order merchants, but not e-commerce channels. The entities do not store cardholder data electronically.
SAQ P2PE: This type addresses requirements for entities that process cardholder data only through hardware payment terminals included in a PCI SSC-listed Point-to-Point Encryption (P2PE) solution. They may be brick and mortar stores or mail or phone order merchants; it is not applicable to e-commerce channels. The entities do not store cardholder data electronically.
SAQ D: This type addresses requirements for entities that are eligible for an SAQ but do not meet the criteria of any of the other SAQ types. Examples include those that accept cardholder data on their own websites; those that store cardholder data electronically; those that do not store cardholder data but do not meet the criteria of any other SAQ type; and those that meet the criteria of another SAQ type but have additional PCI DSS requirements that apply to their environment.
The Compliance Levels
Merchant compliance is divided into four levels based on the volume of transactions in a 12-month time frame. The thresholds below are Visa's; each card brand defines its own levels, and a brand or acquirer can also place a merchant at a higher level (for example after a breach).
Level 1: Any entity which processes over six million Visa transactions annually.
Level 2: Any entity which processes between one million and six million Visa transactions annually.
Level 3: Any entity which processes between 20,000 and one million Visa e-commerce transactions annually.
Level 4: Any entity which processes fewer than 20,000 Visa e-commerce transactions annually, or any other entity that processes up to one million Visa transactions annually.
The PCI Security Standards Council is first and foremost an organization concerned with the security of transaction data. It takes a multi-pronged approach: it raises awareness about cyber security issues and protection, continually updates and creates security standards, encourages participation from industry entities, and provides training to further the cause of keeping a watchful eye on the data.