Payment Card Industry Data Security Standards (PCI DSS)

In a Nutshell: What is the Payment Card Industry Data Security Standards (PCI DSS)?

The Payment Card Industry Data Security Standards, or PCI DSS for short, was created and enacted by the Payment Card Industry Security Standards Council (PCI SSC), a global body comprised of payment card brands and organizations affiliated with the payment card industry.

The goal of the PCI DSS is to enhance the security standards for cardholder data in order to reduce credit card fraud.

The PCI DSS details the security standards that businesses that handle branded credit cards from major payment card brands must meet in order to accept credit cards as payment for transactions. There are 12 requirements [a href to #12requirements] that businesses need to meet in order to comply with the PCI DSS.

The Payment Card Industry Data Security Standards is often referred to as the PCI Standard.

Why do the Payment Card Industry Data Security Standards exist?

To understand why the Payment Card Industry Data Security Standards (PCI DSS) exist, the conjugation of the history of credit cards, their popularity, and their security challenges needs to be understood.

The First Credit Card

The first credit card – Diners Club – more closely resembled modern-day store cards, such as the Target REDCard, rather than the general-purpose credit card that are ubiquitous in today’s society, because they could only be used at select locations. Diners Club, introduced in 1950, initially could only be used as payment at 27 restaurants.

In other words, this first credit card was unlike the modern general-purpose credit card in that it could only be used at a handful of predetermined restaurants – no other restaurants, or businesses for that matter, accepted the Diners Club as payment.

To be comprehensive, there actually existed a primitive form of the credit card, known as ‘courtesy cards’, in the 1920s. Courtesy cards were issued by department stores and oil companies and could only be used at the individual department store or oil company that issued them, unlike the Diners Club that could at least be used in a variety of different restaurants.

In addition, in 1946, another primitive form of the credit card was introduced: the bank card. John Biggins, a banker, allowed his customers to use a bank card for purchases at local establishments, with the charges on the card forwarded as a bill to be paid by the bank. This card was unable to gain traction with the public since it could only be used locally and only be used by accountholders at that bank.

By 1953, due to its ability to be used outside of a local area, Diners Club had attracted tens of thousands of card members and expanded to be accepted internationally, with restaurants in the UK, Canada, Cuba, and Mexico honoring Diners Club as payment.

The rising popularity of Diners Club spurred competition: by 1958, American Express, Bank of America, and Carte Blanche (a credit card issued by Hilton Hotels) had joined the burgeoning payment card industry. Of these emerging competitors, Bank of America seemingly had the most edge on the competition.

Bank of America, although initially limited to just businesses based in California, had worked out an arrangement to have their credit card accepted by several different types of businesses, not just restaurants. This credit card, known as the BankAmericard, exploded in popularity within a few months of its release: introduced in March of 1959 and by October the same year, over 2 million credit cards had been issued, with over 20,000 businesses agreeing to accept the credit card.

However, the rollout of the BankAmericard was not without complications – improper financial controls over the credit card led to an estimated $20 million in loss due to credit card fraud.

The First Modern Credit Card

In 1966, Bank of America regrouped from this initial credit card fraud complication and introduced a modern general-purpose credit card that could be used outside of California by creating alliances with banks in other states; at the time, federal law prevented banks from expanding to other states.

The same year, a group of California banks banded together to form the Interbank Card Association (ICA), which issued its own general-purpose credit card, called the ‘Master Charge’, in direct competition with the BankAmericard.

The ICA was comprised of United California Bank, Crocker National Bank, Wells Fargo, and Bank of California. The first two banks – United California Bank and Crocker National Bank – eventually merged into Wells Fargo and the last bank – Bank of California – eventually merged into Union Bank of California.

By this point, Diners Club had entered into relationships with various travel and entertainment businesses so that its payment card could be accepted at a larger variety of businesses, not just restaurants, but by then it was already too late – BankAmericard and Master Charge had already cornered the general-purpose credit card market.

In 1970, a committee that was used to analyze the BankAmericard program determined that it had the potential to dominate much more of the payment card industry – as long as it separated itself from Bank of America, to instead, be managed by a jointly controlled consortium of banks, much like ICA.

In order to compete at the international level, both BankAmericard and Master Charge re-branded: a single network with a single internationally-known name would be in the best interest of each.

In 1976, BankAmericard rebranded as “Visa”, and in 1979, Master Charge rebranded as “MasterCard”.

The Rise of Credit Card Fraud

As credit cards became more popular across the world, so did credit card fraud.

Put simply, credit card fraud describes the unauthorized use of stolen credit card account information to conduct a fraudulent transaction.

As evident from Bank of America’s initial rollout of its first credit card, criminals have been attempting to take advantage of any credit card data security gaps in order to profit from fraudulent transactions conducted using stolen card data ever since the creation of the first credit card.

Credit card customers want credit cards that are quick, easy-to-use, and widely-accepted, and unfortunately, it is the convenience of credit cards that exposes them to fraud. To succeed in the payment card industry, the credit card offered must be both convenient and secure.

Fighting Credit Card Fraud with Security Protection Programs

In order to combat credit card fraud, Visa and MasterCard created security protection programs for their credit cards: Visa introduced their Visa Cardholder Information Security Program and MasterCard introduced their MasterCard’s Site Data Protection.

By this point, several other payment card issuers had emerged, introducing several options for internationally-accepted credit cards: American Express, Discover, and JCB (Japan Credit Bureau). Each of these issuers also had security programs for their credit cards.

All of these individual security programs had a similar goal: to protect card issuers and cardholders by ensuring that businesses who accept credit cards during transactions as payment had the minimum level of security and fraud prevention protocols and technologies in place when storing, processing, and transmitting data from credit cards.

The Continual Rise of Credit Card Fraud

Even though each individual payment card issuer had a security program in place, the amount of credit card fraud nonetheless kept growing, especially with the advent of the Internet, and subsequently, e-commerce. The Internet had opened up a brand new venue in which to make purchases and conduct transactions, or, in other words, the Internet became the gift that kept on giving to fraudsters.

Gaining traction in the 1990s, the rise of e-commerce helped fuel the rise of credit card fraud – and soon, payment card issuers began to notice that their security programs were becoming increasingly ineffective. For example, in 1999, the U.K. experienced a £188 million loss from card fraud, and just 5 years later in 2004, the U.K. experienced a whopping £505 million loss from card fraud.

Payment card issuers realized something more had to be done to cure the epidemic of credit card fraud.

The Establishment of the Payment Card Industry Security Standards Council

And so, on September 7, 2006, Visa, MasterCard, American Express, Discover, and JCB decided to join forces, becoming the Payment Card Industry Security Standards Council (PCI SSC) in order to create a uniform, reliable set of security standards, which came to be known as the Payment Card Industry Data Security Standard (PCI DSS), to more effectively combat credit card fraud. After all, two – or in this case, five – heads are better than one.

The council decided upon 12 distinct security requirements that businesses who want to accept credit cards must meet before being allowed to conduct transactions and/or continue conducting transactions using the credit cards that are represented by the council. The 12 security requirements are discussed in the section below.

Although the council was able to standardize the requirements such that they were more securely sound than the individual security programs, credit card fraud still persisted, mainly due to the rise of other types of fraud, notably identity fraud.

In fact, in 2016, the Nilson Report estimated that credit card fraud losses reached $24.71 billion – a 12% increase from 2015.

Although the PCI DSS isn’t 100% effective at stopping credit card fraud, it is obvious that without it, credit card fraud would be catastrophically worse.

The Details: Payment Card Industry Data Security Standards Requirements & Compliance

There are 2 steps to take to comply with Payment Card Industry Data Security Standards:

1. Fulfilling the 12 security requirements
2. Conducting a periodic validation that the 12 security requirements are being met; exceptions to this validation requirement are covered below

PCI DSS 12 Security Requirements

Although the 12 requirements have been organized differently several times – into different control objective groups – since the inception of the PCI DSS, the requirements have not changed.

The 12 security requirements of the PCI DSS are currently organized in the following manner:

Control Objective: BUILD & MAINTAIN A SECURE NETWORK
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters

Control Objective: PROTECT CARDHOLDER DATA
Requirement #3: Protect stored cardholder data
Requirement #4: Encrypt transmission of cardholder data across open, public networks

Control Objective: MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement #5: Use and regularly update anti-virus software on all systems commonly affected by malware
Requirement #6: Develop and maintain secure systems and applications

Control Objective: IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement #7: Restrict access to cardholder data by business need-to-know
Requirement #8: Assign a unique ID to each person with computer access
Requirement #9: Restrict physical access to cardholder data

Control Objective: REGULARLY MONITOR AND TEST NETWORKS
Requirement #10: Track and monitor all access to network resources and cardholder data
Requirement #11: Regularly test security systems and processes

Control Objective: MAINTAIN AN INFORMATION SECURITY POLICY
Requirement #12: Maintain a policy that addresses information security

Each requirement is discussed in detail below.

Requirement #1: Install and maintain a firewall configuration to protect cardholder data

• Create a firewall configuration policy
• Develop a configuration test that will protect cardholder data
• Make sure hosting provider has firewalls and a secure, private network
  • Obtain documentation from hosting provider that ensures PCI DSS compliance requirements are met

Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Create, maintain, and update system passwords that are unique and secure

Requirement #3: Protect stored cardholder data

• This requirement only applies to businesses that store cardholder data
• Not storing cardholder data greatly reduces the possibility of a data security breach

Requirement #4: Encrypt transmission of cardholder data across open, public networks

• Encrypt data so that it is unreadable and unusable without the proper cryptographic keys
  • Cryptographic keys describe the algorithm used to transform plaintext into ciphertext

Requirement #5: Use and regularly update anti-virus software on all systems commonly affected by malware

• In order to protect against recently-developed malware, use and frequently update anti-virus software
• If cardholder data is stored on outsourced servers, make sure that the server provider maintains a safe environment and generates audit logs

Requirement #6: Develop and maintain secure systems and applications

• Set up an alert system that creates a warning when a newly-identified security vulnerability is discovered
• Make sure that the hosting provider used monitors and updates their security systems to detect and prevent security vulnerabilities

Requirement #7: Restrict access to cardholder data by business need-to-know

• Limit the number of personnel that have access to cardholder data as much as possible

Requirement #8: Assign a unique ID to each person with computer access

• Personnel who have computer access needs to have their own account
• Personnel with computer access should follow security best practices:
  • Password encryption
  • Password updates every 30 days
  • Log-in time limits; automatic log-out after time-limit or non-use

Requirement #9: Restrict physical access to cardholder data

• If cardholder data is stored on an off-site data center, make sure personnel with cardholder data access is given on a need-to-know basis
• Make sure the data center also:
  • fully monitors their system
  • has surveillance cameras
  • has entry authentication

Requirement #10: Track and monitor all access to network resources and cardholder data

• Have a logging system that tracker user activity
• Maintain a stored archive of logging system data to help pinpoint the cause in the event of a security breach

Requirement #11: Regularly test security systems and processes

• To make sure that cardholder data is secure at all times, regularly monitor and test security systems and processes that are in place

Requirement #12: Maintain a policy that addresses information security

• Create and maintain a security policy that addresses:
  • all acceptable uses of technology
  • the reviews and annual processes needed for risk analysis
  • operational security procedures
  general administrative tasks

Conducting an Annual Validation

Compliance with the PCI DSS is not enforced by the council – the individual payment card brands and the banks authorized to issue those payment cards are responsible for ensuring that businesses are in compliance with the PCI DSS. Once a year, brands and banks are required to conduct a validation of compliance of businesses who conduct transactions using the brands’ and banks’ payment cards:

• for businesses handling large volumes of transactions, either of the following validations methods needs to be performed in order to complete a Report on Compliance (ROC):
  • via an external Qualified Security Assessor (QSA)
  • via a firm specific Internal Security Assessor (ISA)
• for businesses handling small volumes, a Self-Assessment Questionnaire (SAQ) needs to be completed

Under the PCI DSS, ‘businesses handling large volumes of transactions’ are defined as businesses having more than 6 million transactions per year. And ‘businesses handling small volumes of transactions’ are defined as businesses having up to 6 million transactions per year.

This annual validation requirement includes a provision that businesses that have externally facing (public) IP addresses must complete an external network vulnerability scan on a quarterly basis and provide the results to the bank that processes those transactions. This vulnerability scan must be conducted by an Approved Scanning Vendor (ASV); a list of ASVs can be found by clicking here.

Conducting an Annual Validation

There are certain criteria that businesses can meet to become exempt from the PCI DSS validation requirement. Although each payment card issuer has their own exemption criteria, each issuers’ criteria is comparable to the following:

• No card data, such as card number, are stored after the transaction is conducted
• Have a chip-enabled terminal that:
  • has EMV-approval or has a validated point-to-point (P2PE) solution¹
  • is able to pass Acquirer Device Validation Toolkit (ADVT), Contactless Evaluation Toolkit (CDET), or Visa payWave Test Tool (VpTT) testing requirements
• Have at least 75% of transactions conducted using the above-mentioned chip-enabled terminal

Do the Payment Card Industry Data Security Standards affect your business?

If your business processes, stores, or transmits cardholder data, then PCI DSS compliance is required at all times. In addition, validation of compliance is also required on a continuing basis.

In other words, if your business – no matter how small it is – accepts credit cards as payment, your business must comply with the PCI DSS at all times.

Notice: On January 31, 2017, Visa issued new rules on validation exemptions. These new rules can be read here.

In order to fully comply with the PCI DSS, you may find that you need to incur some costs.

For example, if a business has not complied with PCI DSS, a noncompliance fee may be charged to the business; the fee is supposed to serve as a reminder to become compliant.

Further, if your business needs help becoming compliant – especially with the technical details on setting up a firewall, secure networks, etc. – you may need to pay for IT services. Some processors, such as First Data, provide PCI compliance support programs for a fee.

It should be noted that PCI DSS is not mandated by any law – it is mandated by the PCI SSC and enforced by the individual payment card brands. There are no federal laws that require compliance with the PCI DSS – noncompliance will not result in legal ramifications. In other words, the government will not prosecute, neither with fines nor jail time, noncompliance with the PCI DSS.

There are currently two states that have incorporated the PCI DSS into their state legislation:
• Nevada – in 2009, Nevada passed legislation that requires businesses to comply with the PCI DSS and shields them from liability in the event of a data breach
• Washington - in 2010 Washington passed legislation that does not require businesses to comply with the PCI DSS, but shields businesses who chose to comply with the PCI DSS from liability in the event of a data breach

However, what this does mean is that payment card brands have the authority to impose their own consequences for noncompliance; rest assured, no entity other than the government has the authority to assign jail time.

PCI DSS Noncompliance Consequences

• As mentioned above, payment card brands can impose a fee onto business who do not comply with the PCI DSS
  • If failure to comply with the PCI DSS results in a security compromise, financial penalties can range from $5,000 to $500,000
  • For acquiring banks allow transactions by businesses who are in noncompliance, these fees can range anywhere from $5,000 to $100,000 per month; acquiring banks will most likely pass these fees onto noncompliant businesses in the form of increased transaction fees, and in the worst case scenario, terminate the relationship with the noncompliant business
• Noncompliance runs the risk of losing the ability to accept credit cards as payment; payment card brands can terminate the merchant account you have with them
  • Noncompliance can result in being placed on a blacklist that will prevent you from obtaining a merchant account for at least several years
• Although a data breach can occur even with PCI DSS compliance, being noncompliant with the PCI DSS greatly increases the changes of compromise via data breach. In the event a data breach occurs, the financial consequences are enormous:
  • Merchant processor compromise fine: $5,000-$500,000
  • Forensic investigation: $12,000-$100,000• Onsite Q&A assessments post-breach: $20,000-$100,000• Free credit monitoring: $10-$30 per affected card• Card re-issuance penalties: $3-$10 per affected card• Lawyer fees: $5,000+• Breach notification: $1,000• Technology repairs and upgrades: $2,000+• An increase in monthly card processing fees: varies• Federal/municipal fines: varies

Payment Card Industry Data Security Standards Resources

Although most of the details surrounding the Payment Card Industry Data Security Standards have been covered above, there are some nuances that have not been covered. To learn more about the Payment Card Industry Data Security Standards in detail, please use the following resources:

• The Official Payment Card Industry Security Standards Council (PCI SSC) Website
• PCI DSS Compliance Information for Visa
• PCI DSS Compliance Information for MasterCard
• PCI DSS Compliance Information for Discover
• PCI DSS Compliance Information for American Express
• PCI DSS Compliance Information for JCB
• Common PCI Compliance Myths

¹A list of validated point-to-point (P2PE) solutions can be found here