The 12 Security Requirements of the PCI DSS
TABLE OF CONTENTS
I. In a Nutshell: What is the Payment Card Industry Data Security Standards (PCI DSS)?
II. Why do the Payment Card Industry Data Security Standards exist?
III. The Details: Payment Card Industry Data Security Standards Requirements & Compliance
IV. Do the Payment Card Industry Data Security Standards affect your business?
V. Payment Card Industry Data Security Standards Resources
The Payment Card Industry Data Security Standard, or PCI DSS for short, was created and enacted by the Payment Card Industry Security Standards Council (PCI SSC), a global body made up of the payment card brands and organizations affiliated with the payment card industry.
The goal of the PCI DSS is to enhance the security standards for cardholder data in order to reduce credit card fraud.
The PCI DSS details the security standards that businesses handling branded credit cards from the major payment card brands must meet in order to accept credit cards as payment for transactions. There are 12 requirements that businesses need to meet in order to comply with the PCI DSS.
The Payment Card Industry Data Security Standards is often referred to as the PCI Standard.
To understand why the Payment Card Industry Data Security Standards (PCI DSS) exist, the history of credit cards, their popularity, and their security challenges all need to be understood together.
The first credit card – Diners Club – more closely resembled modern-day store cards, such as the Target REDCard, than the general-purpose credit cards that are ubiquitous in today’s society, because it could only be used at select locations. Diners Club, introduced in 1950, initially could be used as payment at only 27 restaurants.
In other words, this first credit card was unlike the modern general-purpose credit card in that it could only be used at a handful of predetermined restaurants – no other restaurants, or businesses for that matter, accepted the Diners Club as payment.
To be comprehensive, there actually existed a primitive form of the credit card, known as ‘courtesy cards’, in the 1920s. Courtesy cards were issued by department stores and oil companies and could only be used at the individual department store or oil company that issued them, unlike the Diners Club that could at least be used in a variety of different restaurants.
In addition, in 1946, another primitive form of the credit card was introduced: the bank card. John Biggins, a banker, allowed his customers to use a bank card for purchases at local establishments, with the charges on the card forwarded as a bill to be paid by the bank. This card was unable to gain traction with the public since it could only be used locally and only be used by accountholders at that bank.
By 1953, due to its ability to be used outside of a local area, Diners Club had attracted tens of thousands of card members and expanded to be accepted internationally, with restaurants in the UK, Canada, Cuba, and Mexico honoring Diners Club as payment.
The rising popularity of Diners Club spurred competition: by 1958, American Express, Bank of America, and Carte Blanche (a credit card issued by Hilton Hotels) had joined the burgeoning payment card industry. Of these emerging competitors, Bank of America seemingly had the most edge on the competition.
Bank of America, although initially limited to just businesses based in California, had worked out an arrangement to have its credit card accepted by several different types of businesses, not just restaurants. This credit card, known as the BankAmericard, exploded in popularity within a few months of its release: it was introduced in March of 1959, and by October of the same year over 2 million credit cards had been issued and over 20,000 businesses had agreed to accept it.
However, the rollout of the BankAmericard was not without complications – improper financial controls over the credit card led to an estimated $20 million in loss due to credit card fraud.
In 1966, Bank of America regrouped from this initial credit card fraud complication and introduced a modern general-purpose credit card that could be used outside of California by creating alliances with banks in other states; at the time, federal law prevented banks from expanding to other states.
The same year, a group of California banks banded together to form the Interbank Card Association (ICA), which issued its own general-purpose credit card, called the ‘Master Charge’, in direct competition with the BankAmericard.
The ICA was comprised of United California Bank, Crocker National Bank, Wells Fargo, and Bank of California. The first two banks – United California Bank and Crocker National Bank – eventually merged into Wells Fargo and the last bank – Bank of California – eventually merged into Union Bank of California.
By this point, Diners Club had entered into relationships with various travel and entertainment businesses so that its payment card could be accepted at a larger variety of businesses, not just restaurants, but by then it was already too late – BankAmericard and Master Charge had already cornered the general-purpose credit card market.
In 1970, a committee formed to analyze the BankAmericard program determined that it had the potential to dominate much more of the payment card industry – as long as it separated itself from Bank of America and was instead managed by a jointly controlled consortium of banks, much like the ICA.
In order to compete at the international level, both BankAmericard and Master Charge re-branded: a single network with a single internationally-known name would be in the best interest of each.
In 1976, BankAmericard rebranded as “Visa”, and in 1979, Master Charge rebranded as “MasterCard”.
As credit cards became more popular across the world, so did credit card fraud.
Put simply, credit card fraud describes the unauthorized use of stolen credit card account information to conduct a fraudulent transaction.
As evident from Bank of America’s initial rollout of its first credit card, criminals have been attempting to take advantage of any credit card data security gaps in order to profit from fraudulent transactions conducted using stolen card data ever since the creation of the first credit card.
Credit card customers want credit cards that are quick, easy-to-use, and widely-accepted, and unfortunately, it is the convenience of credit cards that exposes them to fraud. To succeed in the payment card industry, the credit card offered must be both convenient and secure.
In order to combat credit card fraud, Visa and MasterCard created security protection programs for their credit cards: Visa introduced the Visa Cardholder Information Security Program and MasterCard introduced its Site Data Protection program.
By this point, several other payment card issuers had emerged, introducing several options for internationally-accepted credit cards: American Express, Discover, and JCB (Japan Credit Bureau). Each of these issuers also had security programs for their credit cards.
All of these individual security programs had a similar goal: to protect card issuers and cardholders by ensuring that businesses accepting credit cards as payment had a minimum level of security and fraud-prevention protocols and technologies in place when storing, processing, and transmitting credit card data.
Even though each individual payment card issuer had a security program in place, the amount of credit card fraud nonetheless kept growing, especially with the advent of the Internet, and subsequently, e-commerce. The Internet had opened up a brand new venue in which to make purchases and conduct transactions, or, in other words, the Internet became the gift that kept on giving to fraudsters.
Gaining traction in the 1990s, the rise of e-commerce helped fuel the rise of credit card fraud – and soon, payment card issuers began to notice that their security programs were becoming increasingly ineffective. For example, in 1999, the U.K. experienced a £188 million loss from card fraud, and just 5 years later in 2004, the U.K. experienced a whopping £505 million loss from card fraud.
Payment card issuers realized something more had to be done to cure the epidemic of credit card fraud.
And so, on September 7, 2006, Visa, MasterCard, American Express, Discover, and JCB decided to join forces, becoming the Payment Card Industry Security Standards Council (PCI SSC) in order to create a uniform, reliable set of security standards, which came to be known as the Payment Card Industry Data Security Standard (PCI DSS), to more effectively combat credit card fraud. After all, two – or in this case, five – heads are better than one.
The council decided upon 12 distinct security requirements that businesses who want to accept credit cards must meet before being allowed to conduct transactions and/or continue conducting transactions using the credit cards that are represented by the council. The 12 security requirements are discussed in the section below.
Although the council was able to standardize the requirements so that they were more sound than the individual security programs, credit card fraud still persisted, mainly due to the rise of other types of fraud, notably identity fraud.
In fact, in 2016, the Nilson Report estimated that credit card fraud losses reached $24.71 billion – a 12% increase from 2015.
Although the PCI DSS isn’t 100% effective at stopping credit card fraud, it is obvious that without it, credit card fraud would be catastrophically worse.
There are 2 steps to take to comply with Payment Card Industry Data Security Standards:
Although the 12 requirements have been organized differently several times – into different control objective groups – since the inception of the PCI DSS, the requirements have not changed.
The 12 security requirements of the PCI DSS are currently organized in the following manner:
Control Objective: BUILD & MAINTAIN A SECURE NETWORK
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Control Objective: PROTECT CARDHOLDER DATA
Requirement #3: Protect stored cardholder data
Requirement #4: Encrypt transmission of cardholder data across open, public networks
Control Objective: MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement #5: Use and regularly update anti-virus software on all systems commonly affected by malware
Requirement #6: Develop and maintain secure systems and applications
Control Objective: IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement #7: Restrict access to cardholder data by business need-to-know
Requirement #8: Assign a unique ID to each person with computer access
Requirement #9: Restrict physical access to cardholder data
Control Objective: REGULARLY MONITOR AND TEST NETWORKS
Requirement #10: Track and monitor all access to network resources and cardholder data
Requirement #11: Regularly test security systems and processes
Control Objective: MAINTAIN AN INFORMATION SECURITY POLICY
Requirement #12: Maintain a policy that addresses information security
Each requirement is discussed in detail below.
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement #3: Protect stored cardholder data
Requirement #4: Encrypt transmission of cardholder data across open, public networks
Requirement #5: Use and regularly update anti-virus software on all systems commonly affected by malware
Requirement #6: Develop and maintain secure systems and applications
Requirement #7: Restrict access to cardholder data by business need-to-know
Requirement #8: Assign a unique ID to each person with computer access
Requirement #9: Restrict physical access to cardholder data
Requirement #10: Track and monitor all access to network resources and cardholder data
Requirement #11: Regularly test security systems and processes
Requirement #12: Maintain a policy that addresses information security
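The requirement titles above say what must be achieved but not what a check for them looks like in practice. The following Python script is an added example, not part of the original article and not a PCI SSC or card-brand tool, illustrating Requirement #3 (protect stored cardholder data) together with Requirement #10 (monitor access to cardholder data) from the defender's side: it audits constructed sample log lines for primary account numbers (PANs) that were written in the clear, confirms each candidate with the Luhn mod-10 checksum that card numbers carry, and rewrites any hit to the masked form PCI DSS has traditionally allowed for display (at most the first six and last four digits). The log lines, the field names in them, and the card numbers are all constructed; the card numbers are the well-known synthetic test values, not real accounts.

```python
"""Added example: find and mask PANs that leaked into application logs.

Not from the original article. The log format, field names and card numbers
are constructed test data; the card numbers are synthetic test values.
"""
import re

# A maximal run of digits, optionally separated by single spaces or hyphens,
# e.g. "4111 1111 1111 1111" or "5500-0000-0000-0004".
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")
MIN_PAN_LEN, MAX_PAN_LEN = 13, 19   # range of PAN lengths in circulation


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask for display: only the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid, PAN-length digit run.

    A run is judged as a whole: digits written directly against a PAN (an order
    id fused to it) push the run outside the PAN length range and it is skipped.
    Handling that case needs a BIN-aware sliding window, which this example omits.
    """
    hits = []
    for m in DIGIT_RUN.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def redact_line(line: str) -> str:
    """Replace each detected PAN in a line with its masked form."""
    out = line
    for start, end, digits in reversed(find_pans(line)):   # right to left keeps offsets valid
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


# Constructed sample log lines (synthetic card numbers, not real accounts).
SAMPLE_LOG = [
    "2023-01-15 10:22:33 INFO checkout order=778812 pan=4111111111111111 amount=42.10",
    "2023-01-15 10:22:34 DEBUG stored token=tok_9f3a card_last4=1111",
    "2023-01-15 10:23:01 WARN gateway retry ref=5500 0000 0000 0004 attempt=2",
    "2023-01-15 10:23:05 INFO session id=1234567890123 renewed",
]


def audit(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked line) for every line that leaked a PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            findings.append((n, redact_line(line)))
    return findings


if __name__ == "__main__":
    for n, masked in audit(SAMPLE_LOG):
        print(f"line {n}: {masked}")
```

Run as-is, the script reports lines 1 and 3: the first carries a bare 16-digit PAN, the third the same kind of value written with spaces. Line 2 is what compliant logging looks like (a token plus the last four digits), and line 4 shows why the Luhn check matters: a 13-digit session id is the right length for a PAN but fails the checksum, so it is not flagged. Luhn is a filter rather than proof, so a production scanner would additionally check issuer prefixes and feed its findings into the monitoring required by Requirement #10.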
Compliance with the PCI DSS is not enforced by the council – the individual payment card brands and the banks authorized to issue those payment cards are responsible for ensuring that businesses are in compliance with the PCI DSS. Once a year, brands and banks are required to conduct a validation of compliance of businesses who conduct transactions using the brands’ and banks’ payment cards:
Under the PCI DSS, ‘businesses handling large volumes of transactions’ are defined as businesses having more than 6 million transactions per year, while ‘businesses handling small volumes of transactions’ are defined as businesses having up to 6 million transactions per year.
This annual validation requirement includes a provision that businesses that have externally facing (public) IP addresses must complete an external network vulnerability scan on a quarterly basis and provide the results to the bank that processes those transactions. This vulnerability scan must be conducted by an Approved Scanning Vendor (ASV); the list of ASVs is maintained by the PCI SSC.
There are certain criteria that businesses can meet to become exempt from the PCI DSS validation requirement. Although each payment card issuer has its own exemption criteria, each issuer’s criteria are comparable to the following:
If your business processes, stores, or transmits cardholder data, then PCI DSS compliance is required at all times. In addition, validation of compliance is also required on a continuing basis.
In other words, if your business – no matter how small it is – accepts credit cards as payment, your business must comply with the PCI DSS at all times.
Notice: On January 31, 2017, Visa issued new rules on validation exemptions.
In order to fully comply with the PCI DSS, you may find that you need to incur some costs.
For example, if a business has not complied with PCI DSS, a noncompliance fee may be charged to the business; the fee is supposed to serve as a reminder to become compliant.
Further, if your business needs help becoming compliant – especially with the technical details on setting up a firewall, secure networks, etc. – you may need to pay for IT services. Some processors, such as First Data, provide PCI compliance support programs for a fee.
It should be noted that PCI DSS is not mandated by any law – it is mandated by the PCI SSC and enforced by the individual payment card brands. There are no federal laws that require compliance with the PCI DSS, so noncompliance by itself will not result in legal ramifications: the government will not prosecute noncompliance with the PCI DSS, with neither fines nor jail time.
There are currently two states that have incorporated the PCI DSS into their state legislation:
• Nevada – in 2009, Nevada passed legislation that requires businesses to comply with the PCI DSS and shields them from liability in the event of a data breach
• Washington – in 2010, Washington passed legislation that does not require businesses to comply with the PCI DSS, but shields businesses that choose to comply with the PCI DSS from liability in the event of a data breach
However, this does mean that the payment card brands have the authority to impose their own consequences for noncompliance; rest assured, no entity other than the government has the authority to assign jail time.
Although most of the details surrounding the Payment Card Industry Data Security Standards have been covered above, there are some nuances that have not been covered. To learn more about the Payment Card Industry Data Security Standards in detail, please use the following resources:
A list of validated point-to-point encryption (P2PE) solutions is published by the PCI SSC.
FraudFighter by UVeritech. Copyright 2023.
All Rights Reserved