PCI data security standards: What they are and why they matter

PCI data security standards: What they are and why they matter

If you have a merchant account and accept credit card payments, you need to defend your customers' sensitive personal data against theft and fraud.

But where should your security measures begin? To ensure that merchants are doing all they can to safeguard card information, the major credit card brands (Visa, MasterCard, American Express, Discover and JCB) joined together and established a set of rules in 2006. These guidelines are known as the Payment Card Industry Data Security Standards -- or PCI DSS for short -- and cover everything from the physical security of documents to making digital files unreadable to would-be thieves. The rules remain just as relevant in 2011, as cybercriminals continually seek new ways to steal payment card data, either for their own use or sale on the black market. 

When taking steps to protect data, merchants can go above and beyond PCI DSS, but they must at least meet its basic requirements. "This is the minimum or baseline that you should be doing" to prevent data breaches, says Bob Russo, general manager or PCI Security Standards Council, a global forum founded by the five card brands.

All stores that accept plastic payments need to be aware of these standards, since PCI DSS apply to merchants of all types and sizes, located both in the United States and overseas. "If you store, transmit or process any credit card data, you must be compliant with these standards," Russo says.  

"Even someone who processes one credit card must be compliant," Russo says. In other words, the standards apply to everyone from the "Mom and Pops to the Wal-Mart's of the world."

There are six goals and 12 requirements of PCI DSS. They are as follows:

Build and maintain a secure network.

• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.

• Encrypt transmission of cardholder data across open, public networks.
• Protect stored cardholder data.

Maintain a vulnerability management program.

• Use and regularly update anti-virus software or programs.
• Develop and maintain secure systems and applications.

Implement strong access control measures.

• Restrict access to cardholder data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.

Regularly monitor and test networks.

• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.

Maintain an information security policy.

• Maintain a policy that addresses information security for employees and contractors.

Merchants that violate these rules can expect to pay. Following a data breach, fines are initially levied on the merchant's bank, which may then pass on those costs to the merchant.  

However, merchants that lose cardholder data may have bigger concerns: "Fines are generally the least of your problems if you suffer a breach," Russo says. That's because under state data breach notification laws, companies that fail to protect their customers' data must acknowledge the theft. "There is a very good chance those customers will walk from your business," Russo says. "We're talking about very real damages at that point because your business goes away." 

Rather than simply placing an unfair burden on merchants, PCI DSS therefore offers a necessary way to keep their customers -- and their business -- safe.  

In an era when airline passengers must endure intrusive screening procedures before boarding a flight, "you really can't do anything nowadays without security in some shape of form," Russo says.

Published: February 3,2023