Payment card industry data security standard and sensitive card data
The Payment Card Industry Data Security Standard (PCI DSS) is the principal document defining payment card data security principles. In 2004 the biggest international card schemes, VISA International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International, joined forces to protect payment card data and established the Payment Card Industry Security Standards Council (PCI SSC), which released the first version of PCI DSS later that year. PCI DSS is a live, evolving set of rules and recommendations that changes continually to address the most recent threats and risks to card data.
PCI DSS applies to all entities involved in payment card processing (i.e. merchants). PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
Cardholder data and/or sensitive authentication data
| Data | Data Element | Storage Permitted | Render Stored Data Unreadable |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes* |
| Sensitive Authentication Data | Full Track Data (full track data from the magnetic stripe, equivalent data on the chip, or elsewhere) | No | – |
* The standard requires that a stored PAN be rendered unreadable.
Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
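The storage rules in the table above, applied to an authorization record before it is persisted, as an added example that is not part of the original page: the PAN is kept only in truncated form plus a keyed one-way token, and every SAD field is dropped. The field names, the demo key and the sample record are constructed for this illustration.

```python
import hmac
import hashlib
import re

# Constructed demo key. In a real deployment the key comes from an HSM or a
# key-management service and never sits beside the stored data.
PAN_HMAC_KEY = b"constructed-demo-key-not-for-production"

# Sensitive Authentication Data (SAD) fields: not storable after authorization,
# even encrypted, per the table above. Field names are assumptions.
SAD_FIELDS = ("track1", "track2", "cvv2", "pin_block")

_PAN_DIGITS = re.compile(r"^\d{13,19}$")


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six and last four digits; the middle becomes 'X'."""
    if not _PAN_DIGITS.match(pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way token (HMAC-SHA256) of the full PAN.

    A plain SHA-256 of a PAN is brute-forceable because the space of valid
    PANs is small; the secret key is what makes this rendering unreadable.
    """
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def contains_sad(record: dict) -> bool:
    """Pre-write check: True if any SAD field is still present."""
    return any(k in record for k in SAD_FIELDS)


def render_storable(record: dict) -> dict:
    """Return a copy of an authorization record that is safe to persist.

    The PAN is replaced by its masked form plus a keyed token; all SAD fields
    are removed outright; other cardholder data (name, expiry) is kept.
    """
    out = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    pan = out.pop("pan")
    out["pan_masked"] = mask_pan(pan)
    out["pan_token"] = pan_token(pan)
    return out


# Constructed sample authorization record (well-known test PAN, not a real card).
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "cardholder_name": "J DOE",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121011000012345678",
}
```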
The standard consists of 12 high-level requirements, grouped under six goals that a merchant achieves by adhering to all of the requirements.
PCI DSS requirements and goals
| Goal | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |