
Securing payment card data

Payment card industry data security standard and sensitive card data

The Payment Card Industry Data Security Standard (PCI DSS) is the main document defining payment card data security principles. In 2004 the largest international card schemes, Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International, joined forces to protect payment card data and established the Payment Card Industry Security Standards Council (PCI SSC), which released the first version of PCI DSS later that year. PCI DSS is a live, evolving set of rules and recommendations that changes constantly to address the most recent threats and risks to card data. Latest standard version.

PCI DSS applies to all entities involved in payment card processing (i.e. merchants). PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Cardholder data and/or sensitive authentication data

Data Element                                                  | Storage Permitted | Render Stored Data Unreadable
Cardholder Data
  Primary Account Number (PAN)                                | Yes               | Yes*
  Cardholder Name                                             | Yes               | No
  Service Code                                                | Yes               | No
  Expiration Date                                             | Yes               | No
Sensitive Authentication Data
  Full Track Data (full track data from the magnetic stripe,  | No                |
  equivalent data on the chip, or elsewhere)                  |                   |
  CVV2/CVC2                                                   | No                |
  PIN/PIN Block                                               | No                |

* The standard requires that the PAN be rendered unreadable anywhere it is stored.

Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted. This applies even where there is no PAN in the environment. Organizations should contact their acquirer or the individual payment brands directly to understand whether SAD is permitted to be stored prior to authorization, for how long, and any related usage and protection requirements.
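The storage rules in the table above are easy to get wrong in code that persists transaction records, so the following Python example (added here; it is not SEB's code and not part of the standard) shows one way to build the record that may be kept after authorization: every SAD field is dropped outright, the full PAN is never written, and in its place the record carries a truncated PAN (first six and last four digits, one of the unreadability methods PCI DSS Requirement 3 accepts, alongside strong encryption, index tokens and keyed one-way hashes) plus a keyed hash usable as a lookup reference. The field names, the sample transaction and the demo key are all constructed assumptions; in a real deployment the HMAC key would come from a managed key store, and the non-sensitive cardholder data kept here would still fall under the rest of Requirement 3.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD): must never be stored after
# authorization, even encrypted. Field names are assumptions for this
# example, not names defined by the standard.
SAD_FIELDS = frozenset({"full_track", "track1", "track2", "cvv2", "cvc2",
                        "pin", "pin_block"})

# PANs are 13 to 19 digits; this is a syntactic check only.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to sanity-check a string before treating it as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep at most the first six
    and the last four digits and replace everything in between with 'X'."""
    if not PAN_RE.match(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN. It lets later
    transactions (e.g. a refund) be matched to this card without the PAN
    being stored. `key` is assumed to be managed outside this code."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Build the record that may be persisted after authorization:
    SAD removed entirely, PAN replaced by its truncated form plus a keyed
    reference, non-sensitive cardholder data carried over unchanged."""
    pan = record["pan"]
    if not (PAN_RE.match(pan) and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    stored = {k: v for k, v in record.items()
              if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_ref"] = pan_reference(pan, key)
    return stored


# Constructed sample: an authorized transaction as a terminal might hand it
# over, including SAD that must not survive into storage.
SAMPLE_AUTHORIZED = {
    "pan": "4111111111111111",          # widely used Visa test number
    "cardholder_name": "A. Example",
    "expiry": "12/29",
    "service_code": "201",
    "track2": "4111111111111111=29121011234567890000",  # constructed, SAD
    "cvv2": "123",                                      # constructed, SAD
    "amount": "19.99",
}

if __name__ == "__main__":
    demo_key = b"demo-key-replace-with-managed-key"   # assumption, not for production
    for field, value in sanitize_for_storage(SAMPLE_AUTHORIZED, demo_key).items():
        print(f"{field}: {value}")
```

A useful check on such code is the negative one: a test that feeds a record containing every SAD field and asserts none of them, nor the full PAN, appears in the output, so a later refactor that starts logging or persisting the raw record fails the test rather than a PCI assessment.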

The standard comprises 12 high-level requirements, grouped under six goals that a merchant achieves by adhering to all of them.

PCI DSS requirements and goals

Goals                                        | PCI DSS Requirements
Build and Maintain a Secure Network          | 1. Install and maintain a firewall configuration to protect cardholder data
                                             | 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                      | 3. Protect stored cardholder data
                                             | 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program  | 5. Protect all systems against malware and regularly update anti-virus software or programs
                                             | 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures     | 7. Restrict access to cardholder data by business need-to-know
                                             | 8. Identify and authenticate access to system components
                                             | 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks          | 10. Track and monitor all access to network resources and cardholder data
                                             | 11. Regularly test security systems and processes
Maintain an Information Security Policy      | 12. Maintain a policy that addresses information security for all personnel
