PCI-DSS Brief History:
The Payment Card Industry Data Security Standard (PCI-DSS) is the standard for the security and protection of cardholder data globally. In the early 2000s, Visa, the leading brand in the industry, led the way in defining a Cardholder Information Security Program, which became a de facto standard for other card brands.
By 2004, the major card brands agreed on a common set of security standards based on the Visa program. In 2006, they created the Payment Card Industry Security Standards Council (PCI SSC), an independent governing body composed of five major card brands: Visa, MasterCard, American Express, Discover Financial Services, and JCB International. The Council issues and updates the PCI DSS and publishes other standards associated with the payment card and payment acceptance industry.
Who must be compliant?
The major credit card brands require PCI DSS compliance by all businesses that are involved in the transmission, processing, or storage of payment card data, including merchants and third-party service providers that may impact the security of the data.
Merchant – Any entity that accepts payment cards from any of the five PCI SSC members as payment for goods and/or services.
Merchants include traditional brick-and-mortar establishments, e-commerce vendors, and other services such as mobile payment systems, taxi cabs, hotels, flea market vendors, and corporate e-stores. In short, any organization that accepts credit cards is subject to PCI DSS. The number of vendors is staggering: the number of merchants using Visa is up to 6 million and growing every day. Compliance is monitored by the merchant’s acquiring bank.
Service Provider – A business entity that is not a payment brand but that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
These companies typically sit between merchants and banks and may not even realize that they are involved in securing the cardholder data environment (CDE). For example, this includes companies providing “redirect” payment services, such as PayPal Pro and CyberSource.
Compliance is monitored by the card brands. These businesses must demonstrate compliance on an annual basis.
How to be compliant?
Large companies – both merchants and service providers – must validate compliance by having an independent assessment performed either by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The assessor uses the Report on Compliance Reporting Template to document and validate the compliance assessment.
Every other company (small merchants) that is subject to PCI DSS compliance is required to self-assess using the appropriate Self-Assessment Questionnaire. The majority of companies that must complete a self-assessment questionnaire are left on their own to interpret the requirements and to complete the questionnaire, with guidance only from the PCI DSS standard itself. Consequently, an attitude may develop that treats PCI compliance as just another audit: once one audit is complete, the same answers are assumed to be good enough for the next. This attitude reflects a desire to reduce the burden of PCI DSS compliance, but it misses the point. The overarching principle is that you have to secure your environment and your data, not just satisfy PCI compliance with minimal effort.
The Council manages programs that help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
Additional details can be found on the PCI SSC website.
The Self-Assessment Questionnaire (SAQ) is a validation tool for eligible organizations that self-assess their PCI DSS compliance and are not required to submit a Report on Compliance (ROC). Different SAQs are available for various business environments; more details can be found on the PCI Security Standards Council website.
An organization’s acquiring financial institution or payment brand can also determine whether it should complete an SAQ.