Introduction to PCI DSS: Payment Card Industry Data Security Standard

A month ago a new edition of the seminar "Recent developments in Payment Systems" took place in Madrid. The seminar, organized by "Athena Interactive", covered some of the most important aspects of the payment systems currently in operation.

One of the issues that drew the most comments was how hard it is to obtain the lists of companies audited under PCI DSS, so it seemed worth writing a post about the organization behind the standard and its most relevant characteristics.

According to its own website, the "PCI Security Standards Council is an open global forum established in 2006", whose mission is to increase the security of the payment card industry, protect cardholders and reduce payment card fraud.

The founding companies of this organization are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. These brands merged their separate security programs into a single set of requirements in order to simplify compliance. Note that the Council itself does not impose fines: sanctions for non-compliance, including fines and, in the extreme, withdrawal of the right to accept card payments, are applied by the card brands and by the acquiring banks under the brands' rules. All five brands currently share control of the organization and of its security activities for the payment card industry. They also recognize the Qualified Security Assessors (QSA), who perform on-site assessments, and the Approved Scanning Vendors (ASV), who perform the required external vulnerability scans, certified by the PCI SSC as the only parties qualified to validate PCI DSS compliance; smaller merchants with lower transaction volumes may instead validate through a Self-Assessment Questionnaire (SAQ), subject to the requirements of their acquirer.

Companies that store, process or transmit card data must meet specific security requirements, covering both the protection of cardholder data and the security of the company's own systems and processes. These organizations face demanding audits, and non-compliance can result in heavy fines.

The role of the members of the PCI Security Standards Council is to define and maintain the Data Security Standard (PCI DSS), the security requirements for PIN transaction devices (PCI PTS) and the Payment Application Data Security Standard (PA-DSS).

The PCI Security Standards Council therefore defines three standards, each focused on a specific area, which together unify the requirements previously set by each brand:

  • PCI DSS has the broadest scope. It applies to every entity that stores, processes or transmits cardholder data and gathers the technical and operational requirements developed to protect that data. Its adoption has been mandatory since June 2007, and the card brands may impose sanctions on any entity that fails the required audits.
  • PA-DSS applies to software vendors. According to the Council's website, it "aims to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe data, CVV2 (Card Verification Value) or PIN, and ensure their payment applications support compliance with the PCI DSS".
  • PCI PTS applies to payment devices, defining the physical and logical security requirements that PIN entry devices must meet, from manufacture through deployment.

In late 2010, the PCI Security Standards Council released version 2.0 of PCI DSS and PA-DSS, responding to the need for clearer and more flexible requirements and for easier implementation within organizations.

In the next post I will go a little more in depth into each standard, whom it is addressed to, and what changes their updates have brought for certified companies.