By: Nihad Hassan
October 12, 2021
What Is the Payment Card Industry Data Security Standard?
In today's digital age, people conduct more and more of their daily activities over the internet: working, studying, socializing, entertainment, shopping, and banking. Most services and products are now sold online, and paying for them is done mainly by card.
Card payments matter not just to customers but to businesses and, more broadly, to a country's economy. Cash works for face-to-face transactions, and bank checks take time to clear, so cards and other online payment methods are the practical way to settle transactions in the internet marketplace.
In recent years, attacks against card payments have become all too common, from data breaches and identity theft through to card fraud. Cybercriminals understand how central card payments are to the digital economy, a role that only grew during the COVID-19 pandemic. According to UNCTAD, the pandemic accelerated the shift towards a more digital world and increased the number of online shoppers by nearly 50%, compared with the year before the pandemic.
The PCI DSS standard was developed to protect online merchants and cardholders' data. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to ensure that every organization accepting card payments follows proper security measures when accepting, storing, processing, or transmitting card information.
PCI DSS helps companies reduce the risk of card data loss, prescribes controls to prevent and detect attacks against card information, and describes how to respond if a data breach occurs.
Launched in 2006, the PCI Security Standards Council (PCI SSC) is an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB) and is responsible for maintaining and publishing the PCI DSS. Note that the PCI SSC does not enforce PCI compliance; enforcement is the duty of the card brands and the acquiring banks that contract with merchants. The official PCI DSS standard and its supporting documents can be found here: https://www.pcisecuritystandards.org/document_library
The PCI DSS standard applies to any organization, regardless of its size or number of employees, that accepts, transmits, or stores cardholder data. PCI DSS also applies in the following cases involving card payments:
- Taking card details over the phone (e.g., in a call center). The standard spells out the business owner's compliance responsibilities for this channel, and the PCI SSC publishes supplemental guidance for telephone-based payments.
- Using a third-party provider to process card payments. Outsourcing does not exclude an organization from PCI DSS. It may reduce the scope of what the organization has to validate, but the organization remains responsible for compliance and for confirming that the provider is itself compliant.
- Accepting card payments without storing card details internally. An organization that accepts cards must still be PCI compliant even if it never stores the data; the requirements also cover how the data is accepted and transmitted.
- Accepting debit and prepaid cards. These transactions are subject to PCI DSS whenever the card belongs to one of the brands participating in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International.
What is meant by cardholder data?
We have already used the term "cardholder data." According to the PCI SSC, cardholder data means the full Primary Account Number (PAN), either on its own or together with any of the following:
- Cardholder name
- Expiration date
- Service code
The PCI SSC treats a second category, sensitive authentication data, even more strictly: full magnetic-stripe or chip track data, the card verification code printed on the card (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks must never be stored after a transaction has been authorized, even if encrypted. The PAN itself must be rendered unreadable wherever it is stored (for example by truncation, tokenization, or strong cryptography) and masked when displayed, so that at most the first six and last four digits are visible to staff who do not need the full number.
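A practical consequence of the definition above is that a full PAN leaking into an application log, crash report, or support ticket puts that system in scope for PCI DSS. The following is an added example, not code from the original article or from the PCI SSC: a small scanner that finds candidate PANs in log lines, confirms them with the Luhn (mod-10) check that real card numbers satisfy, and replaces them with a masked form that keeps only the first six and last four digits. The log lines are constructed for illustration; the function names and the 13-to-19-digit candidate pattern are this example's own choices.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes.
# Word boundaries stop the pattern from matching a fragment of a longer digit run.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod-10) checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN so that at most the first six and last four digits remain visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, number_of_pans_masked) for one log line.

    Only Luhn-valid candidates are masked; other long digit strings (order IDs,
    timestamps, session numbers) are left untouched to keep logs useful.
    """
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


def scrub_log(lines):
    """Scrub a sequence of log lines; returns (scrubbed_lines, total_pans_masked)."""
    scrubbed, total = [], 0
    for line in lines:
        out, n = scrub_line(line)
        scrubbed.append(out)
        total += n
    return scrubbed, total


# Constructed sample log lines (not from any real system). The card numbers are the
# well-known public test numbers for Visa, MasterCard, and American Express.
SAMPLE_LOG = [
    "2021-10-12 14:03:22 INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2021-10-12 14:03:25 DEBUG gateway payload pan=5555555555554444 exp=1224",
    "2021-10-12 14:03:31 WARN retry for 3782-822463-10005 after timeout",
    "2021-10-12 14:04:02 INFO order_id=4111111111111112 status=shipped",
]

if __name__ == "__main__":
    clean, hits = scrub_log(SAMPLE_LOG)
    for line in clean:
        print(line)
    print(f"{hits} PAN(s) masked")
```

The fourth sample line shows why the Luhn check matters: its 16-digit order ID fails the checksum and is left alone, while the three genuine test PANs are masked. A scanner like this belongs in the logging pipeline as a last line of defence; the primary control is still to keep full PANs out of application logs in the first place.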
How to become PCI compliant?
To become PCI compliant, an organization must validate that it meets the PCI DSS requirements, and the validation procedure it has to follow depends on its compliance level. The level is assigned by the card brands based on the number of card transactions processed per year; the widely cited thresholds are:
- Level 1: Merchants that process over 6 million card transactions yearly. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance.
- Level 2: Merchants that process 1 million to 6 million transactions yearly.
- Level 3: Merchants that process 20,000 to 1 million e-commerce transactions yearly.
- Level 4: Merchants that process fewer than 20,000 e-commerce transactions yearly.
Merchants at levels 2 to 4 normally validate with an annual Self-Assessment Questionnaire (SAQ) and, where they have internet-facing systems in scope, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). The exact obligations vary by card brand and by acquiring bank, so a merchant should confirm its level and validation requirements with its acquirer.
PCI compliance covers both the administrative and the technical side of an organization, and the standard itself is revised periodically, so compliance is an ongoing process that must be maintained across the whole life cycle of card payment handling rather than a one-time audit. An organization needs to test its website and web applications regularly to ensure they are secure and that conducting online payments through them introduces no undue risk.
For any organization doing business online, security is a vital concern. Proper protection mechanisms should be in place to safeguard the confidentiality of customers' payment information. Exposing that information to unauthorized parties through a data breach can have catastrophic consequences for a business's profit and reputation. PCI DSS helps a business protect its customers and, as a PCI DSS compliant entity, strengthens its reputation with them.