IT Channel Explained

Payment Card Industry Data Security Standard (PCI-DSS)

By Yuval Shavit, Features Writer

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security guidelines established by a consortium of major credit card companies that merchants who process credit cards must follow. The consortium considers the 12-item PCI-DSS requirements list, which mostly deals with encryption and network security, a minimum baseline.

Many security experts view the guidelines as general practices that companies should have already implemented, regardless of PCI-DSS. Still, security resellers can provide value by ensuring that clients' specific policies are in compliance with the standard.

Resellers can also become PCI-DSS auditors (Approved Scanning Vendors or Qualified Security Assessors), either directly or by reselling auditing services. In this case, they are required to demonstrate an

PCI-DSS compliance resources for resellers and service providers
Learn more about the business opportunities created by PCI-DSS compliance in our PCI Compliance Guide for Service Providers
ability to perform audits independently and objectively. Auditors must disclose if they helped configure or deploy a client's network, and they cannot use their status as auditors to pitch extra, non-PCI-DSS services or omit suggestions for upgrades that they do not offer.

Although PCI-DSS defines security measures for companies that accept credit cards, it does not define how those companies are monitored for compliance or what penalties they face for failing to meet the standards. Individual credit card companies are responsible for setting those rules, and penalties can range from fines to suspension of the ability to accept credit cards.

The PCI-DSS standards are maintained by the PCI Security Standards Council LLC (PCI SSC), which was founded in September 2006 by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Its current version is 1.1, which was released with the formation of the council.

Compliance is evaluated by self-diagnostics, remote network scans administered by Approved Scanning Vendors (ASVs), and on-site audits by Qualified Security Assessors (QSAs), depending on each credit card company's requirements. The PCI SSC is responsible for certifying ASVs and QSAs.

The five members of the PCI SSC each have very different standards for ensuring compliance with PCI-DSS. American Express, MasterCard and Visa define merchant levels based on the number of transactions a merchant handles annually and require at least a quarterly scan by an ASV, although lower-level merchants may not need to formally report their findings. The definitions of merchant levels differ from company to company. These companies also require annual, on-site audits by QSAs for top-level merchants.

Discover and JCB strongly suggest that merchants be compliant but do not have details about their compliance programs published on their Web sites. SearchITChannel.com was unable to contact JCB, and a spokesperson at Discover declined to provide specifics about that company's policies.


This was first published in December 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: