PCI-DSS : Payment Card Industry Data Security Standard

PCI-DSS : Payment Card Industry Data Security Standard:

What is PCI-DSS ?

PCI-DSS Stands for Payment Card Industry Data Security Standard, PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customer's credit or debit card data.


There had been different data security programs run by Visa, Master Card, American Express, Discover, JCB. The intentions of each were roughly similar to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To cater out the interoperability problems among the existing standards, the combined effort made by the principal credit card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has been implemented and followed across the globe.

MasterCard, American Express, Visa, JCB International & Discover Financial Services aligned their individual policies to create PCI-DSS and established the PCI-SSC in September 2006 as an administration/governing entity which mandates the evolution and development of PCI DSS. First Version of PCI-DSS was released on December 15,2004, Latest version is 3.2.1 released in May 2018.

Who needs to be PCI-DSS Compliant ?

The PCI DSS applies to any merchant or service provider that handles, processes, stores or transmits Credit Card or Debit Card data.

a. Merchant :

For merchants, the PCI Security Standards Council has provided on-your-honor compliance validation tools in the form of Self Assessment Questionnaires (SAQ's). There are four SAQ's: A, B, C and D. The SAQ's were designed to accommodate both different business types, i.e. restaurant/ecommerce, and different business processing methods, i.e. merchant does/does not handle, process or store Credit Card and Debit Card data. Larger merchants who are processing millions of transactions per year are required to have an onsite audit conducted by a Qualified Security Assessor (QSA).

Here are two examples of how a merchant would choose a particular SAQ:

If an ecommerce merchant accepts Credit/Debit card payment via their website and then stores the Credit/ Debit card information for future purchases, they would be required to fill out the SAQ D, or the long form as it's known, because they are handling, processing and storing Credit/Debit card data. SAQ D includes the full ~250 controls in the PCI DSS Standard and requires the greatest amount of time, energy and money.

Conversely, if an ecommerce merchant only accepts Credit/ Debit card payment via their website and does not handle, process and store Credit/Debit card data by using an API or a hosted page, the merchant can qualify for the SAQ A, the shortest of the four. It includes roughly 20 controls and can be completed very quickly. In addition to this SAQ, sometimes processors and QSA's / processors or QSA's will also require that the merchant sign up for a scanning service of outward facing IP addresses - even though there is no Credit/Debit Card data present to be stolen.

It is important to note in this second example that if this merchant accepts Credit/Debit Card payments over the phone, in addition to the website, they will no longer qualify for short form SAQ A because they are now processing, transmitting and potentially storing Credit/ Debit Card data in their environment. They will instead be required to fill out the SAQ C.

b. Service Providers :

Like merchants, any business that processes, handles or stores Credit/Debit Card data on behalf of a merchant is required to be PCI DSS Compliant. Visa maintains a list of Global PCI DSS Validated Service Providers on their website. Merchants are required to make sure their provider has been validated as PCI DSS Compliant. Achieving the Level 1 compliance requires an onsite audit by a Qualified Security Assessor.

Goals and Requirements of PCI-DSS that needs to be meet by Merchants and Service Providers:

GoalsPCI-DSS Requirements
Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software or program

Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Regular Monitor and Test Networks

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain an Information Security PolicyMaintain a policy that addresses information security for all personnel

Benefits of PCI-DSS :

  • Reduces the Risk of a Data Breach
  • Helps to Avoid Fines
  • Protects Customers
  • Improves Brand Reputation
  • Imparts a Mindset of Security
  • Serves as a Globally Accepted Standard

We TUV India Pvt Ltd (TUV NORD GROUP) provide complete support on PCI-DSS assessment through our Highly Qualified, Competent and Industry experienced QSA (Qualified Security Assessor, designation conferred by the PCI Security Standards Council)


About The Author

Parag SapkarExecutive - Business Development
TUV India Pvt Ltd