Every organisation aiming to achieve PCI DSS compliance has an area of common concern;...
The Payment Card Industry Data Security Standard (PCI DSS) was discovered in 2004, which was around the time when companies all around the world realised how valuable the internet was as a tool. As the internet era reached its maturity, companies started leveraging it as a means to receive payments from their customers online.
As this feature became commonplace amongst consumer behaviour, an increasing number of people became comfortable making purchases online via their credit cards. Although the ability to make payments online was seen as a convenience it made businesses and customers alike extremely vulnerable to a plethora of risks - malicious actors had more ways to steal credit card information from unaware prey whose networks hadn’t been secured.
The Birth of PCI DSS
As data theft reached an all-time high, the five largest credit card brands; VISA, Mastercard, Discover, American Express and JCB chose to implement the Payment Card Industry Data Security Standard (PCI DSS) to help prevent customer and business security breaches. With the birth of this regulation and the PCI Security Standards Council - the PCI Compliance became an important step towards securing credit card payments all around the world.
The PCI Security Standard Council
To assist in monitoring compliance standards, the payment brands established the PCI Security Standard Council, whose responsibility was to manage the ongoing evolution of the Payment Card Industry Security Standard.
The PCI Compliance soon became a self-regulated mandate meaning that organisations and sellers now are liable for maintaining compliance through all stages of the payment process. The credit card companies made PCI Compliance a self-regulated mandate, which meant organisations and sellers were responsible for maintaining compliance through every stage of the payment process.
So while the council sets the standards and requirements, it became the payment brand’s responsibility to enforce them on sellers and organisations that chose to receive payments via their credit cards.
What is PCI DSS Compliance?
If you are an organisation that accepts, processes, transmits or stores credit card payments from customers, you’re required to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance ensures organisations secure cardholder data from a potential data breach. It is not one-off compliance, but an ongoing process of ensuring an organisation has the necessary structures in place to protect customer data.
What kind of data can be stolen from a credit card?
Cardholder or payment data is at stake if your organisation isn’t compliant with the PCI Data Security Standard, this data includes:
- The Primary Account Number or ‘PAN’ number
- Cardholder's name
- Credit Card service code and expiry date
- Sensitive Authentication Data (Full track data, CAV2/CVC2/CVV2/CID, PINs/PIN block)
How can this data be stolen?
If your organisation is required to store the above sensitive data, it is extremely important to make sure that you take appropriate steps to ensure the data is secured and safe from any malicious activity. To identify how your organisation may be vulnerable to any breach, it is useful to educate yourself on how these attacks may happen. Below are a few examples of how your valuable data can be stolen:
- A card reader that has been compromised by a skimming device
- A camera recording authentication data being entered into a credit card reader
- Organisation’s storing physical or digital records of cardholder data in an insecure manner
- Your wired/wireless store network being compromised
These are just a few of the ways valuable data can be stolen. As malicious actors get smarter, it is important for your organisation to level up its own efforts towards securing its payment life cycle, from accepting credit cards from customers at the point of sale to processing the payment till it reaches your merchant account.
What kind of payment channels does PCI DSS apply to
The PCI Standards applies to all entities that store, process or transmit cardholder data including:
- Card reading devices
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts (e-Commerce websites)