Guide to PCI DSS – Part 1: What is PCI DSS?

Welcome to SandStorm IT’s 6-part series about Payment Card Industry Data Security Standard (PCI DSS). In this series, we’ll cover what PCI DSS is and the various requirements:

• Part 1 – What is PCI DSS? (You are here)
• Part 2- Building and Maintaining a Secure Network
• Part 3 – Protecting Data
• Part 4 – Further Protection on Systems (Coming Soon)
• Part 5 – Access Control (Coming Soon)
• Part 6 – Wrap-up (Coming Soon)

Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to protect credit card transactions and sensitive cardholder data. According to PrivacyRights.org, more than 898 million records were breached from 4,823 breaches between January 2005 and April 2016.

It is the responsibility of every business that handles credit card transactions to use standard procedures and technologies to protect cardholder data.  Vulnerabilities can appear almost anywhere; some areas of concern are:

• Point-Of-Sale Devices
• Mobile Devices
• Personal Computers
• Servers
• Applications
• Paper (Physical)
• Transmission Methods

Compliance with PCI DSS is enforced by the founding members: American Express, Discover, JCB, MasterCard and Visa.

The credit card brands have multiple levels of PCI DSS requirements for their merchants. Typically, smaller businesses will be permitted to fulfill a Self-Assessment Questionnaire (SAQ) while larger businesses may be required to provide a Report on Compliance (ROC). Different SAQs are available for various business environments. Things like card-not-present merchants or merchants using standalone payment terminals come into play when determining what SAQ version is required.  If you are required to submit a ROC, this will have to be done by a Qualified Security Assessor (QSA).

Enforcement of PCI DSS comes in the way of fines from the credit card brands. They come in multiple flavors and sizes from higher per-transaction costs to flat out extra fees, sometimes six figures or more.

Even if you are not bound to PCI DSS requirements by a credit card brand, following PCI DSS standards will help protect your business.  Many of the requirements are just good practice.

This post is part one of a six-part series, summarizing each of the 12 key areas of PCI DSS. The goal of this series is to provide a basic introduction to PCI compliance.

SandStorm is not an approved scanning vendor and can not provide a “Report on Compliance”. However, we can help with remediation and implement procedures, systems, and guidance that will help you be ready. For more information, please contact SandStorm IT at 901-475-0275.