The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards and provide related payment services. Compliance with the standard is mandated by the card brands, and the standard itself is administered by the Payment Card Industry Security Standards Council. It was created to increase control over cardholder data, strengthen security, and reduce credit card fraud.
PCI compliance is validated annually, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA). The assessor produces a Report on Compliance for organizations that handle large volumes of transactions; companies that handle fewer transactions validate instead through a Self-Assessment Questionnaire (SAQ).
A brief history of PCI DSS:
Before PCI DSS existed, the card companies ran five separate programs:
- Visa’s Cardholder Information Security Program
- MasterCard’s Site Data Protection
- American Express’s Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
The vision behind each of the five programs was broadly the same: to create a level of protection for card issuers by ensuring that merchants and clients meet minimum security requirements when they enter, store, process, and transmit cardholder data. To resolve the interoperability problems between these separate programs, the principal credit card companies combined their efforts, which led to the release of version 1.0 of PCI DSS in December 2004. The information security standard known as PCI DSS has since been implemented and integrated across the globe.
The Payment Card Industry Security Standards Council (PCI SSC) was formed by a group of card companies. American Express, MasterCard, Visa, JCB International and others laid its foundation in September 2006. It was set up as a governing entity that oversees the development of this information security standard. An independent or private organization that wants to participate in PCI can do so, but it first has to complete the proper registration. Each such organization has to join a Special Interest Group (SIG) and follow the protocol laid out by that SIG.
Since 2006 there have been many versions of PCI DSS; new technology and innovation lead to revised versions of the standard.
Versions of PCI DSS since its beginning:
- 1.0 – released on 15 December 2004
- 1.1 – released in September 2006
- 1.2 – released on 1 October 2008. Clarity was enhanced and flexibility was improved.
- 1.2.1 – released in August 2009. Minor corrections were made to improve clarity.
- 2.0 – released in October 2010
- 3.0 – released in November 2013
- 3.1 – released in April 2015
- 3.2 – released in April 2016
- 3.2.1 – released in May 2018
Requirements of the standard:
The PCI Data Security Standard is organized into six control objectives.
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks