The Payment Card Industry Security Standards Council (PCI SSC) was established by the leading international card
organizations Visa, Mastercard, Amex, Diners, Discover and JCB. PCI SSC developed the PCI DSS rules and documents
to regulate and define card security principles and policies. PCI DSS is intended for all entities that store, process, or
transmit cardholder data and/or sensitive authentication data, or that could impact the security of the cardholder data environment.
This includes all entities involved in payment account processing: merchants, processors, acquirers, issuers, and other
service providers. These rules set the technical and operational requirements for organizations accepting or processing
payment transactions.
Please see the latest version of the requirements and standards here.
All merchants that store, process or transmit cardholder data and/or sensitive authentication data must be PCI DSS compliant.
Some PCI DSS requirements may also apply to entities whose environments do not store, process, or transmit account data,
for example entities that outsource payment operations or the management of their cardholder data environment.
Account data (card data and sensitive authentication data) elements:
| Data elements | Storage restrictions | Required to render stored data unreadable |
|---|---|---|
| Cardholder data | | |
| Primary Account Number (PAN) | Storage is kept to a minimum | Yes: the standard requires that the PAN be rendered unreadable |
| Cardholder Name | Storage is kept to a minimum | No |
| Service Code | Storage is kept to a minimum | No |
| Expiration Date | Storage is kept to a minimum | No |
| Sensitive authentication data | Sensitive authentication data must not be stored after authorization (even if encrypted) | |
| Full Track Data (full track data from the magnetic stripe, equivalent data on the chip, or elsewhere) | Cannot be stored after authorization | Yes: data stored until authorization is complete must be protected with strong cryptography |
| Card verification code (CVV2/CVC2): the three- or four-digit value printed on the front or back of a payment card | Cannot be stored after authorization | Yes: data stored until authorization is complete must be protected with strong cryptography |
| PIN/PIN Block: the Personal Identification Number entered by the cardholder during a transaction, and/or the encrypted PIN block present within the transaction message | Cannot be stored after authorization | Yes: data stored until authorization is complete must be protected with strong cryptography |
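As an added example (not from this page, the card schemes or PCI SSC), the following Python applies the storage rules from the table above to a post-authorization record: sensitive authentication data fields are detected and dropped, cardholder data is kept, and the PAN is replaced by a masked form plus a keyed hash so the stored record no longer contains a readable PAN. The record field names, the sample values and the key are constructed assumptions; in practice the key would be held in an HSM or key management service, not next to the data.

```python
import hmac
import hashlib
import re

# Field names follow the account-data table above; the record layout itself is a
# constructed example, not a format defined by PCI DSS.
CARDHOLDER_DATA = ("pan", "cardholder_name", "service_code", "expiration_date")
SENSITIVE_AUTH_DATA = ("full_track_data", "cvv2", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Sanity-check a digit-only PAN with the Luhn checksum before hashing it."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def find_sad(record: dict) -> list:
    """Return the sensitive-authentication-data fields present in a record.
    Useful before storage and when auditing records or logs already stored."""
    return [f for f in SENSITIVE_AUTH_DATA if record.get(f) not in (None, "")]


def render_pan_unreadable(pan: str, key: bytes) -> dict:
    """Replace a PAN with a masked form and a keyed hash (HMAC-SHA256).
    Masking keeps only the last four digits (this example's policy); the keyed
    hash lets records be matched without the PAN itself being stored."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return {
        "pan_masked": "*" * (len(digits) - 4) + digits[-4:],
        "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest(),
    }


def prepare_for_storage(record: dict, key: bytes) -> tuple:
    """Apply the table's storage rules to a post-authorization record.
    Returns (storable_record, dropped_sad_fields) so the caller can alert on
    any sensitive authentication data that reached this point."""
    dropped = find_sad(record)
    stored = {f: record[f] for f in CARDHOLDER_DATA if f in record and f != "pan"}
    stored.update(render_pan_unreadable(record["pan"], key))
    return stored, dropped
```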
How can you be sure that you are compliant with PCI DSS requirements?
Once a year we inform merchants by e-mail which actions must be taken to comply with PCI DSS. The requirements are
presented in the table below.
Merchants are categorized into 4 levels based on the annual number of card payment transactions with one card brand (i.e.
MC, VISA, Amex etc.). Level 1 to Level 3 merchants are required to report their compliance status, and Level 4 merchants are
required to submit the completed SAQ directly to their bank.
Keep in mind that you will need to perform:
- A security audit, carried out by a certified auditor acting as a Qualified Security Assessor (QSA) from one of the legal entities listed on the official PCI DSS website.
- Network scanning, carried out by a qualified scanning vendor acting as an Approved Scanning Vendor (ASV) or by a Qualified Security Assessor (QSA). An ASV can conduct scans for in-store and online merchants but is not entitled to perform the annual audit.
- An internal audit, during which the questions in the SAQ (Self-Assessment Questionnaire) have to be answered. The content of the questionnaire depends on the technical solution.
PCI DSS requirements and goals
The 12 requirements and goals in the table below will help you to understand what important actions must be performed to be compliant with PCI DSS rules.
| Goals | PCI DSS requirements |
|---|---|
| Build and maintain a secure network and systems | 1. Install and maintain network security controls. |
| | 2. Apply secure configurations to all system components. |
| Protect cardholder data | 3. Protect stored account data. |
| | 4. Protect cardholder data with strong cryptography during transmission over open, public networks. |
| Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software. |
| | 6. Develop and maintain secure systems and software. |
| Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need-to-know. |
| | 8. Identify users and authenticate access to system components. |
| | 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data. |
| | 11. Test security of systems and networks regularly. |
| Maintain an information security policy | 12. Support information security with organizational policies and programs. |
For more information please visit https://www.pcisecuritystandards.org/