PCI DSS – the Payment Card Industry Data Security Standard
PCI DSS stands for Payment Card Industry Data Security Standard. This is a global security standard for credit card data. PCI DSS was developed by the PCI Security Standards Council (PCI SSC), a consortium of credit card companies Mastercard, Visa Inc, American Express, JCB International and Discover Financial Services, to protect online merchants as well as end customers from fraudulent attacks, card misuse and theft when making credit card payments on the Internet.
All founding members of the PCI SSC have committed to integrating the Payment Card Industry Data Security Standard as a technical requirement in their respective data security compliance programs. Thus, the PCI DSS also applies to all service providers and companies that use Visa, Mastercard & Co. credit card processing.
The PCI DSS is mandatory for all institutions that store, transmit or process credit card data. PCI compliance is validated by a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA) or a Self-Assessment Questionnaire (SAQ). The latter applies to companies that process data of this type only in small quantities.
Thus, all online store operators and e-commerce companies that wish to offer credit card payment are also subject to these compliance regulations. Own certification is very cost-intensive and can quickly cost up to a five-digit sum. Since the technical implementation of the criteria is also very complex and certification is rarely worthwhile for an individual store, the most common route is via a payment service provider, which provides PCI DSS-compliant payment plug-ins, among other things.
Consequences of a missing PCI DSS certification
PCI DSS conformity or PCI DSS compliance is a global standard. While it is not required by law, all countries have more or less similar regulation regarding cardholder data. If companies do not comply with this standard, this leads in most cases to hefty fines from the acquirer.
There is also a risk that online merchants will lose their permission to accept payments by credit card. Those who are affected will probably never be able to accept card payments again, as no other acquirer is likely to sign an acceptance agreement. Again, if merchant systems have been breached and PCI certification was not available, the affected merchant will usually receive a mandatory requirement to undergo Level 1 PCI certification. The costs incurred for this can amount to several thousand euros and are due anew every year, because from this point on, the merchant’s own systems must be audited at regular intervals.
What needs to be done to become PCI DSS compliant
So being PCI DSS compliant means taking appropriate measures to protect the data in question from cyber theft and fraudulent use. This point has further implications for businesses: A successful cyber attack can have momentous consequences for them, such as the potential loss of revenue, customers, reputation and trust. Against this backdrop, it is more important than ever to take responsibility for customer data and ensure that it is adequately protected.
Ideally, a payment service provider with PCI DSS certification at the highest level enables effortless connectivity to a PCI-compliant platform with existing forms and checkout pages. As a result, online merchants never come into direct contact with their customers’ credit card data, because both processing and – if required – storage are only carried out by the payment service provider.
PCI-DSS security requirements at a glance
- Encrypted transmission of sensitive data of credit card holders in public networks
- Continuous monitoring and logging of all access to credit cardholder data
- Installing, setting up, and regularly updating a firewall to protect cardholder data
- Development and use of secure systems and applications and their regular maintenance
- Protecting stored cardholder data: No unnecessary storage of transaction and credit card data (card number, CVC2, etc.)
- Not using but changing system passwords and other security parameters provided by suppliers/manufacturers in the factory state
- Protecting all systems from malware by using and regularly updating antivirus software
- Implementing and adhering to policies related to information security.
- Assigning unique user identifiers to all individuals with access to a computer system and cardholder data
- Restricting data access on a “need to know” basis
- Ongoing monitoring and periodic testing of security systems and processes
- Restricting physical access to cardholder data.
- Payment Processing
- Marketplace & Affiliates
- Automated Invoicing
- Membership & Subscriptions
- MOTO & Pay-by-link
- Instant Plugins
- Payment Processing