PCI CONCEPTS
Since 2005, more than 11 billion customer records have been exposed due to more than 8,500 data breaches.
To improve the security of consumer data and trust in the payments ecosystem, a baseline regulation for data security was created. In 2006, Visa, Mastercard, American Express, Discover and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) to administer and manage the security standards for companies that handle credit card data.
Before the creation of the council, these five credit card companies each had their own security standards programs, although they all shared fairly similar requirements and objectives. In order to adopt unified standards, they joined together in the PCI SSC and established the PCI Data Security Standard (known as the “PCI regulation”) to ensure minimum protection for consumers and banks in the Internet age.
PCI DSS is the international security standard for all entities that store, process or transmit cardholder data or sensitive authentication data. PCI DSS establishes a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payments ecosystem. It applies to any company or organization that accepts or processes payment card data.
PCI DSS compliance revolves around three main components:
Manage the receipt of consumer credit card data, that is, collect and transmit private card data securely
Store data securely as described in the 12 PCI security domains (for example, using encryption, continuously monitoring data, and verifying the security of access to card data)
Annually validate the operation of necessary security controls, which may involve forms, questionnaires, external vulnerability scanning services, and third-party audits
Regardless of how card data is accepted, every business must complete a PCI compliance validation form annually. The process for validating compliance with the PCI regulation depends on several factors (described below). Here are three cases in which a company might be asked to demonstrate PCI compliance:
Payment processors may request this as part of their notification processes to card brands (it is a requirement for payment processors).
Business partners can request it as a prerequisite to signing a business agreement.
If the business can be considered a platform (that is, if its technology facilitates transactions between users), its users can request it to demonstrate to their customers that they manage data securely.
The latest version of the standard, PCI DSS version 3.2.1, includes 12 core requirements with more than 300 sub-requirements that reflect security best practices.