By Joe Gargiulo
April 27, 2017

A Summary of Data Security Standards (PCI DSS 3.2)

The Payment Card Industry Security Standards Council was formed in 2006 by Visa, MasterCard, American Express, Discover and JCB to align the separate data security programs each brand had been running; the first version of the standard itself, PCI DSS 1.0, dates from December 2004. The council maintains the Payment Card Industry Data Security Standard (PCI DSS) to promote “cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

The five payment brands and other large members help govern the council and share responsibility for fulfilling the mission of the organization. “Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.”

According to the council’s site, PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

PCI DSS 3.2

The council has revised PCI DSS several times; version 3.2 has been current since its release in April 2016. The latest revision addresses both long-standing risks and newly observed attack techniques while clarifying how the controls are to be implemented and maintained. The changes resulted from feedback provided by the council’s 700-plus Participating Organizations, combined with lessons from reported data breaches and changes in how payments are accepted. Annual dues for Participating Organizations are $3,750.

Assessment and Certification of Data Security

Organizations wishing to validate compliance with PCI DSS 3.2 must first meet the requirements, then undergo testing and an on-site assessment by a Qualified Security Assessor (QSA). (Smaller merchants may instead be permitted to complete a Self-Assessment Questionnaire, but service providers and large merchants are assessed by a QSA.)

The main requirements are as follows:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel
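
Requirement 3 is the one most directly expressed in code: PCI DSS 3.2 sub-requirement 3.3 limits a displayed PAN to the first six and last four digits, and 3.4 says a stored PAN must be rendered unreadable (truncation, or a one-way hash of the entire PAN, with a secret input recommended so the hash cannot be reversed from a precomputed table). The following is an added example, not code from the original article or from Optio Solutions; the function names, the hypothetical `LOOKUP_KEY`, and the sample PAN (the well-known Visa test number) are assumptions made for illustration.

```python
"""Handle a primary account number (PAN) as PCI DSS 3.2 Requirements 3.3
and 3.4 ask: mask it for display, and never persist it in clear text.
Added example; not from the original article or from Optio Solutions."""

import hashlib
import hmac
import re

# Constructed sample: the public Visa test number, not a live card.
SAMPLE_PAN = "4111 1111 1111 1111"

# Hypothetical per-deployment secret for the keyed hash.  In production it
# would live in an HSM or key-management service (Req. 3.5/3.6), never in code.
LOOKUP_KEY = b"example-key-material-replace-me"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: catches mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3 display form: at most first six and last four digits shown.
    The same string is the truncated form Req. 3.4 permits for storage."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_lookup_token(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Req. 3.4 one-way hash of the *entire* PAN.  Using HMAC with a secret
    key is the 'additional random input' the standard recommends: without
    the key, the six hidden digits cannot be brute-forced from the hash."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def store_record(pan: str) -> dict:
    """The only fields allowed to reach the database: no full PAN anywhere."""
    digits = normalize_pan(pan)
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return {
        "truncated": mask_pan(digits),       # for display / receipts
        "lookup": pan_lookup_token(digits),  # for matching repeat cards
    }


if __name__ == "__main__":
    rec = store_record(SAMPLE_PAN)
    assert "4111111111111111" not in str(rec)
    print(rec)
```

One caveat the standard itself raises: holding a truncated PAN and an unkeyed hash of the same PAN side by side is enough to recover the card number, since only about a million candidates (fewer after the Luhn filter) remain to be hashed. Keying the hash as above, and keeping the key out of the database, is the compensating control that makes storing both fields together acceptable.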

Each of the above principal requirements is further subdivided into numerous sub-requirements, each with testing procedures the assessor must carry out. For example, requirement one contains 37 subsections, among them §1.3.7.b, whose testing procedure reads: “Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.” Further requirements and testing procedures are defined in Appendices A, B, C and D.

Results

The assessment results are documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC). Part 3 (“PCI DSS Validation”) of the Service Provider AOC contains the language confirming a successful assessment:

“Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated full compliance with the PCI DSS.”

KirkpatrickPrice, a licensed CPA and PCI QSA firm, completed its assessment of Optio Solutions in late 2016 and confirmed “full compliance” with PCI DSS 3.2 as defined by the PCI Security Standards Council.

Contact us today to learn more about data security and certifications at Optio Solutions.
