The Payment Card Industry Security Standards Council was established in 2004 as an alignment of individual data security programs operated by Visa, MasterCard, American Express, Discover and JCB. The council developed the Payment Card Industry Data Security Standard (PCI DSS) to promote “cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

The five payment brands and other large members help govern the council and share responsibility for fulfilling the mission of the organization. “Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.”

According to the council’s site, PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

PCI DSS 3.2

The council updated PCI DSS over the years and has been using version 3.2 since April 2016. The latest standards address old risks and new exploitations while providing enhanced clarity for implementing and maintaining security. These standards resulted from feedback provided by the council’s 700-plus Participating Organizations in conjunction with reports of data breaches and changes in payment acceptance. Annual dues for Participating Organizations are $3,750.

Assessment and Certification of Data Security

Companies wishing to be certified with PCI DSS 3.2 must first fulfill PCI requirements, then agree to testing and auditing by a Qualified Security Assessor (QSA).

The main requirements are as follows:

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel

Each of the above principal requirements is further subdivided into numerous subsections receiving extensive testing by the auditor. For example, requirement one contains a total of 37 subsections ending with §1.3.7.b and its testing procedure: “Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.” Further requirements and auditing are defined in Appendixes A, B, C and D.

Results

The audit results are filed in a Report on Compliance (ROC) and Attestation of Compliance (AOC). Part 3. PCI DSS Validation of the Service Provider AOC contains language confirming a successful audit:

“Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated full compliance with the PCI DSS.”

KirkpatrickPrice, a licensed CPA and PCI QSA firm, completed its audit of Optio Solutions in late 2016 and confirmed “full compliance” of PCI DSS 3.2 pursuant the PCI Security Standards Council.

About the author

Joe Gargiulo

Marketing and Communications Mgr. Joe Gargiulo has 25-plus years in copy writing, marketing and public relations. As a writer, he enjoys connecting story leads to all aspects of the human experience.