PCI-DSS Objectives and Requirements

Posted: March 15, 2021, 10:43 AM ET


What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards for credit, debit, and stored-value card transactions aimed at protecting cardholders against the theft and fraudulent use of their personal information. More than that, it’s a way to build long-lasting and trusting relationships between merchants and consumers.

The PCI DSS was jointly created in 2004 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa, and is governed by the Payment Card Industry Security Standards Council (PCI SSC). Although the PCI SSC does not have the legal authority to compel compliance with the standards it sets out, merchants processing debit and credit card transactions must abide by them.

Objectives of the PCI DSS

The security standards set out by the PCI DSS have six major objectives in their efforts to protect cardholders against fraud:

  1. Maintain a secure network: Use firewalls that are effective without unnecessarily inconveniencing cardholders or vendors. Wireless LANs are particularly vulnerable to eavesdropping, so specialized firewalls have been developed to protect them against attacks. Hackers should also be thwarted from “guessing” authentication data such as personal identification numbers (PINs) or passwords by requiring that these be changed regularly and, above all, never left at vendor-supplied defaults.

  2. Protect cardholder data: As a convenience to consumers, many vendors store their customers’ personal information, for example in customer accounts, so that it can be reused without being re-entered each time. In addition to payment card details, this can include contact information like phone numbers and mailing addresses, or authentication data like date of birth or mother’s maiden name. Government portals may also be responsible for protecting users’ Social Insurance Numbers (SINs) in addition to payment details. Beyond fraudulent purchases, much of this data can be used to perpetrate identity theft or otherwise impersonate the cardholder.

  3. Thwart malware: Data storage and transmission systems must not only prevent hackers from stealing cardholder data, but protect against other forms of theft. All of the applications used in the system must be free of bugs or other vulnerabilities that could be exploited, and should have current and robust anti-virus software and anti-spyware programs. Testing for these vulnerabilities is a regular part of the PCI certification process.

  4. Restrict access: Information should only be shared on a need-to-know basis, with the minimum amount of information needed to correctly and securely process a transaction. Phishing scams, in which someone impersonates a merchant or a large organization such as a bank to request sensitive information, attempt to circumvent these access restrictions; public awareness campaigns that tell consumers they will never be asked for certain information via email, for example, can be very effective in reducing the incidence of data theft. Once cardholder data is stored, it must be protected both physically and electronically; this can mean avoiding duplicate copies of files and properly disposing of unneeded hard copies (e.g., shredding documents and locking dumpsters), issuing unique login credentials to employees who access sensitive information, and myriad other security measures.

  5. Monitor constantly: As systems become more robust, so do efforts to penetrate them. Those responsible for protecting cardholder data must be constantly vigilant in testing their systems and monitoring their effectiveness – it’s not enough to set it up once and forget about it. All data exchanged, all applications, all random access memory, and all storage is subject to this requirement.

  6. Define formal policies: With formally defined and continuously maintained policies in place, vendors and merchants subject to PCI DSS guidelines can enforce security measures through audits and penalties for non-compliance as needed.

PCI DSS Certification Requirements

The six objectives of the PCI DSS are directly supported by 12 specific requirements to become and remain PCI-compliant:

Secure network

  1. Firewall: configured, installed, and maintained at every stage

  2. Passwords: must be original, not vendor-supplied

Secure cardholder data

  1. Data: must be protected at all levels

  2. Transmission: must be encrypted across public networks

Vulnerability management

  1. Anti-virus software: installed and regularly updated

  2. Secure systems and applications: developed and maintained

Access control

  1. General access: information shared on a need-to-know basis

  2. Electronic access: each user must have unique credentials

  3. Physical access: avoid duplication; enforce proper destruction protocols

Network monitoring and testing

  1. Monitoring: access to cardholder data must be tracked

  2. Testing: systems and processes must be regularly evaluated

Information security

  1. Policy: define and enforce internal data security protocols

ABOUT THE AUTHOR


Joe Ritacca
Vice President, IT and Research & Development

As Vice President of Precise ParkLink’s Research and Development department and as the head of Precise ParkLink’s Project Management Office, Joe leads a team of systems engineers and software developers, guiding the development of creative solutions. The innovations and integrations he and his team develop let Precise ParkLink offer something truly unique in the Canadian marketplace — a fully turnkey parking technology and management solution. Having studied business administration and computer science at Ryerson University, and with over 25 years of parking industry experience, Joe is ideally suited to his role building teams that can conceptualize solutions and drive change on clients’ behalf.
