What is PCI DSS?
The Payment Card Industry Data Security Standard, or PCI DSS, is a worldwide information security standard put in place by the Payment Card Industry Security Standards Council, or PCI SSC. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
The PCI standard was created by the Council in order to help businesses process card payments securely and in a manner that protects customers' card details and minimises payment card fraud. The standard applies to any organisation that stores, processes, or transmits cardholder information from a recognised credit card. In the event of card data losses, businesses that are not PCI DSS compliant could incur Card Scheme fines and may be liable for any losses incurred, plus the additional costs involved with replacing the accounts.
A Brief History
Prior to PCI DSS, payment card security was handled through the major card issuing companies' individual security programs. These programs were: the Visa Card Information Security Program, the MasterCard Site Data Protection, the American Express Data Security Operating Policy, Discover Information and Compliance and the JCB Data Security Program.
Through their security programs, each company was aiming to ensure that businesses had in place a minimum level of security for the handling of sensitive card data in order to protect their customers. In 2004, these five card issuing companies established the PCI SSC and, in doing so, aligned their individual policies to create the Payment Card Industry Data Security Standard.
PCI DSS Requirements Overview
In order to protect cardholder data, PCI DSS imposes regulatory requirements on businesses that dictate the manner in which they store, transmit, and process the data they handle. There are twelve PCI DSS regulatory requirements, which fall into the following six categories:
- To Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- To Protect Cardholder Data
  - Protect stored data (use encryption)
  - Encrypt transmission of cardholder data and sensitive information across public networks
- To Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- To Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- To Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- To Maintain an Information Security Policy
  - Maintain a policy that addresses Information Security
A copy of the latest version of the standard, with detailed requirements, compliance testing guidelines and best practices to assist businesses to prepare for, conduct, and report the results of a PCI DSS assessment, can be downloaded from the PCI Security Standards Council here.
How Weston Digital Technologies Can Help
The Symphony PCI DSS Compliance Pack bundles the Symphony PCI Web Services Interface and the Symphony FollowMe client component into a single, cost effective PCI toolkit. The Symphony PCI Web Services Interface can be integrated with a customer's existing data systems and the Symphony FollowMe client component can be used without the added work involved with integration.
Our PCI products work through recording suppression – a process that automatically “mutes” audio and/or screen activity whilst cardholder data is taken and injects a synthesised audio tone. Through recording suppression, businesses can avoid the capture and storage of sensitive payment card data.
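Recording suppression as described above, shown as an added Python example that is not Symphony's or Weston Digital Technologies' own code: the 16-bit PCM samples of a call are replaced by a synthesised tone inside the suppression windows reported by the card-capture step, overlapping or over-running windows are merged and clipped, and a final check counts any original audio left inside a window. The sample rate, tone frequency, the recording and the suppression events are constructed assumptions.

```python
"""Recording suppression for a call recording: audio captured while cardholder
data is spoken is replaced by a synthesised tone, so it is never stored.
Hypothetical standalone example, not Symphony's own implementation."""
import math

RATE = 8000            # assumed sample rate of the call recording (samples/second)
TONE_HZ = 1000         # assumed frequency of the injected tone
TONE_AMPLITUDE = 8000  # 16-bit PCM peak of the tone (roughly -12 dBFS)


def merge_windows(windows, total_seconds):
    """Normalise (start, end) suppression events in seconds: clip them to the
    recording, drop empty ones, sort, and merge overlaps (e.g. an agent
    re-triggering suppression, or an event still open when the call ends)."""
    clipped = sorted((max(0.0, s), min(total_seconds, e))
                     for s, e in windows if min(total_seconds, e) > max(0.0, s))
    merged = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def tone_sample(i):
    """One 16-bit sample of the synthesised tone at sample index i."""
    return int(TONE_AMPLITUDE * math.sin(2 * math.pi * TONE_HZ * i / RATE))


def suppress(samples, windows):
    """Copy the PCM samples, replacing every sample inside a suppression window
    with the tone; audio outside the windows is left untouched."""
    out = list(samples)
    for s, e in merge_windows(windows, len(samples) / RATE):
        for i in range(int(s * RATE), min(len(samples), int(e * RATE))):
            out[i] = tone_sample(i)
    return out


def samples_not_suppressed(suppressed, windows):
    """Check: number of samples inside a window that are not the tone (should be 0)."""
    return sum(1 for s, e in merge_windows(windows, len(suppressed) / RATE)
               for i in range(int(s * RATE), min(len(suppressed), int(e * RATE)))
               if suppressed[i] != tone_sample(i))


if __name__ == "__main__":
    call = [((i * 7919) % 2001) - 1000 for i in range(3 * RATE)]  # constructed 3 s call
    events = [(0.5, 1.2), (1.0, 1.5), (2.8, 3.4)]  # constructed, overlapping/over-running
    cleaned = suppress(call, events)
    print(merge_windows(events, 3.0), samples_not_suppressed(cleaned, events))
```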
In addition, Symphony's extensive security and User management allows for total control over access to the system and database. Each User has a unique User ID with assignable access to stored recordings. Full auditing is available to track activity across the system.
Weston Digital Technologies recommends that the Symphony PCI DSS Compliance Pack is used as part of a wider PCI DSS compliance strategy. Customers should understand that there is no “one stop” solution to PCI DSS compliance. The PCI DSS security requirements apply to all system components, people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data - collectively known as the cardholder data environment (CDE). The entire cardholder data environment must be reviewed annually by an assessor and deemed to be PCI DSS compliant.