Blog   |   Compliance   |   June 13, 2019

How the Payment Card Industry Data Security Standard (PCI DSS) Works

Establishing the Financial Security Standard Known as PCI DSS

Businesses are moving from data centers to the public cloud. Their customers are using mobile devices more often than dedicated computers. Thanks to Near Field Communication (NFC) and Apple Pay, tap-to-pay mechanisms are now commonplace. The name “Payment Card” is a misnomer, as so many payments now occur without the use of a physical card. The Internet of Things (IoT) is not a science-fiction fantasy but rather a critical part of modern commerce. Now, more than ever, consumers need confidence in their payment systems, which are increasingly cloud-based.
Despite the highly competitive nature of the credit card industry, its major players—American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.—banded together in 2004 to create a single, unified compliance standard for their industry. This council established the Payment Card Industry Data Security Standard, better known as PCI DSS.
Why would these competitors support each other? If any of the credit card vendors experiences a breach, it damages the public trust in all financial providers. In particular, 2004 was a time of great unease and uncertainty about online banking and e-commerce. The credit card companies needed to work together and assure the public that their financial data and personal data would be safe.

What is PCI DSS?

PCI DSS, or Payment Card Industry Data Security Standard, is a regulation that ensures transactions are conducted over secure networks, using responsible password policies and authentication methods. The standard is not federally mandated in the United States but rather is enforced by the aforementioned Council.
According to its About Us page, the PCI Security Standards Council “agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council… The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.”

Personal Data Security Best Practices

According to the PCI Security Standards Council:

  • Personal information needs to be protected, particularly via encryption.
  • Computer operating systems should be patched regularly.
  • There should be safeguards against malware and spyware, and networks must be monitored and scanned.
  • Only the appropriate personnel should have access to cardholder data.
  • In addition to computer regulations, the handling of paper records is regulated as well. All of these standards should be documented in a clear security policy, and there should be audits and penalties for non-compliance.

Today, there are many more organizations outside of direct credit card providers that have to worry about PCI DSS. Any business that touches personal financial information needs to pay attention to these financial regulations.

Next Steps

Moving to the cloud doesn’t mean starting from scratch when it comes to compliance. There are tools that can measure all relevant best practices for PCI DSS and other such standards and “score” an organization on its compliance level. In some cases, such as with CloudCheckr, they can score an organization’s compliance and keep those records for as long as seven years to help with audits. More importantly, CloudCheckr can actually fix many security and compliance misconfigurations automatically.

CloudCheckr can help you become PCI DSS compliant and help you stay there. Schedule a demo to learn more about our Total Compliance capabilities.