What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for any organization that stores, processes or transmits payment card data. Its goal is to reduce payment card fraud and breaches of cardholder data.
The standard began as five separate security programs run by the global payment brands: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. Each program had a similar goal: to add a level of protection for card issuers by ensuring that companies meet minimum security requirements when storing, processing and transmitting cardholder data (CHD). The first unified standard approved by all five major payment card brands, PCI DSS 1.0, debuted in December 2004.
In September 2006, the five brands established the Payment Card Industry Security Standards Council (PCI SSC) to manage, maintain and update the standard. Over the years, the standard has been updated six times to provide more clarity and consistency in the requirements, to account for advances in technology, and to address newly identified threats to cardholder data.
Defining PCI DSS 3.1
PCI DSS 3.1 was released in April 2015. The framework outlines 12 requirements grouped into 6 control objectives. Together, these requirements give industry entities a plan for building and maintaining a payment card data security program. PCI DSS applies to every entity that stores, processes or transmits CHD, regardless of size: merchants, service providers, software vendors and any other organization involved in the payment process.
Changes from 3.1 to 3.2
PCI DSS 3.1 was retired on October 31, 2016, after which assessments had to be performed against version 3.2. Among the changes in 3.2, the Designated Entities Supplemental Validation (DESV) criteria were incorporated into the standard, and several existing requirements were expanded (3, 10, 11 and 12), mainly with additional obligations for service providers. For instance, under 12.4.1, executive management of a service provider must establish responsibility for the protection of cardholder data and for a PCI DSS compliance program.
How to Achieve PCI Compliance
To achieve PCI compliance, an entity must meet all 12 requirements, and does so through a continuous three-step process: assess the cardholder data environment, its technology and its processes; remediate the vulnerabilities and gaps the assessment uncovers; and report the results to the appropriate acquiring banks and payment card brands. Compliance also protects an entity's business relationships. For example, PCI compliant hosting helps software providers establish and maintain trust with their business partners, which in turn helps PCI compliant merchants keep the trust of their own customers.