Federal and state laws, as well as industry regulations, are major drivers in the security industry, and probably none is more far-reaching or controversial than the Payment Card Industry Data Security Standard (PCI DSS). Here, Fortinet provides an overview of PCI DSS and what you need to know about it.
It's not a law. Unlike data security laws, which are created by legislators, PCI DSS is a global industry standard crafted by the PCI Security Standards Council, an open, global forum founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa. It is enforced contractually, through the card brands' agreements with acquiring banks and merchants, rather than by statute. Its purpose is to give merchants a single approach for safeguarding payment card (credit/debit card) data.
Why it matters. What makes PCI DSS so important is that it applies to every merchant that accepts credit/debit cards for payment. Validation requirements vary with the size and scope of the merchant. For example, Level 1 merchants (there are four levels) are those that process more than 6 million card transactions per year. They face the most demanding validation, including an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Smaller merchants, depending on their transaction volume, may only have to complete a once-per-year Self-Assessment Questionnaire, typically still accompanied by quarterly ASV scans. Enforcement is done by the card brands and the merchant's acquiring bank, not by the PCI Council or any law enforcement agency. Penalties range from fines to potentially losing the ability to process card transactions.
What it does. The main goal of PCI DSS is to protect cardholder data. In its simplest structure, PCI DSS consists of just 12 requirements grouped under 6 control objectives. These requirements are:
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt cardholder data while it is transmitted across public networks.
- Use antivirus that is regularly updated.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Assign unique IDs to each person with computer access.
- Restrict physical access to cardholder data.
- Monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy.
Although these 12 requirements sound simple, each expands into a myriad of definitions and sub-requirements that merchants must follow to adhere to the standard.
Compliance vs. security. Often after a large data loss, such as the recent Target breach, critics attack PCI DSS as a failure. What's important to understand is that a compliance validation is only a snapshot in time: a merchant can be assessed as PCI DSS compliant and still develop security holes during the course of the year. Over time, the standard continues to be refined and improved to address today's ever-changing threat landscape as well as changes in merchant networks and cardholder data environments.
PCI DSS is not a panacea. It does, however, provide a solid baseline that many businesses, not just merchants, should examine as a methodology for reducing risk and avoiding data loss.