The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
Why Security Matters
The security of cardholder data affects everybody.
A breach or theft of cardholder data affects the entire payment card ecosystem. Customers lose trust in the merchants or financial institutions involved and their credit can be damaged; the personal fallout is enormous. Merchants and financial institutions lose credibility (and, in turn, business) and are also exposed to numerous financial liabilities.
“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.” — Quick Service Restaurant (QSR) Magazine
Many organizations treat compliance as a one-time, annual event, but focusing only on the annual assessment can create a false sense of security.
Forensic investigators have found that security controls at organizations that had passed an assessment were often out of compliance by the time a breach occurred. Only by achieving and then maintaining compliance will your defenses be adequately prepared against attacks aimed at stealing cardholder data.
Validation of compliance with the PCI Data Security Standard is determined by the individual payment brands. All have agreed to incorporate the PCI Data Security Standard into the technical requirements of their own data security compliance programs. The payment brands also recognize the Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) qualified by the PCI Security Standards Council.
The Council does not enforce compliance; this is done by individual payment brands or acquiring banks.
The PCI 3-Step Process
- Assess. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate. Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report. Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Specific questions about compliance validation levels and what you must do to validate should be directed to your acquiring financial institution or payment card brand.
Implementing the PCI Data Security Standard starts with scoping. This involves identifying all system components located within or connected to the cardholder data environment, which comprises the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
Scoping is an annual process and must occur prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all applicable system components are included in scope for the PCI Data Security Standard.
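A concrete piece of the Assess and scoping steps above is finding out where primary account numbers (PANs) actually sit, since every log, database or share that turns out to hold them is in scope. The following is an added example written for this page, not a PCI SSC tool: it scans text for digit runs of card-number length, keeps only those that pass the Luhn check (which filters out order IDs and timestamps that merely look like PANs), and reports each hit with only the first six and last four digits visible, the most PCI DSS permits to be displayed. The log lines in SAMPLE_LOG are constructed, and the function and field names are this example's own.

```python
"""Cardholder-data discovery scan for PCI DSS scoping (illustrative example).

Not PCI SSC code. The sample log below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer numeric blobs are skipped).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: line 1 is a 16-digit order ID that fails Luhn,
# line 3 is a near-miss PAN with a bad check digit, lines 2 and 4 are real-format test PANs.
SAMPLE_LOG = """\
2024-03-02 order=1234567890123456 status=ok
2024-03-02 checkout card=4111 1111 1111 1111 exp=12/27
2024-03-02 refund card=4111-1111-1111-1112 reason=dup
2024-03-03 amex 378282246310005 approved
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; mask the rest (the maximum PCI DSS allows to be shown)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str     # file or system the text came from (assumed label)
    line_no: int    # 1-based line number within that source
    masked: str     # masked PAN; the full PAN is never stored or printed


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN candidate found in text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_sample() -> List[Finding]:
    """Run the scan over the constructed sample log."""
    return scan_text("constructed-app.log", SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        # Any hit means this log, and the system writing it, belongs in the CDE scope.
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked}")
```

Run against real logs, database dumps or file shares, every source that produces a hit (and the systems that write to it) must be brought into the PCI DSS scope or have the data removed, as the Remediate step describes. Note that Luhn filtering reduces false positives but does not eliminate them; hits still need a human to confirm them.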
A Qualified Security Assessor is a data security firm that is qualified by the PCI Council to perform on-site PCI Data Security Standard assessments.
The Assessor will:
- Verify all technical information given by merchant or service provider
- Use independent judgment to confirm the standard has been met
- Provide support and guidance during the compliance process
- Be onsite for the duration of the assessment as required
- Adhere to the PCI Data Security Standard Assessment Procedures
- Validate the scope of the assessment
- Evaluate compensating controls
- Produce the final Report on Compliance
Reports are the official method by which merchants and other entities report their compliance status with the PCI Data Security Standard to their respective acquiring financial institutions or payment card brand.
Quarterly submission of a network scan report (an external vulnerability scan performed by an Approved Scanning Vendor) may also be required. Individual payment card brands may require submission of other documentation; see their web sites for more information.
Depending on payment card brand requirements, merchants and service providers may need to submit a Self-Assessment Questionnaire for self-assessments, or a Report on Compliance for on-site assessments.