Payment Card Industry Data Security Standard

from Wikipedia, the free encyclopedia

The Payment Card Industry Data Security Standard, usually abbreviated PCI or PCI-DSS, is a set of rules for payment transactions that governs the processing of credit card transactions and is supported by all major credit card organizations.

Background

Merchants and service providers who store, transmit or process credit card transactions must meet the regulations. If they do not comply, penalties or restrictions can be imposed, or ultimately they can be prohibited from accepting credit cards.

The regulations consist of a list of twelve requirements for the company's computer networks:

  1. Installation and maintenance of a firewall to protect the data
  2. Changing factory-default passwords and other security settings
  3. Protection of the stored data of credit card holders
  4. Encrypted transmission of sensitive data from credit card holders in public computer networks
  5. Use and regular update of virus protection programs
  6. Development and maintenance of secure systems and applications
  7. Restricting data access to what is necessary
  8. Allocation of a unique user ID for each person with computer access
  9. Restricting physical access to credit card holder data
  10. Logging and checking of all access to data from credit card holders
  11. Regular reviews of all security systems and processes
  12. Introducing and complying with information security guidelines

PCI is based on the Visa Account Information Security Program (AIS, and its sister program CISP), the Mastercard Site Data Protection Program (SDP), the American Express Data Security Operating Policy (DSOP), the Discover Information Security and Compliance (DISC) program and the JCB security rules.

Compliance with the rules is usually checked depending on the company's transaction volume:

  • Merchants or service providers who process more than 6 million credit card transactions per year, who have already been the victim of an attack, who have been classified as "Level 1" by another card company, or where card data has been compromised, must have their computer network checked quarterly by means of an external security scan by an Approved Scanning Vendor (ASV) approved by Mastercard, and must have an on-site inspection (audit) carried out once a year by an independent company approved by Visa (QSA) or by a specially appointed security officer.
  • Merchants who process between 20,000 and 6 million credit card transactions per year must likewise have their computer network checked quarterly using an external security scan by an Approved Scanning Vendor (ASV) approved by Mastercard, and must complete a PCI Self-Assessment Questionnaire (SAQ) once a year.
  • E-commerce merchants who process fewer than 1 million credit card transactions per year (levels 3 and 4) have, since October 1, 2009, had to either commission a PCI DSS-certified service provider to process all of their credit card transactions, or prove their own PCI DSS certification to their acquirer by completing the PCI Self-Assessment Questionnaire (SAQ) and, if necessary, having a quarterly security scan performed by an Approved Scanning Vendor (ASV) approved by the PCI Security Standards Council. (Visa Member Letter VE 33/08 dated September 24, 2008)

Version

The current version of the PCI-DSS is 3.2.1, from May 2018.
