The emergence of multiple online payment solutions has completely transformed the online payment landscape. This revolution has not only led to the exponential growth of e-commerce but also completely revolutionized the way we conduct financial transactions. Today, businesses across industries have embraced the digital world, capitalizing on the benefits offered by online transactions. Nevertheless, it is known that many security risks exist online. Indeed, the financial system is one of the most targeted areas for cyber attacks. As a result, cybersecurity has become a major concern for the entire FinTech ecosystem, impacting every aspect of the industry.
The PCI DSS is one of the main standards that protect users' credit card data. In this article, we will discuss the PCI DSS, its requirements, how it works and how it can help online payment institutions.
What is PCI DSS ?
PCI DSS stands for Payment Card Industry Data Security Standard. It is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council and it is mandatory for companies that process, store, or transmit cardholder data (CHD) or secure authentication data (SAD) to comply with PCI DSS requirements. The standard was created to better control cardholder data and reduce credit card fraud. The Payment Card Industry Data Security Standard (PCI DSS) defines the minimum technical and operational requirements for data security. The current version of PCI DSS 4.0 was published the March 31, 2022. You can download it here.
Who created PCI DSS?
The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express. But when it comes to the history of the Standard we need to mention some details. Indeed Visa was the first of the major card companies to attempt to establish a set of security standards for businesses that accepted online payments. Visa announced the Cardholder Information Security Program (CISP) in 1999 and implemented it in 2001. Mastercard, American Express, and Discover will then offer their own security programs.
Not surprisingly, a problem soon arose. Merchants who used to accept multiple credit card brands are now faced with multiple security compliance programs. This has only led to an increase in payment fraud. To find a solution, American Express, Discover Financial Services, JCB International, Mastercard, and Visa have come together to form the Payment Card Industry (PCI) which will introduce PCI DSS 1.0 in December 2004.
PCI DSS Requirements
PCI DSS 4.0 is designed to further secure cardholder data by helping businesses adopt security measures and access controls. Each requirement of the standard is linked to an objective. In the following, the requirements are organized as sub-elements of the objective that is being addressed
Goal | Requirement |
---|---|
Build and Maintain a Secure Network and Systems | Requirement 1: Install and Maintain Network Security Controls Requirement 2: Apply Secure Configurations to All System Components |
Protect Account Data | Requirement 3: Protect Stored Account Data Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
Maintain a Vulnerability Management Program | Requirement 5: Protect All Systems and Networks from Malicious Software Requirement 6: Develop and Maintain Secure Systems and Software |
Implement Strong Access Control Measures | Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know Requirement 8: Identify Users and Authenticate Access to System Components Requirement 9: Restrict Physical Access to Cardholder Data |
Regularly Monitor and Test Networks | Requirement 10: Log and Monitor All Access to System Components and Cardholder Data Requirement 11: Test Security of Systems and Networks Regularly |
Maintain an Information Security Policy | Requirement 12: Support Information Security with Organizational Policies and Programs |
With regard to these requirements, the standard associates test procedures with the requirements. Thus, in terms of security, each requirement involves defined approaches which are associated with test procedures. The test procedure is used to verify compliance.
What are the PCI compliance levels?
Although the PCI DSS is a unified standard that takes into account the rules of all the major players in the PCI Security Standards Council (PCI SSC), its criteria can have subtleties that depend on the number of transactions made by the payment solution and the number of users. Thus the PCI SSC has established a list of compliance levels that explains the requirements to all responsible parties.
Level 1: The first level sets requirements for companies that process more than 6 million Visa or Mastercard transactions per year, or more than 2.5 million American Express transactions, or those that have suffered a data breach.
Level 2: This level applies to companies that process between 1 and 6 million transactions per year.
Level 3: This level applies to companies that process between 20,000 and 1 million online transactions per year.
Level 4 : It’s the lowest compliance level for companies that process less than 20,000 transactions per year.
How PCI DSS compliance works
As regards compliance, how does the PCI DSS certification process work? The PCI DSS certification process involves an audit of the company. The first step is an assessment (details vary depending on your level), a quarterly network analysis, and the Attestation of Compliance.
- For first-level companies, the process involves :
The completion of an Annual Report on Compliance(ROC) by a Qualified Security Assessor (QSA). The assessment takes place within the organization for :
- Validate the scope of the assessment;
- Review your documentation and technical information;
- Determine whether the PCI DSS’s requirements are being met;
- Provide support and guidance during the compliance process; and
- Evaluate compensating controls.
Quarterly network analysis is carried out by an approved scanning vendor (ASV). The Attestation of Compliance (AOC) for assessment must be produced.
- For level 2-4 companies, there is a self-assessment questionnaire (SAQ). There are 9 different questionnaires. Each of the 9 self-assessment questionnaires has its own AOC form. Level 2 organisations must also complete an ROC.
Why FinTech Companies Should Prioritize PCI DSS Compliance
As explained in the chapters above, the PCI DSS is aimed at the security of cardholder data. Indeed, it is a standard that allows a company operating in online payment services to comply with rules that will ensure the security of the information it holds.
The PCI DSS standard can really be the foundation for the security of a fintech company's IT infrastructure. Indeed, the requirements of this standard lead companies to implement the necessary methods to ensure a certain level of security against cyber attacks. For example, by following this standard, organizations are required to put in place, among other things :
- securing key physical access areas
- monitoring network access
- conducting regular penetration tests
- limiting access to data
- deploying secure hardware and software
These methods not only guarantee the security of data but also foster a relationship of trust between merchants and their customers.
As a standard established by the Payment Card Industry Security Standards Council ("PCI SSC"), PCI DSS can provide businesses with a significant boost in credibility when it comes to processing credit card data. By implementing the rigorous security measures required by the standard, companies can demonstrate their commitment to protecting their customers' sensitive data. This, in turn, can help build trust and confidence in their services among end-users. Ultimately, by obtaining PCI DSS certification, businesses can differentiate themselves in a crowded marketplace and position themselves for long-term success.
However, it is important to clarify that PCI DSS compliance is a complicated and costly process for businesses.
Top comments (0)