The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.
The PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.
The PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, the organisation has a responsibility to ensure that this third party is compliant with the PCI DSS.
The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation applied and enforced – by means of fines, increased transaction fees or other restrictions – by the payment brands, typically through the acquiring banks with which merchants and service providers hold their contracts.
The currently applicable version of the PCI DSS, since April 2016, is version 3.2; subject to licence, it can be freely downloaded [1]. It is published and controlled by the independent PCI SSC on behalf of its five founding members.
In June 2015, the PCI SSC introduced the concept of ‘designated entities’ – high-risk entities – that can be prescribed a set of supplemental validation requirements to demonstrate ongoing security efforts to protect payments.
The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISAs), PCI Forensic Investigators (PFIs), PCI Professionals (PCIPs), Qualified Integrators and Resellers (QIRs), and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications.
The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These 12 requirements are described later in this pocket guide.
Key definitions [2] and acronyms in the PCI DSS
Acquirer – The bank (or other financial institution) that contracts with merchants to accept payment card transactions – i.e. the bank that holds your merchant account and through which your card payments are settled.
Payment brand – Visa, MasterCard, Amex, Discover, JCB.
Merchant – Any entity that accepts payment cards in return for goods or services.
Service provider – A business entity, directly or indirectly involved in the processing, storage, transmission or switching of cardholder data, that is not itself a payment brand. This includes companies that provide services to merchants, to other service providers or to payment brand members (issuing and acquiring banks) which control, or could impact, the security of cardholder data.
PAN – Primary Account Number (the up-to-19-digit payment card number).
Service providers include:
TPPs – Third Party Processors – who process payment card transactions (including payment gateways).
DSEs – Data Storage Entities – who store or transmit payment card data.
QSA – Qualified Security Assessor – someone who is trained and certified to carry out PCI DSS compliance assessments.
ISA – Internal Security Assessor – an employee trained and certified by the PCI SSC to assess their own organisation's PCI DSS compliance.
ASV – Approved Scanning Vendor – an organisation that is approved as competent to carry out the security scans required by the PCI DSS.
PFI – PCI Forensic Investigator – an individual trained and certified to investigate and contain information security breaches involving cardholder data.
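The PAN is the data element every other definition above revolves around, and the first practical question an assessor asks is "where does it turn up in your systems?". As an added illustration (not from this pocket guide, nor code published by the PCI SSC), the following Python scans text such as application logs for PAN candidates of 13 to 19 digits, drops false positives with the Luhn mod-10 checksum that payment card numbers carry, and masks anything that survives to the first six and last four digits, which is the maximum PCI DSS v3.2 Requirement 3.3 allows to be displayed. The sample log lines are constructed, and the card numbers in them are the well-known public test PANs, not real accounts; the pattern is deliberately simple (no issuer-range or context checks), which is labelled as such in the code.

```python
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. Deliberately simple (assumption for this
# example); production DLP rules add issuer (IIN) ranges and surrounding context.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; the card numbers are the widely published test PANs.
SAMPLE_LOG = (
    "2016-04-28 12:01:07 order=1234567890123 card=4111 1111 1111 1111 status=approved\n"
    "2016-04-28 12:01:09 card=5555-5555-5555-4444 amount=19.99\n"
    "2016-04-28 12:01:11 card=378282246310005 amount=250.00\n"
    "2016-04-28 12:01:12 card=4111 1111 1111 1112 status=declined\n"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod-10) check used by payment cards."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six / last four, the most PCI DSS v3.2 Req. 3.3 allows on display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (matched_text, masked_pan) for every Luhn-valid PAN candidate in text."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # order numbers and timestamps rarely pass Luhn
            hits.append((m.group(0), mask_pan(digits)))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave the rest untouched."""

    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for raw, masked in find_pans(SAMPLE_LOG):
        print(f"PAN found: {raw!r} -> {masked}")
    print(redact(SAMPLE_LOG))
```

Run over the sample, the three genuine test PANs are reported and masked, the 13-digit order number and the declined number with a bad check digit are left alone. A hit in a log file is itself a finding: a system that writes full PANs to logs is storing cardholder data and pulls that log store into scope.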
_____________
[1] www.pcisecuritystandards.org/document_library
[2] There is a formal English glossary available at www.pcisecuritystandards.org/documents/PCI_Glossary_v3-1.pdf.