Payment Card Industry Standards

Americans have over 375 million open credit card accounts.52 Credit cards essentially allow you to borrow money to buy things. You borrow the money from the bank that issues the credit card in exchange for a promise to pay the loan back within a certain period. If you fail to pay the loan by the due date, you are charged interest on the loan. Your credit card number is sensitive consumer financial information. If your credit card information is stolen, unauthorized users could impersonate you and make large purchases in your name. Credit card companies work hard to ensure that your credit card information is kept secure during transactions. They accomplish this work through the Payment Card Industry Security Standards Council (PCI Council).

The PCI Council is made up of representatives of the major credit card companies.53 The major credit card companies, also called credit card brands, are:

  • MasterCard
  • Visa
  • American Express
  • JCB International
  • Discover

The PCI Council is not a government agency; rather, it is a private industry organization. The PCI Council, formed in 2006, creates safeguards designed to protect credit card data. Any merchant or service provider who accepts credit cards must follow the safeguards. This list of security measures is called the Payment Card Industry (PCI) Data Security Standard (DSS). The most recent version of the DSS, version 3.2.1, was released in May 2018.54 A new version of PCI DSS is expected to be released in late 2020. This chapter addresses version 3.2.1 of the standard.

Purpose

Before the PCI Council was formed, each credit card company made up its own security requirements that applied to the credit cards that it issued. Merchants who accepted credit cards for payment had to follow these standards. Most merchants wanted to accept more than one type of credit card, and it was hard for them to follow so many different standards. The first DSS combined the standards of the founding credit card companies into one standard.

NOTE

Cardholder data is the data available from a credit card. It includes cardholder name, expiration date, account number, and verification numbers. The data is printed on the card and can be contained in the magnetic stripe on the back of the card.

The DSS offers a single approach to safeguarding sensitive cardholder data for all credit card issuers. It identifies 12 basic categories of security requirements that must be followed to protect credit card data.

Scope

All merchants who accept credit cards must comply with the PCI DSS. PCI has different compliance requirements for different merchants that are based upon the size of the merchant’s credit card operations. There are four basic merchant levels:

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20,000 and 1 million transactions annually
  • Level 4 – Less than 20,000 transactions annually

These basic levels are subject to adjustment because each of the credit card brands sets its merchant levels individually. For example, Visa merchant Level 1 includes merchants that process over 6 million Visa transactions per year.55 MasterCard Level 1 includes any merchant that processes 6 million MasterCard transactions per year or meets Visa’s Level 1 criteria.56 MasterCard Level 1 also includes merchants that:

  • Have suffered a data breach that compromised account data, or
  • Are designated by MasterCard, at its discretion, as Level 1 merchants in order to minimize risk

Any merchant that accepts credit cards must comply with the DSS. This means that they must implement and follow the DSS rules. The credit card brands enforce DSS compliance. Most of the credit card brands also require merchants to validate their compliance with the rules. This means that it is not enough for the merchant to say that it is compliant with the rules; instead, the merchant must prove that it is compliant with the rules.

Different merchant levels have different validation requirements set by the credit card brands. Visa requires its Level 1 merchants to have an independent evaluation each year.57 Level 1 merchants also must have a quarterly network scan by an approved vendor. A Level 3 merchant, which is a smaller merchant than a Level 1 merchant, has different requirements. Under the Visa validation requirements, a Level 3 merchant must only complete an annual self-assessment form and have a quarterly network scan.

NOTE

A merchant is a businessperson who sells goods or services to earn a profit. A merchant can be a large, well-known store or a small corner grocery store. For the PCI DSS, a merchant is any entity that accepts credit cards for payment.

Main Requirements

The DSS applies only to the systems that process, store, or transmit credit card data.58 The DSS has specific requirements that each merchant must follow to protect cardholder data. These are the minimum set of requirements for protecting cardholder data. The DSS requirements use preventative, detective, and corrective controls to secure credit card data. The DSS has six high-level categories and 12 major rules. The main categories of controls and rules are listed in TABLE 4-3.

TABLE 4-3 PCI DSS v.3.2.1 Categories of Controls and Rules

DSS CONTROL CATEGORY / MAIN RULES

Build and Maintain a Secure Network and Systems
  • Merchants must install and maintain firewall and router configurations to protect cardholder data.
  • Merchants may not use vendor-supplied defaults for passwords and other security measures.

Protect Cardholder Data
  • Merchants must take action to protect stored cardholder data.
  • Merchants must encrypt cardholder data while it is transmitted across public networks.

Maintain a Vulnerability Management Program
  • Merchants must use antivirus software that is updated regularly.
  • Merchants must develop and use secure systems and applications.

Implement Strong Access Control Measures
  • Merchants must use need-to-know principles to restrict access to credit card data.
  • Merchants must control access to system components.
  • Merchants must restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  • Merchants must monitor access to network resources and cardholder data.
  • Merchants must test their security systems and processes regularly.

Maintain an Information Security Policy
  • Merchants must create an information security policy.

NOTE

The complete list of PCI DSS requirements is available at https://www.pcisecuritystandards.org/.

Each DSS rule has several subrequirements that explain how the rule should be met. Merchants must understand how their information systems work to implement the DSS requirements and subrequirements. Merchants also must understand their business processes and be aware of how credit card data is used within their systems. They must consider data security as part of their everyday business operations.

Oversight

The PCI Security Standards Council does not manage compliance programs. It also does not levy penalties for noncompliance. The Council only creates the DSS and provides merchants with resources to comply with those standards. Each of the individual credit card companies enforces the DSS for its own cards and the merchants who accept those cards. Most credit card companies use the threat of financial penalties to compel DSS compliance. Compliance is contractually based. It is required through contracts between credit card companies, banks that issue the cards, banks that process credit card transactions, and the merchant.

Penalties for DSS noncompliance tend to be tied to events that expose cardholder data. For example, Visa requires its merchants to notify it immediately if they experience a breach involving credit card data.59 Visa may impose a penalty of up to $100,000 per event if it is not notified immediately. Fines can be increased if it is determined that a merchant was not DSS compliant at the time of the breach. Similarly, fines may be reduced if the merchant can show that it was compliant with the DSS at the time of the breach.
