PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI DSS)
The Payment Card Industry Data Security Standards (PCI DSS) are a set of operational and technical requirements that almost all entities handling consumer bankcard information must uphold. PCI DSS are promulgated and administered by the Payment Card Industry Security Standards Council, an industry consortium of American Express, Discover, JCB International, Mastercard and Visa Inc. formed in 2006.
Globally, PCI DSS have been adopted by hundreds of millions of entities along the complex journey a bankcard transaction takes. These include merchants of all sizes, financial institutions and others that store, process or transmit cardholder data (CHD). Adherence to PCI DSS aims to help these stakeholders better protect consumer bankcard data from theft, loss and misuse through the standards’ requirements. Examples of PCI DSS requirements are that a merchant or its payment processor may not store CHD and sensitive authentication data (SAD), and that entities which must hold such data must safeguard it with encryption, masking, hashing and truncation.
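As an added illustration (not from the original page) of the masking, truncation and hashing controls just listed, the following Python applies them to a constructed test PAN. It assumes the PCI DSS display rule of showing at most the first six and last four digits, and uses a placeholder HMAC key; in a real system the key would come from a key-management service and the full PAN would never be written to logs.

```python
import hashlib
import hmac
import re

# Constructed placeholder key; a real deployment obtains this from key management.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check: a format sanity test for a digit string, not proof the card exists."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_well_formed_pan(raw: str) -> bool:
    """Strip spaces/dashes, then require 13-19 digits that pass Luhn."""
    pan = re.sub(r"[\s-]", "", raw)
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup token.

    An unkeyed hash would not protect the PAN: the PAN space is small enough
    to enumerate, so an attacker could rebuild the hash table offline.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def protect_pan(raw: str, key: bytes = DEMO_KEY) -> dict:
    """Validate a PAN and return only its protected representations."""
    if not is_well_formed_pan(raw):
        raise ValueError("not a well-formed PAN")
    pan = re.sub(r"[\s-]", "", raw)
    return {"masked": mask_pan(pan), "truncated": truncate_pan(pan), "token": pan_token(pan, key)}


if __name__ == "__main__":
    # Well-known constructed test number, not a live card.
    print(protect_pan("4111 1111 1111 1111"))
```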
Large firms handling bankcard transactions must have their PCI DSS compliance assessed by a Qualified Security Assessor (QSA) or by their own Internal Security Assessor (ISA), who produces a Report on Compliance for enterprises dealing with large transaction volume or velocity. Small and medium-size businesses (SMBs) may instead submit a Self-Assessment Questionnaire (SAQ) to attest to their compliance.
“PCI compliance for small businesses is pretty reasonable, with a number of attestations made in what is essentially a self survey. Once you reach a certain volume of CHD, however, it’s a whole new ballgame with a QSA detailing all of the ways your data receipt, storage, and custodianship are protected.”