GRC

PCI-DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for every organization that accepts, processes, stores or transmits payment card data. It is published and maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to protect cardholder data and reduce payment card fraud.

PCI DSS consists of 12 requirements, grouped under six goals:

  1. Build and Maintain a Secure Network and Systems: install and maintain network security controls such as firewalls between the cardholder data environment and untrusted networks (Requirement 1), and do not use vendor-supplied defaults for passwords and other security parameters (Requirement 2).
  2. Protect Cardholder Data: protect stored cardholder data, which means rendering the PAN unreadable wherever it is stored, masking it when displayed, and never storing sensitive authentication data such as full track data, card verification codes or PINs after authorization (Requirement 3); encrypt cardholder data in transit over open, public networks (Requirement 4).
  3. Maintain a Vulnerability Management Program: protect all systems against malware (Requirement 5) and develop and maintain secure systems and applications, including timely patching and secure coding practices (Requirement 6).
  4. Implement Strong Access Control Measures: restrict access to cardholder data by business need to know (Requirement 7), identify and authenticate every user with a unique ID (Requirement 8), and restrict physical access to cardholder data (Requirement 9).
  5. Regularly Monitor and Test Networks: log and monitor all access to network resources and cardholder data (Requirement 10), and regularly test security systems and processes, for example with vulnerability scans and penetration tests (Requirement 11).
  6. Maintain an Information Security Policy: maintain a policy that addresses information security for all personnel (Requirement 12).
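
The Protect Cardholder Data goal is the one most often broken by accident rather than by attack: a full PAN or a CVV ends up in an application log, a crash dump or a support ticket, and the whole logging pipeline silently becomes part of the cardholder data environment. The script below is an added example written for this page; it is not code from the page or from the PCI SSC. It scans text for PAN-shaped digit runs, confirms them with the Luhn check, optionally narrows on an approximate set of card-brand prefixes, flags field names that usually carry sensitive authentication data, and masks confirmed PANs to the first six and last four digits. The regex, the prefix table, the field-name list and the sample log lines are all assumptions made here for illustration, not anything the standard prescribes.

```python
"""Find, flag and mask primary account numbers (PANs) in text such as application logs.

Added example for the "Protect Cardholder Data" goal; it is not code from the page
or from the PCI SSC. The detection rules (digit-run regex, Luhn check, approximate
brand prefixes, SAD field names) and the sample log are assumptions for illustration.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Approximate issuer prefixes for Visa, Mastercard, American Express and Discover.
# Assumption: good enough to cut false positives here; a real deployment would use
# a maintained IIN table.
BRAND_PREFIX_RE = re.compile(r"^(?:4|5[1-5]|2[2-7]|3[47]|6(?:011|5|4[4-9]))")

# Field names that usually carry sensitive authentication data (SAD), which
# Requirement 3 forbids storing after authorization. Hypothetical list.
SAD_FIELD_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|pin|pin[_-]?block|track[12]?)\s*[=:]", re.I
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(digits: str, require_known_prefix: bool = True) -> bool:
    """Luhn-valid and, unless disabled, starting with a known card-brand prefix."""
    if not luhn_ok(digits):
        return False
    return not require_known_prefix or bool(BRAND_PREFIX_RE.match(digits))


def _candidates(text: str):
    """Yield (match, digits) for every digit run of plausible PAN length."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19:
            yield m, digits


def find_pans(text: str, require_known_prefix: bool = True) -> list[str]:
    """Return every PAN found in text, digits only, in order of appearance."""
    return [d for _, d in _candidates(text) if is_pan(d, require_known_prefix)]


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (the v3.2.1 Req 3.3 display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every confirmed PAN in text with its masked form; leave other digit runs alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and is_pan(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_RE.sub(repl, text)


def find_sad_fields(text: str) -> list[str]:
    """Return the names of SAD-looking fields (cvv=, pin=, track1=, ...) present in text."""
    return [m.group().rstrip("=: ").lower() for m in SAD_FIELD_RE.finditer(text)]


# Constructed sample log lines (not from any real system). The card numbers are the
# public Visa, Mastercard and Amex test numbers; the 16-digit order id fails Luhn,
# and the 13-digit health-check id passes Luhn but has no card-brand prefix.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z INFO  checkout ok order=ORD-1234567890123456 pan=4111111111111111 amount=19.99
2024-03-01T10:15:07Z DEBUG gateway request card="5555 5555 5555 4444" exp=12/26
2024-03-01T10:16:41Z WARN  retry pan=378282246310005 cvv=123
2024-03-01T10:17:00Z INFO  health ping id=9876543210987
"""

if __name__ == "__main__":
    print("PANs (prefix-filtered):", find_pans(SAMPLE_LOG))
    print("PANs (Luhn only):      ", find_pans(SAMPLE_LOG, require_known_prefix=False))
    print("SAD fields:            ", find_sad_fields(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Two points the sample is built to show. First, Luhn alone is not a PAN test: roughly one in ten random digit strings passes it, and the 13-digit health-check id in the sample is flagged unless the brand-prefix filter is on, so a scanner used for Requirement 3 evidence needs a prefix or IIN check and a human review step. Second, the `cvv=123` on the retry line is the more serious finding: a masked PAN in a log is a display-rule problem, but a card verification code in a log is sensitive authentication data retained after authorization, which the standard forbids outright, so the fix is to stop logging the field rather than to mask it.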

Organizations that handle payment card data must comply with PCI DSS and validate that compliance on a recurring, typically annual, basis. How it is validated depends on transaction volume and the payment channel: the largest merchants and service providers undergo an on-site assessment by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor (ISA) that produces a Report on Compliance, smaller merchants complete a Self-Assessment Questionnaire (SAQ), and most also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). PCI DSS is not a law in most jurisdictions; it is imposed contractually by the card brands through the acquiring banks, and non-compliance can lead to fines, higher transaction fees or loss of the ability to accept cards, as well as loss of trust from customers and business partners. Compliance is expected to be maintained continuously, not only at assessment time.
