HackEthic

What is PCI DSS?


Historical context

In the 1990s and early 2000s, the growth of online shopping brought a sharp rise in payment card fraud. Traditional businesses began selling their products and services online, which was convenient for customers but exposed cardholder data to weaknesses that criminals quickly exploited. To address this, each of the major card brands developed its own security program:

  • VISA’s Cardholder Information Security Program (CISP)
  • Mastercard’s Site Data Protection (SDP)
  • American Express’s Data Security Operating Policy (DSOP)
  • Discover Financial Services’ Information Security and Compliance (DISC)
  • JCB’s Data Security Program (DSP)


Each program had a similar goal: to protect cardholder data, and with it the card issuers, by requiring merchants and service providers to meet minimum security standards when storing, processing, and transmitting that data. Having five overlapping programs to comply with led to interoperability problems for merchants. In response, in December 2004 the five brands jointly released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS). In September 2006 the same five companies (American Express, Discover Financial Services, JCB, Mastercard and Visa) established the Payment Card Industry Security Standards Council (PCI SSC), which has owned and maintained the standard ever since. The PCI SSC serves as an international forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for protecting account data. Its mission is to strengthen payment account data security worldwide by publishing standards and offering supporting services that promote education, awareness and effective implementation among stakeholders.

Evolution of PCI DSS

PCI DSS is a living standard. It is revised periodically to address emerging threats, to incorporate feedback from assessors, merchants and service providers, and to reflect current best practice in data security.


PCI DSS Now

On 31 March 2024, PCI DSS version 3.2.1 was retired and version 4.0 became the only active version. Version 4.0 is itself retired on 31 December 2024, after which PCI DSS version 4.0.1 is the only version of the standard supported by the PCI SSC. Version 4.0.1, published in June 2024, is a limited revision that corrects and clarifies version 4.0 without adding or removing requirements. The current version groups its 12 requirements under six goals:

  • Build and Maintain a Secure Network and Systems 
    • Requirement 1: Install and Maintain Network Security Controls
    • Requirement 2: Apply Secure Configurations to All System Components
  • Protect Account Data
    • Requirement 3: Protect Stored Account Data
    • Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Protect All Systems and Networks from Malicious Software
    • Requirement 6: Develop and Maintain Secure Systems and Software
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
    • Requirement 8: Identify Users and Authenticate Access to System Components
    • Requirement 9: Restrict Physical Access to Cardholder Data
  • Regularly Monitor and Test Networks
    • Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
    • Requirement 11: Test Security of Systems and Networks Regularly
  • Maintain an Information Security Policy 
    • Requirement 12: Support Information Security with Organizational Policies and Programs

Applicability of PCI DSS

PCI DSS applies to any organization that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD), or that could affect the security of the cardholder data environment (CDE). This encompasses all entities engaged in payment account processing, such as merchants, processors, acquirers, issuers, and other service providers.

Cardholder data and sensitive authentication data together make up account data. The elements of each are:

Cardholder Data (CHD):
  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data (SAD):
  • Full track data (magnetic stripe data or equivalent on a chip)
  • Card verification code
  • PINs/PIN blocks

The requirements therefore reach beyond the systems that handle account data directly: any system component that could affect the security of the CDE is in scope. In addition, certain requirements apply to entities that do not themselves store, process or transmit account data but outsource payment operations or management of their CDE to third parties; such entities remain responsible for confirming that those providers are compliant.
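A recurring way account data ends up out of scope controls is by leaking into application logs, which is why the definitions above matter in practice. The following Python script is an added example, not code from the original article or from the PCI SSC: it scans constructed log lines for Luhn-valid PANs (cardholder data) and for fields that look like sensitive authentication data, reports them, and returns a redacted copy of each line. The PAN pattern, the SAD field names and the sample log are assumptions made for the demonstration; the card numbers are the brands' published test numbers.

```python
"""Scan application log lines for leaked account data.

Added example, not part of the original article. Finds Luhn-valid PANs
(cardholder data) and fields that look like sensitive authentication data
(CVV, PIN, track data), reports them, and returns a redacted copy of each
line. The regexes, field names and log lines are constructed for illustration.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits. This pattern is an assumption for the demo.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that typically carry sensitive authentication data. Constructed;
# real applications name these fields differently.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|pin|pin_block|track[12]?)\s*[=:]\s*(\S+)", re.I)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check, which every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six (BIN) and last four, the most PCI DSS 3.4.1 allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_or_none(candidate: str):
    """Normalise a regex hit and return its digits only if it passes Luhn."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def scan_line(line: str) -> dict:
    """Return masked PANs, SAD field names and a redacted copy of one line."""
    pans = []

    def redact_pan(m):
        digits = _pan_or_none(m.group(0))
        if digits is None:
            return m.group(0)      # Luhn failed: an order id, trace id, etc.; leave it
        pans.append(mask_pan(digits))
        return mask_pan(digits)

    redacted = PAN_CANDIDATE.sub(redact_pan, line)
    sad_fields = [m.group(1).lower() for m in SAD_FIELD.finditer(redacted)]
    # SAD must not be retained after authorization, so the value is dropped entirely.
    redacted = SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", redacted)
    return {"pans": pans, "sad_fields": sad_fields, "redacted": redacted}


def scan_log(lines):
    """Report only the lines that contain account data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        result = scan_line(line)
        if result["pans"] or result["sad_fields"]:
            result["line"] = n
            findings.append(result)
    return findings


# Constructed sample log; the card numbers are the brands' published test numbers.
SAMPLE_LOG = [
    "2024-11-02T10:15:32Z checkout order=48213 card=4111 1111 1111 1111 exp=12/26 cvv=123",
    "2024-11-02T10:15:33Z checkout order=48214 card=5555-5555-5555-4444",
    "2024-11-02T10:15:34Z gateway trace_id=1234567890123456 status=200",
    "2024-11-02T10:15:35Z refund order=48215 pan=378282246310005 pin_block=A1B2C3D4E5F60718",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PAN={f['pans']} SAD={f['sad_fields']}")
        print("   ", f["redacted"])
```

The Luhn check is what separates a PAN from any other 16-digit value: the third sample line carries a trace identifier that the regex picks up but Luhn rejects, so it is left untouched. Note the asymmetry in the redaction. A PAN may legitimately be displayed masked to BIN plus last four, so that is what the script keeps; a CVV or PIN block is sensitive authentication data that may not be stored after authorization at all, so its value is removed outright. A scan like this is a detective control, not a substitute for keeping account data out of logs in the first place.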

Deadline

Organizations have until 31 March 2025 to adopt the future-dated requirements that were introduced as best practices in PCI DSS version 4.0 and carried into version 4.0.1. Until then, validation of those requirements is not mandatory, although organizations that have already implemented the controls and wish to have them assessed before the effective date are encouraged to do so. After 31 March 2025 the requirements become effective and must be included in every PCI DSS assessment.

The HackEthic team strongly urges those obliged to comply with PCI DSS Version 4.0.1 to swiftly meet the outlined requirements. To this end, the team also stands ready to offer assistance.
