PCI DSS

A little bit of history: All card companies had their own standards

Before 2004 card companies had their own standards to ensure that merchants met a minimum level of security when they store, process, and transmit cardholder data. It was difficult for merchants using multiple cards from different card issuers to comply. A combined effort was made by the principal credit card organisations, which resulted in the release of version 1.0 of PCI DSS (Payment Card Industry Data Security Standard) in December 2004.

MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC (Payment Card Industry Security Standards Council) in September 2006 as an administration/governing entity which mandates the evolution and development of PCI DSS. Independent/private organisations can participate in PCI development after proper registration.

The PCI standard

The standard was created to increase control over cardholder data to reduce credit card fraud. PCI DSS has been implemented and followed across the globe. The latest version of PCI DSS is 3.2.1 and was released in May 2018. The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives".

The six groups are:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

Vulnerability management

Vulnerability management is the "cyclical practice of identifying, classifying, prioritising, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security. Vulnerabilities can be discovered with a vulnerability scanner, which analyses a computer system in search of known vulnerabilities, such as open ports, insecure software configurations, and susceptibility to malware infections.

In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines. Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council. Any questions in those areas should be directed to the payment brands.

All companies who are subject to PCI DSS standards must be PCI compliant. There are four levels of PCI Compliance and these are based on how many transactions you process per year, as well as other details about the level of risk assessed by payment brands.

Trust Guard will prove PCI compliance for level 2, 3 and 4

The Trust Guard vulnerability scan is executed by a PCI Security standards council approved scanning vendor and together with the self-assessment questionnaire (SAQ) will prove PCI compliance for level 2, 3 and 4.