Companies that store, process or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard, defined by the Payment Card Industry Security Standards Council (PCI SSC), specifies technical and operational requirements established to protect cardholder data. In-scope data includes cardholder data, that is the primary account number (PAN) together with the cardholder name, expiration date and service code when they are stored with it, and sensitive authentication data: full track data from the magnetic stripe or its equivalent on a chip, card verification codes (CAV2, CVC2, CVV2, CID), and PINs or PIN blocks. The two classes are treated differently: cardholder data may be stored if it is protected (Requirement 3), whereas sensitive authentication data must not be retained after authorization, even if encrypted.

The PCI SSC is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Depending on their transaction volume and their acquirer's requirements, companies must validate compliance annually, either through an on-site assessment by a Qualified Security Assessor (QSA) or through a Self-Assessment Questionnaire, and must pass quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV). Not complying with the PCI DSS standard can lead to non-compliance fines of up to $500,000, expensive litigation costs, and loss of the ability to process card payments under the card schemes. Furthermore, non-compliance has a direct impact on brand reputation and exposes companies to negative publicity that damages consumer confidence.

The PCI DSS consists of twelve requirements, listed here in the wording of PCI DSS v2.0 (later versions reword several of them but keep the same twelve-requirement structure):

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

PCI DSS Compliance Program

The PCI DSS Compliance Program is designed to answer the questions a company that stores, processes or transmits cardholder data raises when evaluating and selecting products to support the Payment Card Industry Data Security Standard (PCI DSS) requirements. The Compliance Program provides validated evidence about a product's features and capabilities to support specific PCI DSS requirements. Note that PCI DSS compliance is assessed for an organization and its cardholder data environment, not for a product: a validated product helps meet requirements, but does not by itself make the company that deploys it compliant.

PCI DSS Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Scope Impact Analysis and Coverage
  • Management and Usability
  • Suitability for Use and Recommended Configuration
  • Product Roadmap

PCI DSS Compliance Testing Criteria

PCI DSS Compliance Testing is conducted by trained analysts against the PCI DSS Compliance Program criteria, as well as Compliance Labs' functional and quality assurance requirements. The Compliance Program criteria are derived from the intent of each PCI DSS requirement as a Qualified Security Assessor (QSA) would interpret it, from companies' needs, and from queries raised by numerous specialists, including affected product vendors, developers, users and industry groups. The Compliance Labs analyst reports the results of each phase of testing in the Reports of Compliance (a Compliance Labs deliverable, distinct from the Report on Compliance a QSA produces for an assessed organization), and also documents the product components submitted by the vendor and the configuration of the product as tested, so that readers can tell which configuration the findings apply to.

Continuous Evaluation Process

Compliance Labs has developed the continuous evaluation process as a fundamental aspect of the PCI DSS Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria accordingly, so that a product's compliance effectiveness is driven and sustained over the long term rather than established once at the time of testing.
