Overview

Companies that store, process or transmit cardholder data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard, defined by the Payment Card Industry Security Standards Council (PCI SSC), specifies technical and operational requirements for protecting cardholder data. In-scope data includes the primary account number (PAN) and sensitive authentication data: full track data (magnetic-stripe data or the equivalent on a chip), the card verification codes (CVC2, CVV2, CID), and PINs and PIN blocks. The PCI SSC manages the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Depending on their merchant or service-provider level, companies must undergo an annual security assessment and quarterly external network vulnerability scans performed by PCI SSC-approved providers (Qualified Security Assessors and Approved Scanning Vendors). Failing to comply with PCI DSS can lead to non-compliance fines of up to $500,000, costly litigation, and being barred by the card schemes from processing cardholder data. Non-compliance also has a direct impact on brand reputation and exposes companies to negative publicity that damages consumer confidence. The PCI DSS requirements are organized in twelve categories:
PCI DSS Compliance Program

The PCI DSS Compliance Program is designed to answer the questions raised by any company that stores, processes or transmits cardholder data when it evaluates and selects products to support the PCI DSS requirements. The program provides validated evidence of a product's features and capabilities in support of those requirements. PCI DSS Compliance Testing and analysis cover several aspects of the product, including:
PCI DSS Compliance Testing Criteria

PCI DSS Compliance Testing is conducted by trained analysts against the PCI DSS Compliance Program criteria, as well as the Compliance Labs functional and quality assurance requirements. The program criteria are derived from the intent of the PCI DSS requirements as a QSA would interpret them, from companies' needs, and from queries raised by numerous specialists, including affected product vendors, developers, users and industry groups. The Compliance Labs analyst reports the results of each phase of testing in the Reports of Compliance, and also documents the product components submitted by the vendor and the configuration of the product as tested.

Continuous Evaluation Process

Compliance Labs has developed the continuous evaluation process as a fundamental aspect of the PCI DSS Compliance Program. The process monitors new compliance requirements and best practices and updates the testing criteria accordingly, so that product compliance remains effective in the long term.