The PCI DSS standard is a list of requirements that organizations must meet to ensure the security of cardholder data. Its purpose is to eliminate the potential for leakage of sensitive data and loss of money.
The PCI DSS specifies security standards for organizations that store, process or transmit credit card data. The standards were developed by the Payment Card Industry Security Standards Council, which includes major credit card providers like Mastercard, Visa, and American Express.
Any company that accepts credit card payments must bring its infrastructure into compliance with PCI DSS requirements. This is mandatory even if the organization uses a third-party payment processor. Failure to comply may result in payment acceptance bans or monthly fines.
PCI Compliance Requirements
The latest version of the PCI DSS standard was released in December 2018 and has 415 verification procedures grouped into 12 sections:
- Maintaining the security of the internal network.
- IT infrastructure configuration.
- Preservation of cardholder information.
- Preservation of cardholder information transferred to third parties.
- Protection of IT infrastructure using antivirus programs.
- Building and maintenance of information systems.
- Setting the level of access to cardholder information.
- Methods of authentication.
- Physical protection of the IT infrastructure.
- Logging of events and actions.
- Monitoring the security level of the IT infrastructure.
The standard applies to every element of the IT infrastructure in which cardholder data is processed, stored, or transmitted, as well as to the IT systems connected to it.
The standards only list security goals, rather than how to achieve them. Implementing specific data protection measures is the responsibility of the organization that accepts credit card payments and the third-party service providers they use.
Implementing the controls is not enough – organizations also need to demonstrate that they are meeting the standard. There are several ways to demonstrate compliance.
Companies that process fewer than 6 million credit card transactions per year can use the Self-Assessment Questionnaire (SAQ).
Organizations processing more than 6 million credit card transactions per year must have a compliance report completed by a third-party Qualified Security Assessor (QSA).
How to comply with the PCI DSS?
1. Analyze your payment process. Study in detail how your payment processing procedures work. Typically, a complete payment process involves collecting, storing, processing, or transmitting card data. If your own systems handle this data directly, consider how to minimize that exposure. The following two approaches are recommended.
2. Outsource payment transactions to a payment service provider. Using a fully hosted solution listed by the PCI SSC is the most secure option. In this case, card data is processed outside your environment, and the collection, processing, and transfer of card data are removed from your website entirely.
3. If you do not have the expertise to achieve compliance with the PCI DSS, you can use third-party PCI-compliant server hosting providers. The following rules apply to such providers:
- The provider must be registered as a third-party service provider on the PCI SSC website or the Visa Europe website.
- The provider must ensure secure processing of card data and maintain ongoing PCI DSS compliance, submitting proof annually that the standard is still being met.
- The provider must use a PCI DSS-certified payment application.
- The contract must clearly define the roles and responsibilities for cardholder data protection.
What is PCI DSS hosting?
It is a service that enables secure bank card transactions for organizations whose infrastructure is hosted by a PCI DSS-certified hosting provider. All payment transaction data is stored and processed within this infrastructure.
The PCI DSS hosting service from Cloud4U allows companies to interact with banks directly through the banks' payment interfaces. This eliminates the need for customers to be redirected to a third-party site. In addition, it is possible to work directly with multiple banks. Cloud4U will also help you audit for compliance with all necessary standards.
Using the PCI DSS hosting service covers most of the requirements of the standard. In other words, the hosting provider handles a significant part of the compliance work, including physical server protection, IT system administration, intrusion detection, auditing, and more.