In the past few months, a variety of companies, including Target, Michaels, and Neiman Marcus, have experienced data breaches. While data breaches are becoming an increasingly common occurrence, most of them can be avoided by following the guidelines outlined in the Payment Card Industry Data Security Standard (PCI DSS).
The PCI Data Security Standard includes twelve technical and operational requirements designed to protect cardholder data. These requirements can be split into six control objectives. Here’s an overview of the control objectives and PCI DSS Requirements:
Control Objective: Build and Maintain a Secure Network
Control Objective: Protect Cardholder Data
Control Objective: Maintain a Vulnerability Management Program
Control Objective: Implement Strong Access Control Measures
Control Objective: Regularly Monitor and Test Networks
Control Objective: Maintain an Information Security Policy
All entities involved with payment card processing, including financial institutions, merchants, processors, and service providers, must comply with PCI DSS. If you store, transmit, or process cardholder data and/or sensitive authentication data, you must comply with PCI DSS. The PCI DSS also applies to systems in the cardholder data environment (CDE).
The systems considered to be part of the cardholder data environment include the following:
While this is a comprehensive list of systems, the cardholder data environment must be used as a guideline. Entities must consider all systems and personnel that interact with, or store card holder data. In addition, entities must consider the PCI DSS on a day-to-day basis, instead of waiting until security problems arise. Ultimately, security should be a top priority for all entities involved with payment card processing.
The PCI DSS also states that all third-party service providers must be considered and validate their own compliance. This validation can be done through a PCI DSS assessment or reviewing their services as part of their customers’ PCI DSS assessments.
To learn more about PCI DSS compliance, please view the PCI DSS Requirements and Security Assessment Procedures Version 3.0 at https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.
For information on how to protect your customers’ data, give us a call at (713) 490- or send us an email at firstname.lastname@example.org. CITOC can help you secure your systems and ensure PCI DSS compliance.