What are the PCI Standards & Programs?

Now that you know what PCI DSS compliance is and who needs to be PCI compliant, it’s time to learn more about the different PCI standards and programs.


PCI Data Security Standard (PCI DSS)

PCI DSS is the core PCI standard because it applies to any organization that stores, processes or transmits cardholder data: businesses, processors, acquirers, issuers and service providers, which is to say every entity in the payment processing industry. As such, PCI DSS is by far the largest set of standards.

There are 12 requirements, each with corresponding testing procedures, grouped into six goals. Download the document titled PCI DSS from this document library to learn about each testing procedure.

PCI DATA SECURITY STANDARD — HIGH LEVEL OVERVIEW

Build and maintain a secure network and systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications

Implement strong access control measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an information security policy

  1. Maintain a policy that addresses information security for all personnel


Payment Application Data Security Standard (PA-DSS)

In addition to following PCI DSS, software vendors and others who develop payment applications that store, process or transmit cardholder data must also follow the Payment Application Data Security Standard (PA-DSS for short). The standard helps protect the full magnetic stripe data digitally stored on the back of the payment card as well as the data stored on the chip embedded in some cards.

The card brands encourage businesses to use payment applications that comply with PA-DSS and are approved by the PCI Security Standards Council. You can check the list of approved payment applications on the Council’s website before making a purchase.

Here are the 14 requirements. Each one has sub-requirements and specific testing procedures. You can download the 92-page document titled PA-DSS from this document library.

  1. Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
  2. Protect stored cardholder data
  3. Provide secure authentication features
  4. Log payment application activity
  5. Develop secure payment applications
  6. Protect wireless transmissions
  7. Test payment applications to address vulnerabilities and maintain payment application updates
  8. Facilitate secure network implementation
  9. Cardholder data must never be stored on a server connected to the Internet
  10. Facilitate secure remote access to payment application
  11. Encrypt sensitive traffic over public networks
  12. Secure all non-console administrative access
  13. Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators
  14. Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
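PCI DSS requirement 3 (protect stored cardholder data) and PA-DSS requirement 1 (do not retain full track data, card verification values or PIN blocks) both come down to one operational question: is prohibited card data sitting in a place it should not be, such as application logs? The scanner below is an added example written for this page, not code from the PCI Security Standards Council or from either standard. It treats a 13- to 19-digit run that passes the Luhn check as a PAN candidate, recognizes Track 2 data by its `;PAN=YYMM...?` sentinels, and redacts each in the way the two requirements call for: bare PANs are masked to first six and last four digits (the maximum PCI DSS permits for display), while track data is dropped entirely because nothing in it may be retained. The log lines and card numbers are constructed; the PAN used is the industry's published test number, not a live account.

```python
import re
from typing import List, Tuple

# Constructed sample log lines, not taken from any real system. The card
# number is the widely published Visa test PAN (passes Luhn, not a live card).
SAMPLE_LOGS = [
    "2024-01-05 10:01:02 INFO  auth ok user=alice",
    "2024-01-05 10:01:03 DEBUG charge pan=4111111111111111 amount=12.50",
    "2024-01-05 10:01:04 DEBUG swipe track2=;4111111111111111=25121011234500000000?",
    "2024-01-05 10:01:05 INFO  order id=1234567890123456 status=paid",
    "2024-01-05 10:01:06 INFO  receipt pan=411111******1111",
]

# A PAN is 13 to 19 digits (ISO/IEC 7812); require no digit on either side so
# a 20-digit discretionary field is not mistaken for a card number.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 layout: start sentinel ';', PAN, separator '=', YYMM expiry,
# service code and discretionary data, end sentinel '?'.
TRACK2 = re.compile(r";\d{13,19}=\d{4}\d*\?")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """PAN-length digit runs that also pass Luhn; order ids and timestamps drop out."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


def find_track2(text: str) -> List[str]:
    """Full Track 2 records, which must never be retained after authorization."""
    return [m.group(0) for m in TRACK2.finditer(text)]


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every prohibited element found."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for t in find_track2(line):
            findings.append((n, "track2", t))
        for p in find_pans(line):
            findings.append((n, "pan", p))
    return findings


def redact_line(line: str) -> str:
    """Remove track data outright (PA-DSS Req. 1), then mask any bare PAN (PCI DSS Req. 3)."""
    line = TRACK2.sub("[TRACK2 REMOVED]", line)
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        line,
    )


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} found: {value}")
    print("--- after redaction ---")
    for line in SAMPLE_LOGS:
        print(redact_line(line))
```

The Luhn filter is what keeps the false-positive rate workable: the 16-digit order id on line 4 fails the check and is left alone, while the already-masked receipt line never matches because of the asterisks. Running the scanner over the redacted output should yield no findings, which is the check a log-hygiene control would assert before a PCI assessment.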


PIN Transaction Security (PTS) Requirements

Companies that make credit card terminals, PIN pads and card readers need to follow this set of standards. The requirements are focused on the protection of cardholder personal identification numbers (PINs). Businesses should check the list of approved devices on the PCI Security Standards Council website every year.

Here is a high-level summary of the PTS security requirements:

EVALUATION MODULE

  • Core Requirements
  • POS Terminal Integration
  • Open Protocols
  • Secure Reading and Exchange of Data
  • Device Management (manufacturing and initial key loading)

REQUIREMENTS SET

  • Physical and logical security
  • POS terminal integration
  • Open protocols
  • Requirements in support of cardholder account data encryption


Qualified Integrator and Reseller (QIR) Program

This program is for IT solution providers, including VARs, dealers and solution providers, who work with small businesses to help reduce the risk of data theft. Organizations with this qualification are authorized to implement, configure and/or support validated PA-DSS payment applications on behalf of businesses or service providers. This is to ensure the payment application has been implemented in a way that supports PCI DSS compliance.