The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that applies to every business and other entity that stores, processes, or transmits payment card data. The standard is developed and maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands, and is intended to prevent breaches of cardholder data and the resulting payment card fraud and identity theft. It is not optional guidance: the card brands enforce it through their agreements with acquiring banks, merchants, and service providers. Compliance is an ongoing cycle of three phases: assessing the business processes and systems that handle cardholder data and identifying risks, remediating those risks, and reporting the results to the acquiring bank and the card brands.
Paramount in PCI DSS compliance is building and maintaining a secure network and systems. A firewall configuration must be installed and maintained to isolate systems that hold cardholder data from untrusted networks, and vendor-supplied default passwords and other default security settings must be changed on every system before it is put into service. Stored cardholder data must be protected, and cardholder data transmitted across open, public networks must be encrypted with strong cryptography. Ongoing measures include deploying and keeping current anti-malware software, restricting logical access to cardholder data to personnel with a business need to know, and restricting physical access to the systems and media that hold it.
There are numerous tools and services available to assist organizations in dealing with the PCI DSS. While the PCI SSC maintains the standard itself, each of the major card brands runs its own compliance program that defines merchant and service-provider levels, validation requirements, deadlines, and enforcement, and each publishes online guidance for organizations that accept its cards. The PCI SSC also qualifies Qualified Security Assessors (QSAs), who perform on-site assessments and validate compliance, and Approved Scanning Vendors (ASVs), who perform the external vulnerability scans the standard requires. For organizations eligible to self-assess, the PCI SSC provides Self-Assessment Questionnaires (SAQs) in several forms, each tailored to a specific way of handling payments.
A key premise of PCI DSS is to store only the cardholder data the organization actually needs. Stored data must be covered by a retention and disposal policy with defined time limits, and sensitive authentication data (full magnetic-stripe or chip track data, the card verification code, and PINs or PIN blocks) must never be stored after authorization, even in encrypted form. Wherever the primary account number (PAN) is stored it must be rendered unreadable, for example by strong encryption, truncation, or one-way hashing; when displayed it must be masked so that at most the first six and last four digits are visible; and when sent over open, public networks it must be encrypted.
Other ongoing PCI DSS measures include maintaining a vulnerability management program that keeps anti-malware protection current and develops and maintains secure systems and applications, including timely patching of known vulnerabilities. All access to network resources and cardholder data must be tracked and monitored, and security systems and processes must be tested regularly, including vulnerability scanning and penetration testing, to identify weaknesses. Each organization must also maintain a written information security policy and distribute it to all personnel.