Payment Card Industry Data Security Standard (PCI DSS)
Although not (yet) a legal mandate, the Payment Card Industry Data Security Standard (PCI DSS) is one example of an industry initiative for mandating and enforcing security standards. PCI DSS applies to any business worldwide that transmits, processes, or stores payment card (meaning credit card) transactions to conduct business with customers — whether that business handles thousands of credit card transactions a day or a single transaction a year.
Compliance is mandated and enforced by the payment card brands (American Express, MasterCard, Visa, and so on) and each payment card brand manages its own compliance program.
Although PCI DSS is an industry standard rather than a legal mandate, many states are beginning to introduce legislation that would make PCI compliance (or at least compliance with certain provisions) mandatory for organizations that do business in that state.
PCI DSS requires organizations to submit an annual self-assessment and network scan, or to complete onsite PCI data security assessments and quarterly network scans. The actual requirements depend on the number of payment card transactions handled by an organization and other factors, such as previous data loss incidents.
PCI DSS version 3.0 consists of six core principles, supported by 12 accompanying requirements, and more than 200 specific procedures for compliance. These include
- Principle 1: Build and maintain a secure network:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.
- Principle 2: Protect cardholder data:
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Principle 3: Maintain a vulnerability management program:
- Requirement 5: Use and regularly update antivirus software.
- Requirement 6: Develop and maintain secure systems and applications.
- Principle 4: Implement strong access control measures:
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person who has computer access.
- Requirement 9: Restrict physical access to cardholder data.
- Principle 5: Regularly monitor and test networks:
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
- Principle 6: Maintain an information security policy:
- Requirement 12: Maintain a policy that addresses information security.
Penalties for non-compliance are levied by the payment card brands and include not being allowed to process credit card transactions, fines up to $25,000 per month for minor violations, and fines up to $500,000 for violations that result in actual lost or stolen financial data.