What is PCI Compliance and why is it important?

  • What is PCI DSS Compliance?
    • The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a structured set of guidelines for the technical and operational requirements that ensure customer payment data is protected.
    • For more information about PCI compliance, please visit the PCI Security Standards Council website.
  • Why is it Important?
    • Lax security by merchants enables criminals to easily steal and use consumers' personal financial information from payment transactions.
    • As a key participant in the payment card transaction process, a merchant must use a standard set of procedures and technologies to combat the theft of cardholder data.
    • Compliance with PCI DSS helps reduce vulnerabilities and protect customer data.
    • PCI compliance is also a reference tool to help you understand and apply protections to customer payment transactions.





Common points of vulnerability in a merchant-based environment

  • Point of Sale devices
  • Mobile devices, personal computers, or servers
  • Wireless hotspots
  • Online commercial shopping applications
  • Paper-based storage systems
  • The transmission of cardholder data from the merchant to the processor
  • Remote access connections

Vulnerabilities may also extend to the systems of the service providers and the acquirer that facilitate the acceptance of payments on the merchant's behalf (see diagram below).





The 3 Processes of PCI Compliance



  • Assess
    • Identifying all locations where customer payment card data is stored, processed, or transmitted
    • Taking inventory of all IT assets and business processes involved in payment processing
    • Analyzing them for vulnerabilities that could expose cardholder data
  • Repair
    • Fixing identified vulnerabilities
    • Removing any unnecessary storage of card data
    • Implementing secure business processes
  • Report
    • Documenting assessment and remediation details
    • Submitting compliance reports to banks and card brands


PCI DSS practices mirror general security best practices, because both aim at the same kind of protection: reducing the places where sensitive data is exposed and controlling access to what remains.






Overview of PCI Requirements



What standards and requirements are there within PCI Compliance?


  • PCI Data Security Standard (PCI DSS)
    • The PCI DSS applies to all entities that store, process, and/or transmit customer card data.
    • Covers the technical and operational components connected to customer card data.
  • PIN Transaction Security (PTS) Requirements
    • PCI PTS is a set of requirements focused on the protection of customer PINs and the processes related to them.
    • Includes:
      • PIN Security Requirements
      • Point of Interaction (POI) Modular Security Requirements
      • Hardware Security Module (HSM) Security Requirements
    • Device manufacturers are responsible for the design, manufacturing, and transport of these devices.
    • Financial institutions, processors, merchants, and service providers should only use devices or components that have been tested and approved by the PCI Security Standards Council (PCI SSC).
  • Payment Application Data Security Standard (PA-DSS)
    • This standard is for software vendors that develop payment applications which store, process, or transmit customer card data and/or sensitive authentication data used in the authorization or settlement process.
  • PCI Point-to-Point Encryption Standard (P2PE)
    • This standard provides the set of security requirements for P2PE solution providers and for the validation of those solutions.
    • Using a validated P2PE solution helps reduce the PCI DSS scope of merchants, because card data is encrypted at the point of interaction before it reaches the merchant's systems.
  • PCI Card Production Logical Security Requirements and Physical Security Requirements
    • These requirements address the card production process.
    • Includes:
      • Card manufacturing
      • Chip embedding
      • Data preparation
      • Pre-personalization
      • Card personalization
      • Chip personalization
      • Fulfillment
      • Packaging
      • Storage
      • Mailing/shipping
      • PIN printing
      • Electronic PIN distribution
  • PCI Token Service Provider Security Requirements
    • The Token Service Provider (TSP) requirements are intended for the providers that generate and issue EMV Payment Tokens.



PCI Data Security Standard Requirements

Goals and their PCI DSS Requirements

Build and Maintain a Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update antivirus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel




Additional Resources and Help!

Still have questions? Please contact us any time at support@ezsoftpos.com.


NOTE: If emailing, please include your business name in the subject line of the email and provide your preferred contact information for the best response time.


Visit our Help Center for more guides and tutorials.