Monday 30 May 2016

PCI DSS - Payment Card Industry Data Security Standard


Introduction:

PCI DSS stands for Payment Card Industry Data Security Standard. It is a proprietary information security standard for any organization that handles branded payment cards from the major card schemes: American Express, MasterCard, Visa, Discover Financial Services and JCB International. These five payment brands founded the PCI Security Standards Council (PCI SSC), which publishes and maintains the standard, to protect cardholder data.

The standard sets out twelve requirements that a merchant's card-processing environment must meet in order to keep payment systems, including online payment systems, secure:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel
PCI DSS applies to every organization that stores, processes or transmits cardholder data, whatever its size or line of business: any merchant that accepts credit or debit card payments is within its scope. How compliance is validated (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) depends on the merchant's transaction volume and on the card brand, but the requirements themselves are the same for everyone.
The twelve requirements are grouped under six control objectives:
  • Build and maintain a secure network. Transactions must take place on a network protected by firewalls that are robust enough to be effective without obstructing legitimate traffic from cardholders or vendors. Vendor-supplied defaults for passwords, wireless keys, SNMP community strings and other security parameters must be changed before a system goes into production, and credentials must be changeable easily and regularly.
  • Protect cardholder data. Cardholder data must be protected wherever it is stored, and when it is transmitted across open, public networks it must be encrypted with strong cryptography. Encryption matters in every form of card transaction, but especially in e-commerce conducted over the Internet.
  • Maintain a vulnerability management program. Systems must be protected against malware with anti-virus, anti-spyware and other anti-malware software that is kept current. Applications must be developed and maintained securely, and security patches applied promptly, so that they do not contain vulnerabilities through which cardholder data could be stolen or altered.
  • Implement strong access control measures. Access to system components and cardholder data must be restricted to those with a business need to know. Every person who uses a computer in the environment must be assigned a unique ID, so that every action can be traced to an individual, and physical access to cardholder data must be controlled as carefully as electronic access.
  • Regularly monitor and test networks. All access to network resources and cardholder data must be logged and the logs reviewed, and security controls must be tested regularly to confirm they are in place, functioning properly and kept up to date. Anti-virus and anti-spyware programs must be provided with the latest definitions and signatures.
  • Maintain an information security policy. A formal policy must be defined, maintained and followed at all times by all personnel and participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.
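The "protect cardholder data" objective is the one developers touch most directly. As an added example that is not part of the original article or of any PCI SSC document, the code below shows the three habits that objective implies for application code: never persist sensitive authentication data (CVV2, track data, PIN) after authorization, never store or display the full PAN where a masked form will do, and use a keyed hash rather than the PAN itself when records must be matched by card. The field names, the sample transaction and the HMAC key are constructed for the example; in a real system the key would come from a key management service.

```python
# Added example for this page: handling card data the way the
# "protect stored data" objective (PCI DSS requirement 3) expects.
# Illustrative code written for this article, not taken from the PCI SSC
# or any vendor product.  Field names and the HMAC key are assumptions.
import hashlib
import hmac
import re

# Sensitive authentication data that must never be stored after
# authorization, not even encrypted.  Field names are assumed.
SAD_FIELDS = frozenset({"cvv2", "track1", "track2", "pin", "pin_block"})


def luhn_valid(pan: str) -> bool:
    """True if pan is 13-19 digits and passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits visible
    (the maximum PCI DSS allows); everything in between is replaced."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so stored records can be matched by PAN
    without keeping the PAN itself.  An unkeyed hash would not do: the
    digit space of a PAN is small enough to brute-force, so the key must
    be protected like any other cryptographic key and kept out of the
    database that holds the tokens."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(txn: dict, key: bytes) -> dict:
    """Reduce an authorization record to the fields that may be stored.

    Drops the full PAN and all sensitive authentication data, and adds a
    masked PAN for display plus a keyed token for lookups."""
    pan = re.sub(r"\D", "", txn["pan"])      # strip spaces and dashes
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    stored = {k: v for k, v in txn.items()
              if k != "pan" and k not in SAD_FIELDS}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored


if __name__ == "__main__":
    # Constructed sample input using a well-known test PAN; the key is a
    # placeholder for this example only.
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123",
              "expiry": "12/27", "amount": "19.99"}
    print(prepare_for_storage(sample, b"example-key-not-for-production"))
```

The point of the keyed token is that it is the only thing the database can use to link two transactions to the same card; if the key lives in the same database as the tokens, an attacker who dumps the database can enumerate PANs offline, which defeats the purpose of not storing them.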

Conclusion:

The reach of the Internet attracts customers from around the world, but it attracts cyber criminals just as readily, so payment security is essential. PCI DSS is the standard that every organization handling cardholder data must follow. Payment security software can help with data confidentiality, integrity, authentication and authorization, but no single product makes a merchant compliant: the standard is assessed against the organization's whole cardholder data environment and the processes around it.


Article Summary:

This article gives a brief introduction to the Payment Card Industry Data Security Standard, its twelve requirements and six control objectives, and outlines what a merchant must do to protect cardholder data in order to comply with PCI DSS.

1 comment:

  1. Kentico 13 xperience developers I am impressed. I don't think I've met anyone who knows as much about this subject as you do. You are truly well informed and very intelligent. You wrote something that people could understand and made the subject intriguing for everyone. Really, great blog you have got here.
