PCI DSS: how to meet the requirements?

The Payment Card Industry Data Security Standard (PCI DSS) is an important security standard for organizations, that store and process cardholder data. The purpose of the standard is to protect data, curb fraud and reduce the risk of a data breach.

Online payments are still on the rise, with the number of digital transactions constantly increasing. This makes security even more important. Especially the protection of credit card data.

To achieve such a level of protection, five major payment card brands created a joint standard, called PCI DSS. Every organization, that processes and stores cardholder data, must be able to demonstrate that all data is secured according to these strict requirements.

Evidently, SimpledCard is also PCI DSS certified. In this article, we will explain why PCI DSS is so important and how you can make sure your company complies with the standard.

❯  Wat is de PCI-DSS standaard?

❯  Wat is een PCI DSS certificering?

❯  Hoe krijg je een PCI-DSS certificering?

❯  SimpledCard en de PCI-DSS veiligheidsstandaard

What is the PCI DSS?

The PCI DSS was created by Mastercard, VISA, American Express, JCB and Diners. It is an independent, international security standard to protect cardholders’ data during online transactions.

The Payment Card Industry Security Standards Council (PCI SSC) monitors whether organizations meet the PCI DSS requirements. The aim is to secure credit- and debit cards against data theft and fraud.

The PCI SSC defines various technical and operational guidelines for this. We will come back to that later in this article.

The PCI SSC is not a legal requirement for the industry and therefore compliance cannot be enforced. However, in order to process credit card and debit card transactions online, PCI DSS certification is the golden standard. 

What is PCI DSS certification?

PCI DSS certification guarantees the security of card data in your organization. You obtain a PCI DSS certification by complying with the requirements of the PCI SSC.

The requirements include a number of best practices, such as:

❯  Installing firewalls;

❯ Transferring data in encrypted form

❯ Using anti-virus software

❯  Limiting access to cardholder data

❯ Monitoring access to network resources

The certificate shows that your company has passed an in-depth audit and it demonstrably takes strict measures to protect cardholders’ data.

Being PCI DSS compliant as a company shows your customers that their transactions with you are safe. Also, the possibility of fines for non-compliance provides a good incentive to take data security seriously.

PCI certification is considered the best way to protect sensitive data. This helps you build a long-lasting, trustful relationship with your customers. 

How do you obtain PCI DSS certification?

The PCI SSC sets twelve requirements for processing cardholder data and maintaining a secure network. The requirements are divided over six different control objectives, each carrying equal weight. You must therefore comply with all requirements in order to receive a PCI DSS certification.

❯ Build and maintain a secure network and systems

1. Installing and maintaining a firewall configuration to protect cardholder data.

2. Changing vendor-supplied defaults for system passwords and other security parameters.

❯ Protect cardholder data

3. Protecting stored cardholder data.
4. Encrypting transmission of cardholder data over open, public networks.

❯ Maintain a vulnerability management program

5. Protecting all systems against malware and performing regular updates of anti-virus software.
6. Developing and maintaining secure systems and applications.

❯ Implement strong access control measures

7. Restricting access to cardholder data to only authorized personnel.
8. Each person with access to system components should be assigned a unique identification (ID) that allows accountability of access to critical data systems.
9. Restricting physical access to cardholder data.

❯ Regularly monitor and test networks

10. Tracking and monitoring all access to cardholder data and network resources.
11. Testing security systems and processes regularly.

❯ Maintain an information security policy

12. Maintaining an information security policy for all personnel.

In order to retain the certification, your organization must meet the requirements every year. If you fail to do so, your company is at risk of receiving hefty fines.

When you are PCI compliant, the risk of data breaches due to cyber attacks is small. But if your company does suffer a data breach, the card brands may significantly reduce your PCI fines – they may even be waived – if you can prove that you have done everything to be PCI DSS compliant.

SimpledCard and PCI DSS

As mentioned, SimpledCard is PCI DSS compliant. And thus meets the requirements that the main credit card companies set for processes, procedures and the secure storage of cardholder data.

What exactly do we do? A few examples:

❯ We do not use preset usernames or passwords and avoid default settings at all times.

❯  We always require strong passwords and unique user ID’s. Passwords should have a minimum of seven characters (numbers, letters and special characters).

❯  Our software is always up-to-date, and we inform our employees and customers about updates.

As a SimpledCard customer, you can rest assured that your data is encrypted so that your transactions are secure. This is how we build long-lasting partnerships with our customers, based on trust.

Still have questions about PCI DSS? Please feel free to contact our team of financial experts. They will answer all your questions about PCI DSS, PCI DSS certification, or any other issue you may have.