The Payment Card Industry Data Security Standard is a focal point in the payments landscape, but few understand what it actually entails. While it clearly denotes some type of policy, many merchants haven't received a clear explanation on what it is, why it matters and how it benefits them. 

To that end, this new series will help demystify PCI DSS and clarify how it affects the payments space. In this post, we're going to dive into the absolute basics of PCI DSS and define what it is. 

What is PCI DSS?

Quite simply, PCI DSS is a set of requirements that everyone must adhere to if they work with credit and debit card data. Visa, MasterCard, JCB, American Express and Discover helped create these policies to better protect consumers as card payments became more ubiquitous and the threat of fraud increased. 

These universal policies for merchants, card brands, acquirers and every other entity that stores, processes or transmits payment data ensure that security doesn't vary from one party to the next. What's more, they eliminate confusion over liability: everyone knows what they need to improve in order to create a secure payments environment, and everyone is held responsible when they don't.

The six core tenets

While PCI DSS is a nuanced and complex set of requirements, it ultimately boils down to six key responsibilities for data protection:

  1. Network security - Firewalls must adequately guard against outside attacks without complicating the payment process for the consumer. Strong authentication of the parties to a transaction is also required.
  2. Safe data - Cardholder data must be encrypted during transmission and protected while in storage.
  3. Updated tools - Antivirus and anti-malware software must be kept up to date so that vulnerabilities exposed by new threats are eliminated.
  4. Restricted access - Data must only be accessible to parties who need it in order to complete a transaction, and anyone who needs to use that data must have unique, secure credentials.
  5. Regular testing - All programs and networks must be monitored and tested on a regular basis to confirm they remain secure.
  6. Implemented policy - A security policy must be written and shared with everyone; it includes routines for checking compliance and penalties for violating the policy.

These are common sense; many of them are controls that companies already implement for internal data security. However, given the enormous risk of fraud and the number of parties involved, it's vital that PCI DSS spells them out to keep everyone on the same page.

This is just a high-level look at the primary points of PCI DSS. In future installments, we'll dive deeper into each of them and into the true scope of PCI DSS.

The Basics of PCI: What Is It?