Who Needs to Comply with PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (PCI SSC) to combat payment card fraud: specifically, to stop criminals from stealing and using consumers' financial information taken from payment card transactions and processing systems. PCI DSS sets a baseline of security practices for businesses that handle payment card data. These practices strengthen cardholder data security and facilitate the broad, consistent adoption of data security measures globally. PCI DSS applies to merchants and to every other entity (service providers, processors, acquirers and issuers) that stores, processes or transmits cardholder data and/or sensitive authentication data. Cardholder data is, at a minimum, the full primary account number (PAN), together with any cardholder name, expiration date or service code held with it. Sensitive authentication data is the full magnetic-stripe or chip track data, the card verification code (CVV2, CVC2, CID) and the PIN or PIN block; PCI DSS forbids storing any of it after authorization, even in encrypted form.

PCI DSS compliance is enforced not by the PCI SSC itself but by the payment brands that founded the council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. This makes PCI DSS an enforceable security standard that does not depend on any government agency. Several states have nonetheless incorporated PCI DSS into statute to protect their residents' credit card transactions and related personal information. Failure to comply with PCI DSS can lead to exclusion from the Visa, MasterCard or other major payment card networks, as well as fines commonly reported in the range of $5,000 to $100,000 per month, which the brands levy on the merchant's acquiring bank and which are typically passed through to the merchant.

PCI DSS is organized as twelve requirements that mirror established security best practices, three of which are summarized here. Businesses must build and maintain a secure network and systems. Network security controls make it harder for criminals to reach payment system networks and steal cardholder data and/or sensitive authentication data: Requirement 1 obliges companies to install and maintain firewalls (called "network security controls" in PCI DSS v4.0) to protect cardholder data, and Requirement 4 requires strong cryptography whenever cardholder data is transmitted across open, public networks such as the Internet. Requirement 2 obliges businesses to change vendor-supplied defaults for system passwords and other security parameters before a system goes into production. As PCI DSS itself observes, one of the easiest ways for criminals to get into an internal network is to try the default passwords and settings that payment card infrastructure ships with; those defaults are published in vendor documentation and widely known to attackers, which is why businesses are required to change them. Although the PCI SSC sets the PCI Security Standards, each payment card brand runs its own program for compliance, validation levels and enforcement.
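The two technical points above, encrypting cardholder data in transit and not trusting defaults, can be made concrete with a client-side TLS configuration. The following Python is an added example written for this article, not code from the original post or from the PCI SSC; it shows a client context that fails the requirement beside a hardened one, plus a small audit function of the kind a merchant could run over its own integrations. The TLS 1.2 floor is an assumption I have chosen for illustration: PCI DSS itself says "strong cryptography" and leaves the acceptable protocol versions to PCI SSC guidance.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """A 'before' configuration (constructed for this example).

    Certificate verification is switched off, so the client will send
    cardholder data to anyone who answers on the socket, including a
    man-in-the-middle on an open, public network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate: encryption without authentication
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected configuration.

    create_default_context() already requires a certificate chained to the
    system CA store and checks the hostname; the explicit minimum version
    is the assumed floor discussed in the lead-in.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses TLS 1.0 / 1.1 and SSL
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context passes.

    Each check corresponds to one way a client can 'encrypt' traffic while
    still exposing it: no peer authentication, no hostname binding, or a
    protocol version old enough to be downgraded.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        result = audit_client_context(ctx) or ["OK"]
        print(f"{name}: {'; '.join(result)}")
```

Note that the weak context still produces an encrypted connection, which is exactly why "we use TLS" is not by itself evidence of compliance: without `CERT_REQUIRED` and `check_hostname`, the encryption protects the data only from passive observers, not from an attacker who can interpose a server of their own.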

This article contains general legal information and does not contain legal advice. Apollo Compliance is not a law firm or a substitute for an attorney or law firm. For legal advice, please contact a lawyer.

Published by apollocompliance

Jean-Marc is a law student interested in cybersecurity and data privacy law.

5 thoughts on "Who Needs to Comply with PCI DSS?"

  1. Amazing! This blog looks exactly like my old one! It's on a totally different subject, but it has pretty much the same layout and design. Outstanding choice of colors!

  2. Heya, I am here for the first time. I came across this board and I find it really useful; it helped me out much. I hope to give something back and help others like you helped me.
