PCI stands for Payment Card Industry. The most widely applied standard from the PCI Security Standards Council is the PCI Data Security Standard (PCI DSS), which governs how information classified as PCI data must be protected.
The basic premise is that all cardholder and sensitive authentication data must be protected.
Cardholder Data
- Full Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data
- Full magnetic stripe data
- CAV2
- CVC2
- CVV2
- CID
- PINs
- PIN blocks
Background Information
The PCI DSS is an information security standard for organizations that process payment cards with logos from major card issuers, including Visa, MasterCard, American Express, Discover, and JCB. Essentially, a group of competitors is coming together to establish proper card-handling security.
Conclusion
Many people forget or don't realize that PCI DSS is not a policy in a world of regulated data sets. It is a standard. Even though it's not backed by government regulation, there can still be consequences for being non-compliant. Consequences could include but are not limited to an increased frequency of audits by a Qualified Security Assessor (QSA), hefty fines, or a complete revocation of merchant account status.
To those who accept credit cards: When was the last time you completed the Self-Assessment Questionnaire (SAQ)? Are you positive you're properly scoped?
Resources
- PCI Security on pcisecuritystandards.org.
- Complete Your Assessment on pcisecuritystandards.org.