What are the PCI Standards & Programs?
Now that you know what PCI DSS compliance is and who needs to be PCI compliant, it's time to learn more about the different PCI standards and programs.
PCI Data Security Standard (PCI DSS)
PCI DSS is the core PCI standard as it applies to any organization that stores, processes, and/or transmits cardholder data. This includes businesses, processors, acquirers, issuers, and service providers. Literally every entity in the payment processing industry. As such, PCI DSS is by far the largest set of standards.
There are 12 requirements with corresponding testing procedures grouped into six goals. Download the document titled PCI DSS from this document library to learn about each testing procedure.
Payment Application Data Security Standard (PA-DSS)
In addition to following the PCI DSS standards, software vendors and others who develop payment applications that store, process or transmit cardholder data need to also follow the Payment Application Data Security Standard. PA-DSS for short. The standards help protect full magnetic stripe data digitally stored on the back of the payment card as well as data stored on the computer chip embedded within some cards.
The card brands encourage businesses to use payment applications that comply with PA-DSS and are approved by the PCI Security Standards Council. You can check the list of approved payment applications before making a purchase on The Council's website.
Here are the 14 requirements. Each one has sub requirements and specific testing procedures. You can download the 92-page document titled PA-DSS from this document library.
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- Protect stored cardholder data.
- Provide secure authentication features.
- Log payment application activity.
- Develop secure payment applications.
- Protect wireless transmissions.
- Test payment applications to address vulnerabilities and maintain payment application updates.
- Facilitate secure network implementation.
- Cardholder data must never be stored on a server connected to the Internet.
- Facilitate secure remote access to payment application.
- Encrypt sensitive traffic over public networks.
- Secure all non-console administrative access.
- Maintain a PA-DSS Implementation Guide for customers, resellers and integrators.
- Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
PIN Transaction Security (PTS) Requirements
Companies that make credit card terminals, PIN pads and card readers need to follow this set of standards. The requirements are focused on the protection of cardholder personal identification numbers (PINs). Businesses should check the list of approved devices on the PCI Security Standards Council website every year.
Here is a high level summary of the PTS security requirements:
- Core Requirements
- POS Terminal Integration
- Open Protocols
- Secure Reading and Exchange of Data
- Device Management (manufacturing and initial key loading)
- Physical and logical security
- POS terminal integration
- Open protocols
- Requirements in support of cardholder account data encryption
Qualified Integrator and Reseller (QIR) Program
This program is for IT solutions providers including VARs, dealers and solution providers who work with small businesses to help reduce the risk of data theft. Organizations with this qualification are authorized to implement, configure and/or support validated PA-DSS Payment Applications on behalf of businesses or service providers. This is to ensure the payment application has been implemented according to PCI DSS Compliance.