Now that you know what PCI DSS compliance is and who needs to be PCI compliant, it’s time to learn more about the different PCI standards and programs.
PCI Data Security Standard (PCI DSS)
PCI DSS is the core PCI standard: it applies to any organization that stores, processes or transmits cardholder data, or that could affect the security of a cardholder data environment. That covers merchants, processors, acquirers, issuers and service providers, so it is by far the most widely applicable of the PCI standards.
There are 12 requirements, each with its own testing procedures, grouped into six goals. Download the document titled PCI DSS from the PCI Security Standards Council's document library to read each requirement and its testing procedures.
Payment Card Industry Software Security Framework (PCI SSF)
In addition to following PCI DSS, vendors and others who develop payment software that stores, processes or transmits cardholder data also need to follow the Payment Card Industry Software Security Framework, PCI SSF for short. PCI SSF replaced the older Payment Application Data Security Standard (PA-DSS), which the Council retired in October 2022. Among other things, these standards are meant to ensure that payment software never retains the full magnetic stripe data from the back of the card, or the equivalent data from the chip embedded in the card, after a transaction has been authorized.
The card brands encourage businesses to use payment software that has been validated against PCI SSF and is listed by the PCI Security Standards Council. Check the Council's list of validated payment software before making a purchase.
The 14 requirements below are those of PA-DSS, the standard PCI SSF replaced. The Secure Software Standard within PCI SSF reorganizes the same objectives into control objectives, but the list is still a useful summary of what payment software is expected to do. Each requirement had sub-requirements and specific testing procedures. The current PCI SSF standards can be downloaded from the Council's document library.
- Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data.
- Protect stored cardholder data.
- Provide secure authentication features.
- Log payment application activity.
- Develop secure payment applications.
- Protect wireless transmissions.
- Test payment applications to address vulnerabilities and maintain payment application updates.
- Facilitate secure network implementation.
- Cardholder data must never be stored on a server connected to the Internet.
- Facilitate secure remote access to payment application.
- Encrypt sensitive traffic over public networks.
- Secure all non-console administrative access.
- Maintain an Implementation Guide for customers, resellers and integrators.
- Assign responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators.
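The first, second and fourth requirements above (do not retain track data or card verification values, protect stored cardholder data, log application activity) are where payment software most often fails in practice: a debug log that captures a raw card swipe has just stored full track data on disk. The following Python script is an added example, not code from this article or from any PCI standard. It scans constructed log lines for track 1 and track 2 data and card verification values, removes them outright (sensitive authentication data must not be retained at all, even masked), and masks any Luhn-valid PAN to its first six and last four digits. The function names, regular expressions and sample lines are this example's own assumptions; the card numbers are publicly documented test PANs, not real accounts.

```python
import re

# Track 1 looks like %B<PAN>^<NAME>^<YYMM><service code>...?, track 2 like ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%[A-Z]\d{13,19}\^[^^?]*\^[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")
# Card verification values as they tend to appear in application logs (key=value form).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2?)\s*[=:]\s*\d{3,4}\b")
# Candidate PANs: 13 to 19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample log lines using publicly documented test PANs (not real accounts).
SAMPLE_LOGS = [
    "INFO 2024-01-03 auth ok pan=4111111111111111 amount=12.50",
    "DEBUG raw swipe track2=;4111111111111111=29121011234567890?",
    "INFO order=1234 cvv=123 pan=5555555555554444",
    "INFO healthcheck ok",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out timestamps and order ids that happen to be 13-19 digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str):
    """Return (cleaned line, list of finding types) for one log line."""
    findings = []

    def drop_track(_m):
        findings.append("track_data")
        return "[TRACK DATA REMOVED]"

    def drop_cvv(m):
        findings.append("card_verification_value")
        return m.group(1) + "=[REMOVED]"

    def mask(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)  # not a card number, leave it alone
        findings.append("pan")
        return mask_pan(m.group(0))

    # Sensitive authentication data is removed outright, never masked, and it is
    # removed before PAN masking so the PAN inside the track is never written back.
    line = TRACK1_RE.sub(drop_track, line)
    line = TRACK2_RE.sub(drop_track, line)
    line = CVV_RE.sub(drop_cvv, line)
    line = PAN_RE.sub(mask, line)
    return line, findings


def scrub_logs(lines):
    """Scrub a list of log lines; returns a list of (cleaned line, findings)."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for cleaned, findings in scrub_logs(SAMPLE_LOGS):
        print(f"{cleaned}    findings={findings}")
```

Run it on a copy of an application log before a PCI assessment: any line that produces a "track_data" or "card_verification_value" finding is evidence the application stored sensitive authentication data after authorization, which is a failure of the first requirement regardless of how well the rest of the log is protected. The Luhn check keeps most timestamps and order ids out of the PAN findings, but a tool like this is a detective control; the fix is to stop the application from writing the data in the first place.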
PIN Transaction Security (PTS) Requirements
Companies that make payment terminals, PIN pads and card readers need to follow this set of standards. The requirements focus on protecting the cardholder's personal identification number (PIN) at the point of interaction. Each approved device listing carries an expiry date, so businesses should check the list of approved PTS devices on the PCI Security Standards Council website at least once a year to confirm that the devices they deploy are still approved.
Here is a high-level summary of the PTS evaluation modules and the requirements each one covers:
- Core Requirements: physical and logical security of the device
- POS Terminal Integration: secure integration of the device with the point-of-sale system
- Open Protocols: secure use of open protocols by the device
- Secure Reading and Exchange of Data: requirements in support of cardholder account data encryption
- Device Management: manufacturing and initial key loading
Qualified Integrator and Reseller (QIR) Program
This program is for IT solution providers, including VARs, dealers and integrators, that work with small businesses to help reduce the risk of data theft. Organizations with this qualification are trained and authorized to implement, configure and/or support validated payment software on behalf of merchants or service providers, so that the software is installed in a way that supports the merchant's PCI DSS compliance (following the vendor's Implementation Guide, for example) rather than undermining it.
Article by Clearent by Xplor
First published: January 03 2024
Last updated: October 24 2024