What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. What it actually is, however, is a set of guidelines, measures, and controls that were developed to help merchants implement strong security precautions to ensure safe credit card usage and secure information storage. The PCI DSS was created in response to the need for an environment in which consumers can engage in secure e-commerce. There have been a number of recent security breaches that have become well known to the public. This is not a good thing from the perspective of the Payment Card Industry.

An individual's personal information is a very valuable commodity in today's digital age. Almost anything can happen if someone else got a hold of that information. And if word spreads too far, or consumers begin to develop a complete distrust of the digital payment process, they will stop making purchases with their cards.

The PCI DSS mandates that any merchant who processes, stores, or transmits credit card numbers be compliant with 12 specific requirements. These requirements can be further broken down into more than 200 individual security controls, but for the purposes of this article, it is enough to list the 12.

1. Install and maintain a firewall configuration to protect card holder data.


2. Do not use vendor-supplied defaults for system passwords and other security parameters.


3. Protect stored card holder data.


4. Encrypt transmission of card holder data across open, public networks.


5. Use and regularly update anti-virus software.


6. Develop and maintain secure systems and applications.


7. Restrict access to card holder data by business need-to-know.


8. Assign a unique ID to each person with computer access.


9. Restrict physical access to card holder data.


10. Track and monitor all access to network resources and card holder data.


11. Regularly test security systems and processes.


12. Maintain a policy that addresses information security.

Originally, the five major credit card companies had their own programs and lists that merchants were required to comply with. The PCI DSS came into being as a result of the realization that their goals, in this instance, were pretty close together. They each knew that a standardized set of guidelines and requirements would make things much easier for merchants to comply with them. The hope was that if the process was made simpler, merchants would be more likely to quicken their compliance.

For now, the Payment Card Industry Security Standards Council has implemented a few other means to encourage compliance. One comes in the form of the benefit of protection. Should a merchant suffer a breach while being compliant, that merchant can expect protection from the range of fines that would otherwise result. And the fines are just the beginning of the possible problems. Even though the fines may go as high as $500,000, the individual law suits can add up just as quickly, and to even greater numbers. The credit card companies could even revoke your ability to accept credit card payments. Add to this the nearly irreparable loss of your reputation, and suddenly PCI DSS compliance is just good business sense.

The PCI DSS is an extensive list of security controls that may be daunting to the average business owner. In the end, however, it is a guideline for necessary procedures to make your business as save as it can be. By taking the time to become compliant, your company can start to experience the long term benefits just that much sooner. The world of e-commerce moves at lightning speeds, and sometimes it seems like all we can do just to keep up. Taking the time to look ahead, to plan for evolving security measures and long term defensive strategies seems like time that could be spent doing something else. But we must never forget that it is very important to maintain a firm grasp on long term success.

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS, or how to become PCI compliant, visit Braintree Payment solutions today.