As a business owner, it's essential to understand what card data is covered by PCI DSS. Card data includes the Primary Account Number (PAN), the 16-digit number on the front of a credit or debit card.
Card data can be stored in various forms, including magnetic stripe data, chip card data, and card verification value (CVV) or card verification code (CVC). This data is critical to process transactions and must be handled securely to prevent breaches.
Businesses must ensure that all card data is protected, not just the PAN. This includes the card's expiration date, cardholder name, and service code.
What PCI DSS Covers
PCI DSS covers a wide range of card data, including cardholder data, sensitive authentication data, and encrypted data.
Cardholder data, such as names, addresses, phone numbers, and email addresses, is protected by PCI DSS. This data is often collected during online transactions, customer sign-ups, or when customers make purchases in-store.
Sensitive authentication data, like PINs and passwords, is also covered by PCI DSS. These types of data are highly sensitive and must be stored securely to prevent unauthorized access.
Encrypted data, such as encrypted credit card numbers, is also included in PCI DSS. This data is protected by encryption, but it still needs to be stored securely to meet PCI DSS requirements.
Card data is not just limited to credit cards; it also includes debit cards, prepaid cards, and gift cards. All types of card data must be stored securely to meet PCI DSS standards.
Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements to protect account data. The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.
The PCI DSS requires a secure network and systems to protect cardholder data from theft. This includes installing and maintaining a firewall configuration and not using vendor-supplied defaults for system passwords and other security parameters.
There are 12 high-level requirements of PCI-DSS, organized into six logically related groups called "control objectives". These include requirements for building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
Here are the six control objectives into which the 12 high-level requirements of PCI DSS are grouped:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Payment Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a must-have for any organization that handles credit card information. It's a set of technical and operational requirements designed to protect account data.
To be PCI DSS compliant, you need to implement 12 specific requirements, organized into six logically related groups called "control objectives." These groups are: Build and Maintain a Secure Network and Systems, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy.
Cardholder data includes Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code. Sensitive Authentication Data includes full track data, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.
The PCI DSS standard requires multi-factor authentication to be implemented, which means an individual must present a minimum of two separate forms of authentication before access is granted.
Here are the six control objectives and their corresponding requirements:
- Build and Maintain a Secure Network and Systems: Requirements 1-3
- Protect Cardholder Data: Requirements 4-6
- Maintain a Vulnerability Management Program: Requirements 7-9
- Implement Strong Access Control Measures: Requirements 10-12
PCI DSS compliance is a requirement for any organization that accepts, processes, stores or transmits credit card information. To meet PCI DSS requirements, all cardholder data must be stored on a private network that has no access or connection to the public internet.
There are two types of PCI DSS assessment reports: Self-Assessment Questionnaire (SAQ) and Report on Compliance (ROC). The type of report depends on the organization's type, volume of annual transactions, and payment channels adopted. Each payment brand has its own compliance requirements and eligibility criteria for SAQ or ROC.
Encrypt Transmission
Encrypting transmission over open public networks is a must, especially when dealing with sensitive cardholder data. This requires using strong cryptography to protect the data.
You should never use messaging applications like chat, email, or instant messaging to transmit sensitive card information, such as PANs. This is because these methods are not secure enough to protect sensitive data.
Encrypting transmission over public networks is a requirement to meet PCI DSS compliance. This ensures that cardholder data is protected from unauthorized access.
SSL certificates, although useful for securing a web server, do not guarantee PCI compliance on their own. Additional steps are needed to achieve full compliance.
What is a Payment Application?
A payment application is anything that stores, processes, or transmits card data electronically.
It's not just about credit card machines: a Point of Sale system in a restaurant, such as a Verifone swipe terminal or an ALOHA terminal, is also considered a payment application.
Any piece of software designed to touch credit card data is considered a payment application, which means even a Website e-commerce shopping cart, such as CreLoaded or osCommerce, falls into this category.
In the world of PCI compliance, a payment application is a broad term that encompasses anything that handles credit card information electronically.
Data Protection
Data Protection is a top priority for any organization handling card data. Cardholder data includes any information from a payment card that is printed, processed, transmitted or stored in any form.
To protect stored cardholder data, it's essential to render it unreadable via encryption. This includes information such as the PAN, cardholder name, and expiration date. Any cardholder data that is necessary to store must be encrypted, as stated in PCI DSS requirement 3.
Organizations should strive to eliminate the storage of cardholder data, except for data that's necessary for business, legal, or regulatory needs. This includes eliminating the storage of Sensitive Authentication Data (SAD) such as magnetic stripe and CVV, EMV chip, and PIN/PIN Block.
To protect cardholder data, organizations must also encrypt transmission of card data over open public networks. This is a PCI DSS requirement to prevent unauthorized use of cardholder data.
Here are some methods to store credit card data securely:
- Utilize a third-party credit card vault and tokenization provider.
- Render card data unreadable via encryption.
- Have a Qualified Security Assessor (QSA) perform an audit to ensure compliance with PCI DSS specifications.
Protect Stored Data
Protecting stored data is crucial to prevent its unauthorized use. Cardholder data includes any information from a payment card that is printed, processed, transmitted, or stored in any form.
To protect stored cardholder data, you should render it unreadable via encryption. This includes information such as the PAN, cardholder name, and expiration date. Any cardholder data that is necessary to store must be encrypted, regardless of PCI DSS compliance.
The best way to store credit card data is by utilizing a third-party credit card vault and tokenization provider. This removes the risk of storing card data from your possession and replaces it with a "token" that can be used for recurring billing.
Here are the steps to protect stored cardholder data:
- Protect stored cardholder data by rendering it unreadable via encryption.
- Use a third-party credit card vault and tokenization provider to store credit card data.
Storing cardholder data yourself is not recommended, as the bar for self-assessment is very high, and you may need to have a QSA (Qualified Security Assessor) come onsite and perform an audit to ensure that you have all the necessary controls in place.
Penalties for non-compliance can be catastrophic to a small business, with fines ranging from $5,000 to $100,000 per month for PCI compliance violations.
Debit Card Transactions in Scope?
Debit card transactions in scope for PCI are determined by the card association/brand logos that participate in the PCI SSC.
Any debit card branded with one of the five participating logos - American Express, Discover, JCB, MasterCard, and Visa International - is considered in-scope.
Debit cards that don't carry these logos are not included in the PCI scope.
Compliance and Validation
PCI DSS compliance is a requirement for any organization that accepts, processes, stores, or transmits credit card information.
Merely using a third-party company does not exclude a company from PCI DSS compliance, as it may cut down on their risk exposure but does not mean they can ignore the PCI DSS.
Formal validation of PCI DSS compliance is not mandatory for all entities, but Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS.
Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner.
There are four merchant levels of PCI DSS compliance, based on the annual volume of credit or debit card transactions processed by a business. The validation required differs by level; one such validation is an annual SAQ and a quarterly network vulnerability scan (optional).
Organizations should regularly review and update their policies and procedures, while also educating employees about the importance of PCI DSS compliance and their role in protecting cardholder data.
Implementation and Management
To implement PCI DSS compliance, merchants must ensure all card data is stored in a secure environment. This includes using encryption to protect sensitive information.
Merchants must also implement secure protocols for transmitting card data, such as using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt data in transit. This helps prevent interception by unauthorized parties.
Regular security audits and risk assessments are crucial for maintaining PCI DSS compliance. Merchants must identify and mitigate potential vulnerabilities in their systems and processes.
Secure Network and Systems
Implementing and maintaining a secure network and systems is crucial for any organization, especially those handling sensitive information. This involves employing robust network security protocols and controls to prevent and deter criminal activity.
To build a secure network, your organization should install and maintain a firewall configuration to protect cardholder data. This is a must-have for any payment system networks. Firewalls work by inspecting incoming network traffic and assessing it against a pre-configured rule set, allowing or denying traffic to protect internal networks.
You should assess and update your firewall configuration rules at least every six months to ensure your organization's firewall is performing properly. This includes documenting and justifying any open ports or servers necessary for business operations.
Here are some key requirements for building and maintaining a secure network and systems:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Regular penetration testing in conjunction with internal and external vulnerability scans is also essential to defend your payment cardholder environment from network vulnerabilities.
Implement Access Control Measures
Implementing access control measures is a crucial step in protecting sensitive data. It's essential to restrict access to cardholder data by business need to know, so any role-based access should operate on a "need to know" basis.
To achieve this, you can set the default access to "deny all" users, with the exception of those who are expressly granted authorization. This principle is also known as the "principle of least privilege."
Restricting physical access to cardholder data is also vital. This can be done by controlling and monitoring access to secure areas within your cardholder data environment through video or access control.
Access data must be retained for 90 days, unless prohibited by law. After that, cardholder data must be destroyed. For example, paper forms with cardholder data must be shredded once the retention period has passed.
To summarize, access control measures can be categorized into two types: physical and logical. Physical access controls include locks, tangible mechanisms, and other physical systems that protect sensitive information. Logical access controls, on the other hand, limit the use of payment devices, computing devices, and wireless networks to authorized users only.
Here are the key steps to implement access control measures:
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Network Resource Access Monitoring
Network Resource Access Monitoring is a crucial aspect of maintaining a secure and compliant environment. You're required to keep system logs for a minimum of one year.
To implement effective monitoring, your organization must track and monitor all access to network resources and cardholder data. This involves implementing system logging to connect specific actions to specific accounts and individuals.
System logs should be backed up to a centralized server to prevent alteration or deletion of log information. This ensures that you have at least three months' worth of logs readily available at all times.
Daily log reviews are essential to address any anomalies as soon as they occur. This proactive approach helps prevent potential security breaches and ensures compliance with regulations.
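The two practical points above, rendering the PAN unreadable or replacing it with a token (Data Protection and Protect Stored Data) and reviewing logs for anomalies (this section), as an added example that is not code from the original page or from any PCI SSC document. It masks and tokenizes a PAN, then scans constructed log lines for any full PAN that was written unmasked, which is exactly the kind of anomaly a daily log review should catch. The regex, the token format and the in-memory vault dict are assumptions standing in for a real tokenization provider.

```python
"""Added example: PAN masking, tokenization, and a scan over log lines
for unmasked PANs. Sample data and the vault are constructed."""
import re
import secrets

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern, an assumption)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize(pan: str, vault: dict) -> str:
    """Replace the PAN with a random token; only the vault maps token -> PAN.
    The dict stands in for a third-party vault, which would encrypt the PAN."""
    token = "tok_" + secrets.token_hex(8)
    vault[token] = pan
    return token


def _digits(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(line: str) -> list:
    """Return every Luhn-valid PAN appearing unmasked in one log line."""
    return [_digits(m.group()) for m in PAN_RE.finditer(line)
            if luhn_valid(_digits(m.group()))]


def redact(line: str) -> str:
    """Rewrite a log line so only the masked form of any PAN remains."""
    def repl(m):
        d = _digits(m.group())
        return mask_pan(d) if luhn_valid(d) else m.group()
    return PAN_RE.sub(repl, line)


# Constructed sample log lines; 4111111111111111 is a well-known test PAN
SAMPLE_LOG = [
    "2024-05-01T10:00:01 order=20240501100001 status=ok",
    "2024-05-01T10:00:02 DEBUG card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01T10:00:03 token=tok_ab12 last4=1111 status=ok",
]


def scan_log(lines):
    """(index, redacted line) for each line that leaked a full PAN."""
    return [(i, redact(l)) for i, l in enumerate(lines) if find_pans(l)]
```

Running scan_log(SAMPLE_LOG) flags only the DEBUG line; the order number is a 14-digit run but fails the Luhn check, so it is not a false positive.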
What is a Service Provider?
A Service Provider is defined by the PCI SSC as a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data.
This definition includes companies that provide services controlling or impacting cardholder data security.
The "merchant as a service provider" role is specified by the PCI SSC as a merchant accepting payment cards for goods and/or services, storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
Service Providers must achieve compliance; this is covered in more detail in the blog post "PCI Compliance and the Service Provider".
Definitions and Terminology
PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
The term "card data" refers to sensitive information associated with a payment card, including the card number, expiration date, and security code.
Definition of Merchant
A merchant is any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC as payment for goods and/or services.
To qualify as a merchant, you need to accept payment cards from companies like American Express, Discover, JCB, MasterCard, or Visa.
You might be surprised to learn that a merchant can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
For example, an Internet Service Provider (ISP) is both a merchant and a service provider - they accept payment cards for monthly billing, but also host merchants as customers.
History
The Payment Card Industry Security Standards Council (PCI SSC) was formed in September 2006 by MasterCard, American Express, Visa, JCB International, and Discover Financial Services.
These companies came together to create a unified set of security standards for the payment card industry. The PCI DSS was developed to address interoperability problems among existing standards and provide an additional level of protection for card issuers.
The first version of the PCI DSS, version 1.0, was released in December 2004. It was later updated to version 1.1 in September 2006, which included clarification and minor revisions.
Here's a list of the major versions of the PCI DSS, along with their release dates and notable changes:
The PCI DSS has been widely adopted and is now implemented and followed worldwide.