Payment Card Industry Security Standards Council

Last updated

PCI Security Standards Council, LLC
Founded7 September 2006;17 years ago (2006-09-07)
Headquarters401 Edgewater Place Suit 600,
Wakefield, Massachusetts
,
USA
Website pcisecuritystandards.org

The Payment Card Industry Security Standards Council (PCI SSC) was formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. on September 7, 2006, [1] with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard.

The Payment Card Industry Data Security Standard (PCI DSS) consists of twelve significant requirements including multiple sub-requirements, which contain numerous directives against which businesses may measure their own payment card security policies, procedures and guidelines. [2] [3] [4] [5]

To address rising cybersecurity risks to the payment ecosystem, the PCI SSC currently manages 15 standards for payment security, which are variously applicable to payment card issuers, merchants and service providers, vendors and solution providers, and acquirers and processors. [6] More recently, the PCI SSC has collaborated with EMVCo, to provide the security requirements, testing procedures and assessor training to support the EMV 3-D Secure v2.0 standard. [7]

Membership and participation

Members of the PCI Security Standards Council include an Executive Committee of six major payment brands: American Express, Discover Financial Services, JCB International, MasterCard, Visa Inc., and UnionPay. [8] The executives and management of the PCI SSC are supported by 30 companies comprising the Board of Advisors, [8] and other stakeholder advisory groups such as assessor companies and regional boards.

Interested parties can participate in the development of the PCI security standards through member registration as a Participating Organization. [9] [10] Currently, there are more than 700 Participating Organizations from more than 60 countries. [9] These participants are organized into Special Interest Groups, [11] which are tasked with recommending revisions to and the further development of the various security standards maintained by the PCI SSC.

Related Research Articles

<span class="mw-page-title-main">Tokenization (data security)</span> Concept in data security

Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no intrinsic or exploitable meaning or value. The token is a reference that maps back to the sensitive data through a tokenization system. The mapping from original data to a token uses methods that render tokens infeasible to reverse in the absence of the tokenization system, for example using tokens created from random numbers. A one-way cryptographic function is used to convert the original data into tokens, making it difficult to recreate the original data without obtaining entry to the tokenization system's resources. To deliver such services, the system maintains a vault database of tokens that are connected to the corresponding sensitive data. Protecting the system vault is vital to the system, and improved processes must be put in place to offer database integrity and physical security.

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

A payment gateway is a merchant service provided by an e-commerce application service provider that authorizes credit card or direct payment processing for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. The payment gateway may be provided by a bank to its customers, but can be provided by a specialised financial service provider as a separate service, such as a payment service provider.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

Shopping cart software is a piece of e-commerce software on a web server that allows visitors to have an Internet site to select items for eventual purchase.

The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:

The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM, and POS cards and associated businesses.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Qualified Security Assessor (QSA) is a designation conferred by the PCI Security Standards Council to those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of a Qualified Security Assessor (QSA) company approved PCI security and auditing firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data.

The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council. PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aimed to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards.

<span class="mw-page-title-main">Internet Security Awareness Training</span>

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

<span class="mw-page-title-main">Card security code</span> Security feature on payment cards

A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.

Ukrainian Processing Center is a Ukrainian company founded in 1997 which provides processing services and software for banks. UPC was the first Ukrainian company within the sphere of processing that received MSP and TPP status in Visa and Mastercard. In April 1997 UPC processed the first ATM EC/MC card transaction. Since 2005 UPC has become part of the Raiffeisen Bank International. The head office of UPC is based in Kyiv. Ukrainian Processing Center provides services to banks in Central and East Europe in the sphere of processing payment cards, merchant acquiring and ATM channel management. UPC also offers integrated IT systems for electronic commerce, card transactions monitoring systems of fraud prevention, card issuing system and SMS banking service. Moreover, UPC was the initiator of the establishment of the united ATM network "ATMoSphere", which consists of payment cards issuing banks. Annually UPC processes more than 400 million of payment card transactions.

File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline. This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. Other file attributes can also be used to monitor integrity.

An Application Defined Network (ADN) is a style of enterprise data network that uses virtual networks and security components to provide a dedicated logical network for applications. This allows customized security and network policies to be created to meet the requirements of that specific application. ADN technology allows for simple physical architectures with fewer devices, less device configuration and integration. ADN solutions simplify businesses' needs to securely deploy multiple applications across the enterprise footprint and partner networks, regardless of where the application resides. They provide policy-based, application-specific delivery to corporate data centers, cloud services and third-party networks securely and cost-effectively. Some ADN solutions integrate 3G or 4G wireless backup services to enable a second internet connection when connectivity is lost on the primary access connection. The ADN design provides an application-to-application (A2A) based model that evolves enterprise networks beyond the site-to-site (S2S) private model.

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. Payment solutions that offer similar encryption but do not meet the P2PE standard are referred to as end-to-end encryption (E2EE) solutions. The objective of P2PE and E2EE is to provide a payment security solution that instantaneously converts confidential payment card data and information into indecipherable code at the time the card is swiped, in order to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.

Certified Payment-Card Industry Security Implementer (CPISI) is a certification in the field of Payment Card Industry Data Security Standard.

Internal Security Assessor (ISA) is a designation given by the PCI Security Standards Council to eligible internal security audit professionals working for a qualifying organization. The intent of this qualification is for these individuals to receive PCI DSS training so that their qualifying organization has a better understanding of PCI DSS and how it impacts their company. Becoming an ISA can improve the relationship with Qualified Security Assessors and support the consistent and proper application of PCI DSS measures and controls within the organization. The PCI SSC's public website can be used to verify ISA employees.

The Four Corners model, often referred to as the Four Party Scheme is the most used card scheme in card payment systems worldwide. This model was introduced in the 1990s. It is a user-friendly card payment system based on an interbank clearing system and economic model established on multilateral interchange fees (MIF) paid between banks or other payment institutions.

References

  1. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 31 July 2017.
  2. Wilson, Donna (20 April 2018). "PCI DSS and card brands: Standards, compliance and enforcement" (PDF). Cyber Security. 2 (1): 73–82.
  3. Moldes, Christian (Spring 2018). "Compliant but not Secure: Why PCI-Certified Companies Are Being Breached". CSIAC Journal. 6 (1).
  4. Fruhlinger, Josh (17 July 2020). "PCI DSS explained: Requirements, fines, and steps to compliance". CSO Online. Retrieved 14 February 2022.
  5. Pierangelo, R. Scott (October 2020). "Using PCI Scope to Lower Risks and Cost" (PDF). ISSA Journal: 12–17.
  6. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 14 February 2022.
  7. "EMVCo and PCI SSC Combine Expertise on 3-D Secure 2.0" (PDF) (Press release). EMVCo. 29 September 2016. Retrieved 31 July 2017.
  8. 1 2 "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 14 February 2022.
  9. 1 2 "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 31 July 2017.
  10. "The PCI Security Standards maintaining payment security". European Payments Council. Retrieved 14 February 2022.
  11. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 31 July 2017.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.