What is PCI DSS and how does the standard compliance check occur?
At the end of 2015, the PayOnline electronic payment system proved for the eighth time that merchants and payers are under reliable protection. And in May 2016, the company received a physical certificate of compliance with the requirements of PCI DSS version 3.1, confirming the highest global security level.
In connection with this event, we would like to tell you more about what PCI DSS is, what criteria are used to verify compliance with the standard, and how an online store that does not hold its own certificate can still ensure the security of users’ financial data.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the data security standard for the payment card industry. In other words, it is a document with a list of criteria that a service must satisfy if it in any way handles data such as the card number, its expiration date, and the CVV code.
There are quite a few payment card brands (everyone knows Visa and MasterCard), and since we are talking about an industry standard, it is useful for all companies to agree on what they consider safe. For this purpose there is the PCI SSC (Payment Card Industry Security Standards Council), formed by the five largest payment systems. It is the Council that writes the rules of the “safe game”, and it is these rules that companies wanting to earn the coveted “PCI DSS Certified” label must follow. Certification must be renewed every year.
What exactly is checked?
In fact, it would be difficult to describe all the verification criteria, since there are 288 of them. The procedure itself is quite lengthy because it involves checking a number of complex technical issues. The complete list of criteria, divided into 12 groups, is as follows:
- Protection of the computer network.
- Configuration of information infrastructure components.
- Protection of stored cardholder data.
- Protection of cardholder data in transit.
- Antivirus protection of information infrastructure.
- Development and support of information systems.
- Management of access to cardholder data.
- Authentication mechanisms.
- Physical protection of information infrastructure.
- Logging of events and actions.
- Control of information infrastructure security.
- Information Security Management.
It is clear that both the software side and the “physical component” are covered; in other words, everything is checked. Here the word “verification” means the literal presence of the person performing the verification in the office of the company being checked. An authorized auditor with QSA status (Qualified Security Assessor; the status is confirmed by the PCI SSC) has the right to talk with payment gateway employees, examine the settings of the system components, take screenshots, and simply see “how it works”.