
PCI Security Standards Council (PCI SSC)

The Payment Card Industry (PCI) Security Standards Council (SSC) is an international organization that collaborates with payment industry professionals and stakeholders to curate payment data security resources and industry best practices. The PCI SSC develops the Data Security Standard (PCI DSS), which provides the latest technical requirements needed to design secure payment applications.

Are you subject to PCI SSC?

Any entity or merchant that stores, processes or transmits cardholder data, sensitive authentication data, and/or payment transactions must comply with the relevant PCI Standards. Software developers and manufacturers who develop payment applications and devices are also subject to the relevant standards.

Key obligations of the PCI DSS v4.0

Minimal storage of account data

Organizations must develop a data retention policy specifying that only the minimum cardholder data needed is kept (e.g. a cardholder's primary account number (PAN) and card expiration date), and identify the locations where that data is retained in order to reduce the risk of data compromise.

Implementation of audit logs

Organizations need to implement audit log mechanisms across all system components that handle cardholder data, so that suspicious activity or unauthorized changes to accounts are promptly detected and administrators are alerted. Audit logs should also track changes to administrative privileges, to address the risk of an individual disabling the audit log system.

Configuration of network security controls

Organizations must establish an internal configuration policy outlining what is and is not permitted within the database and network, in order to manage network traffic into, out of and between cardholder data environments (CDEs).

Do not store sensitive authentication data after authorization

Sensitive authentication data, such as PINs and card verification codes, must not be retained once authorization is completed. If this data needs to be stored before authorization completes, it must be encrypted with strong cryptography using a different key than the one used to encrypt the PAN.

Implementation and testing of security systems

Organizations must develop and keep up to date security policies and technical mechanisms that ensure the entire system network is secure, and must regularly test the rigor of those mechanisms so that abnormal activity can be responded to effectively.


FAQs

  • How do I apply the PCI DSS to my business operations?

    The PCI SSC is not responsible for enforcing compliance; that responsibility falls on the payment brands and banks. Payment brands must establish internal policies guiding cardholder and payment security practices, and these practices shall be adopted by acquiring banks, which must also develop their own approach that their customers must adhere to in compliance with the PCI Standards.

  • Do I notify the PCI SSC in the event of a cardholder data incident?

    The PCI SSC does not participate in forensic investigations. However, PCI Forensic Investigators can collaborate with entities to aid in the aftermath of such incidents. PCI Forensic Investigators are qualified by the PCI SSC.

  • Does the PCI DSS apply to bank account data?

    Bank account data (e.g. branch identification numbers, bank account numbers, routing numbers) is not payment card data, and the PCI DSS does not apply to such data. However, if a bank account number is also a PAN or contains a PAN, then the PCI DSS applies. Even where the PCI DSS does not apply to a particular account number containing elements of a PAN, it is strongly recommended that the account number be protected, to prevent unauthorized persons from recovering the full PAN from the account number.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
