
Everything You Need to Know About Payment Card Industry (PCI) Compliance

If your company accepts electronic payments, it is important to understand the standards the Payment Card Industry Security Standards Council (PCI SSC) publishes, especially since they are updated regularly.

The last update to PCI DSS was almost one year ago, which is still fairly recent. To keep doing business without facing fines from your acquirer and the card brands, or a forced audit, you need to make sure your company complies with every PCI standard that applies to it. Here is a quick refresher on the standards body and the policies involved in PCI.

The PCI Council

The Payment Card Industry Security Standards Council (PCI SSC) is a global industry standards body, founded by the major card brands, that develops, enhances, publishes, and supports the PCI security standards. It is not a government regulator; compliance obligations and penalties are enforced through the card brands and acquiring banks. PCI SSC publishes tools and standards that are critical to understand if you accept electronic payments at your business.

1. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) covers cardholder data security and every system that stores, processes, or transmits credit or debit card data, together with any system connected to those systems. If you are a merchant, you are probably familiar with PCI DSS through your annual PCI DSS assessment. PCI DSS is not a static set of requirements; the PCI SSC continually revises and refines it in response to industry trends and new attack techniques.

2. PA DSS

The Payment Application Data Security Standard (PA DSS) covers security for payment applications that access cardholder data. Payment applications include software developed to help merchants process electronic payments, including magnetic stripe, EMV (Europay, MasterCard, and Visa), and contactless transactions. PA DSS is intended to ensure that third-party payment applications handle cardholder data properly. Note that PCI SSC has since retired PA DSS (its listings expired in October 2022) in favour of the PCI Software Security Framework, which comprises the Secure Software Standard and the Secure Software Lifecycle (Secure SLC) Standard; check which standard your vendor's current listing falls under.

3. PCI PTS

The Payment Card Industry PIN Transaction Security (PCI PTS) standard is a set of technical and operational requirements for payment terminals that protect cardholder data and PINs. PCI PTS is modular: its requirements are grouped into modules that cover hardware and firmware protection against physical, logical, and network tampering, device integration, open protocols (TCP/IP, TLS, Bluetooth, and USB), and secure reading and exchange of data (SRED), which governs how cardholder data is read and encrypted inside the device.

Unlike the other standards reviewed so far, PCI PTS is updated on a three-year cycle. PCI PTS does not rely on point-in-time assessments of the merchant; instead, the terminal itself is physically submitted to a PCI-approved third-party laboratory for evaluation. If the terminal passes, PCI SSC lists it with a Letter of Approval (LOA) that is valid until the expiry date of the version of the specification it was evaluated against. The expiry dates by version are:

  • Version 1: LOAs expired April 30, 2014
  • Version 2: LOAs expire April 30, 2017
  • Version 3: LOAs expire April 30, 2020
  • Version 4: LOAs expire April 30, 2023
  • Version 5: LOAs expire April 30, 2026

Once the validity period for a version has expired, manufacturers can no longer sell new units of a terminal approved under that version as PCI PTS approved. Warranty repairs and like-for-like replacements of already-deployed devices are still allowed, but acquirers and card brands set their own rules on how long expired devices may stay in service, so check with your acquirer before relying on them.

4. PCI P2PE

The Payment Card Industry Point-to-Point Encryption (PCI P2PE) standard is a set of security requirements covering complete P2PE solutions, including the payment terminal, the terminal application, deployment and device management, key management, and the decryption environment. Because card data is encrypted inside a PTS-approved terminal and not decrypted until it reaches a validated decryption environment, the merchant never handles cleartext account data, which is why validated P2PE solutions are widely regarded as the "gold standard" of cardholder data protection. A merchant that uses a PCI-listed P2PE solution can substantially reduce the scope of its PCI DSS assessment and, if it meets the eligibility criteria, complete the much shorter Self-Assessment Questionnaire P2PE (SAQ P2PE) instead of a full assessment.

Conclusion

If your business accepts any form of electronic payment, protecting your customers' card data should be at the top of your list of priorities. Most PCI standards are not static; they change as the industry and the threat landscape change, so compliance is an ongoing effort rather than a one-time project. PCI compliance demands sustained attention to detail, both to protect cardholder data and to avoid the fines and remediation costs that follow a breach or a failed assessment.