PCI DSS
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements and procedures that businesses must follow to protect their customers' payment card data (credit, debit, and prepaid cards).
The PCI DSS standard was developed by the Payment Card Industry Security Standards Council, a consortium of major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB.
Which types of businesses need to comply with PCI DSS standards?
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, or transmit cardholder data. This includes all merchants, regardless of their size or the number of transactions they process, as well as any service providers that handle cardholder data on behalf of merchants.
Here are some examples of entities that need to comply with PCI DSS:
- Retail Merchants: Physical stores that accept credit or debit cards for transactions must comply with PCI DSS to protect their customers' card information.
- E-commerce Businesses: Businesses that accept card payments through their website also must comply with PCI DSS. This applies whether they store card information on their own systems or pass it to a third-party payment processor; handing the payment page to a compliant third party reduces the scope of the assessment, but it does not remove the obligation.
- Non-profit Organizations: Organizations that accept credit or debit card donations, whether in person, by phone, or online, are also subject to PCI DSS.
- Service Providers: Any company that processes, transmits, or stores cardholder data on behalf of a merchant must comply with PCI DSS. This includes payment service providers, web hosting providers, call centers, and others.
It's important to remember that compliance with PCI DSS is not optional. Entities that do not comply with these standards can face fines and other penalties, and they also run a higher risk of suffering a data breach.
Requirements for PCI DSS compliance
The Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements, grouped under 6 control objectives, with which an organization must comply. These objectives and requirements are:
Build and maintain a secure network and systems:
- Install and maintain a firewall configured to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
- Protect stored cardholder data.
- Encrypt the transmission of cardholder data across open and public networks.
Maintain a vulnerability management program:
- Protect all systems against malware and regularly update antivirus software.
- Develop and maintain secure systems and applications.
Implement strong access control measures:
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly monitor and test networks:
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an information security policy:
- Maintain a policy that addresses information security for all personnel.
In addition to these requirements, it is important to bear in mind that PCI DSS compliance is not a one-time event, but a continuous process of assessing and improving security. The organization must validate its compliance at least once a year (by a self-assessment questionnaire or an on-site assessment, depending on its transaction volume), run quarterly external vulnerability scans through an Approved Scanning Vendor, and re-assess its scope whenever there are significant changes to its network or payment card handling processes.
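The requirements to protect stored cardholder data and to track access to it translate, in practice, into checks such as "no full card number (PAN) and no card verification code ever ends up in application logs". The following Python is an added example, not part of the original page or of any PCI SSC material: it scans constructed log lines for Luhn-valid 13-19 digit sequences, masks any PAN it finds to first six and last four digits, and flags fields that look like sensitive authentication data. The log lines, field names (`pan=`, `cvv=`) and the well-known test card numbers used in them are assumptions made for the example.

```python
import re

# Constructed sample log lines. The card numbers are published test PANs,
# not real accounts; the field names are assumptions made for the example.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z INFO  order=1001 customer=alice amount=19.99 status=ok
2024-03-01T10:00:02Z DEBUG payment request pan=4111111111111111 exp=12/26 cvv=123
2024-03-01T10:00:03Z INFO  order=1002 tracking=9400111899223100000001
2024-03-01T10:00:04Z DEBUG card 5555 5555 5555 4444 authorised
2024-03-01T10:00:05Z INFO  masked card 411111******1111 stored as token tok_8f3a
2024-03-01T10:00:06Z INFO  request_id=1234567890123456 completed
"""

# A PAN is 13 to 19 digits, optionally separated by spaces or hyphens, and
# must not be embedded in a longer digit run (the lookarounds enforce that).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data must never be stored after authorisation;
# a CVV/CVC value next to such a field name in a log is a finding on its own.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list[str]:
    """Return the unmasked PANs (digits only) found in one line."""
    pans = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex bounds the digit count; Luhn weeds out order numbers,
        # tracking numbers and other long identifiers.
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_log(log: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every unmasked PAN in the log."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


def find_sad(log: str) -> list[tuple[int, str]]:
    """(line number, field name) for every CVV/CVC-like value in the log."""
    return [
        (n, m.group(1).lower())
        for n, line in enumerate(log.splitlines(), 1)
        for m in SAD_FIELD.finditer(line)
    ]


def redact(log: str) -> str:
    """Replace every Luhn-valid PAN in the log with its masked form."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, log)


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN {masked}")
    for n, field in find_sad(SAMPLE_LOG):
        print(f"line {n}: sensitive authentication data in field '{field}'")
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner reports the two unmasked PANs on lines 2 and 4 and the `cvv` field on line 2, while the 22-digit tracking number, the Luhn-invalid request ID and the already-masked card on line 5 produce no findings. Masking is a display control; the underlying storage still has to be tokenised, truncated, hashed or encrypted as Requirement 3 demands.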
PCI DSS and E-commerce
In e-commerce, compliance with PCI DSS (Payment Card Industry Data Security Standard) standards is extremely important due to the large number of credit and debit card transactions processed online and the high risk of data theft and fraud.
Here is how PCI DSS applies to e-commerce:
- Secure transactions: Online stores must ensure that all transactions are conducted securely. Credit or debit card data must be protected with strong cryptography (TLS 1.2 or later; SSL and early TLS are no longer acceptable) when transmitted over the Internet, so that an attacker on the path cannot read it.
- Secure data storage: If an online store stores a customer's credit or debit card information for future transactions, this data must be stored securely. PCI DSS sets strict rules about how and where this data can be stored: the PAN must be rendered unreadable wherever it is kept (by tokenization, truncation, hashing, or strong encryption), and sensitive authentication data such as the CVV, the full magnetic-stripe or chip data, and the PIN must never be retained after authorization.
- Third-party payment processors: Some online stores use third-party payment processors to handle credit card transactions. In these cases, the merchant remains responsible for using only processors that are PCI DSS compliant, for keeping a written agreement and an up-to-date list of such providers, and for checking their compliance status at least annually.
- Payment gateways: Payment gateways, which are the services that transmit credit or debit card transaction data to the payment processor or bank, also must comply with PCI DSS.
- E-commerce service providers: E-commerce platforms and hosting service providers also have a responsibility to comply with PCI DSS.
- Continuous maintenance: PCI DSS compliance is not a one-time event. It requires continuous maintenance and monitoring to ensure that security systems and practices remain up-to-date and effective.
It's important to remember that even if an e-commerce company uses third-party service providers to handle credit card transactions, the company is still responsible for its own PCI DSS compliance. Non-compliance can result in fines and penalties from the card brands and acquiring bank, as well as loss of the ability to accept credit or debit card payments.