PCI DSS - Protecting payment card information

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a standard concerning security of payment card data. Visa, MasterCard and American Express have collaborated to create this single set of industry standards.

What does PCI DSS mean?

Simply put, PCI DSS details the minimum standards required of anyone who stores, processes or transfers payment card data. Not all the standards are applicable to every business - it depends on what a given business does with payment card data, and how.

How do you define 'payment card data'?

Payment card data includes any of the information printed on a credit or debit card, or encoded on a magnetic stripe or microchip.

Examples of payment card data include:

• Data stored in the magnetic strip on the back of the card
• The three digit card validation code
• The cardholder's PIN
• Card number (also known as the Primary Account Number or PAN)
• Expiry date
• Cardholder's name

Years ago, when most credit card transactions took place using paper vouchers, security was straightforward - you could 'store' cardholder data in a safe, and destroy it by shredding and burning all copies.

In the modern era, most card transactions are processed electronically. The focus has shifted to ensuring that all systems that 'touch' cardholder data (for example, EFTPOS terminals, web-hosting providers, shopping carts and ERP systems) keep it secure. Visa, MasterCard and American Express (as leaders in the payment card industry) took the lead to help ensure the industry understands its obligations.

What does PCI DSS compliance mean?

To be PCI DSS compliant, you first need to understand exactly where and how your business stores, transmits or processes payment card data. Once you understand that, you can then assess whether your business meets the required security standards.

If your business doesn't store, process or transfer payment card data, then becoming PCI DSS compliant is relatively easy.

What is my first step?

To assess the level of compliance of your specific business and ensure it becomes (then stays) compliant, you need to complete a self-assessment questionnaire once each year.

The self-assessment questionnaire (SAQ) is a free and confidential tool. This website contains detailed information on which specific self-assessment questionnaire applies to your business. If you can't decide which SAQ to use, please consult your businesses IT advisor or contractor.

What else do I have to do?

You need to ensure your computer network remains secure. Part of maintaining a secure environment for payment card data is maintaining a secure computer network - particularly where your network 'touches' the internet.

To help you maintain a secure network, you need to ensure that any internet connections (modem, DSL or dial-up), internet servers or routers, Websites, E-mail systems, Firewalls or Data transmission points (including FTP and DNS) are scanned for potential vulnerabilities every three months or less by an approved scanning vendor.

If you monitor or report on PCI Compliance, ASB recommend keeping a copy of each completed scanning report and self-assessment questionnaire that you complete.

ASB may be able to provide you access to an easy-to-use PCI Compliance portal to assist you with your PCI Compliance and reporting requirements. Please contact the ASB Merchant Sales team to find out whether your business is eligible for access.