The Payment Card Industry Data Security Standard (“PCI DSS”) was developed as a standard to help organizations that process credit, debit and stored value card payments 1) prevent credit card fraud, cracking and various other security vulnerabilities and threats; and 2) facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a set of comprehensive requirements for enhancing payment account data security and is intended to help organizations proactively protect customer account data. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined.
Merchants and payment card service providers must validate their compliance periodically. This validation may be conducted by auditors—i.e. persons who are PCI DSS Qualified Security Assessors (“QSAs”). Most companies perform a Self Assessment Questionnaire (“SAQ”). The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.
Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security
The SAQ consists of 227 questions related to computer security and compliance with the PCI DSS. It is a cumbersome and lengthy process that can be technically challenging for the unsophisticated. Many of the questions are complex and require interpretation for non-expert users. The DSS is written from an Information Technology perspective rather than a business process perspective, so interrelated requirements appear in different places throughout the various requirements. The guidance documentation is equally complex, and there is no single document in which a user of the DSS can find explanations and definitions.