Payment Card Industry Data Security Standard

This page covers PCI DSS: what it is, why it matters, and compliance best practices.


At a Glance - What is PCI DSS?

The Payment Card Industry Data Security Standard is a global information security standard that provides a baseline of technical and operational requirements designed to protect payment data. This standard was assembled by the Payment Card Industry Security Standards Council (PCI SSC) and was developed to help organizations that process credit card payments prevent fraud through enhanced security measures. This standard applies to all organizations that hold, process, or pass along cardholder information.

PCI DSS 4.0 is the latest version of the payment card industry standard. It builds on PCI DSS 3.2, which brought security and performance improvements over earlier versions. The latest version also adds requirements that extend beyond simple compliance with the Visa, MasterCard, and Discover Financial Services programs to cover ATMs, mobile POS, and advanced multi-factor authentication strategies that help protect physical access to computers and networks.


[Figure: PCI DSS 4.0 (Image Source: PCI)]


PCI Audits

Any organization bound to adhere to PCI DSS is subject to PCI compliance auditing, which is a time-consuming and expensive process. The most common process for testing PCI compliance is with the use of a WiFi scanning tool. Click here to read our article on complying with PCI audits.


Compliance Through Network Segmentation

A key practice in complying with PCI DSS in a wireless network environment is network segmentation, in which a specific segment of your wireless network infrastructure is dedicated solely to processing payment information. The network environment in which payment information is handled is referred to as the “cardholder data environment” (CDE). CDE isolation is not a PCI DSS requirement, but it is recommended as a means of reducing security risk and of reducing the scope and cost of a PCI compliance audit. Click here to read more in detail about network segmentation in achieving PCI DSS compliance.


[Figure: PCI DSS network segmentation (Image Source: PCI)]


PCI DSS and Wireless

If wireless technology is used to store, process, or transmit cardholder data (for example, a wireless point-of-sale device), the PCI DSS requires that testing procedures be implemented for securing the wireless environment. PCI DSS Requirement 11.1 / 11.2.1 specifically calls for the identification and elimination of any rogue access points. This is most commonly performed using a WiFi scanning tool, but can also be done through physical component inspections or wireless intrusion detection systems (IDS). Click here to read more information about scanning for rogue access points in compliance with PCI DSS.
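As an added illustration of the rogue access point check described above (this is example code written for this page, not a PCI SSC tool or anything from the original article), the script below compares a wireless scan against an authorized access-point inventory and flags radios that are unknown or that impersonate an in-scope SSID. All BSSIDs, SSIDs, signal levels and the -75 dBm "on-premises" threshold are constructed, hypothetical values.

```python
# Added example: classify scanned access points against an authorized
# inventory, as a PCI DSS Requirement 11.2.1 rogue AP check would.
# Every BSSID, SSID and RSSI value here is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str       # radio MAC address as reported by the scanner
    ssid: str        # network name being broadcast
    rssi_dbm: int    # received signal strength (higher is closer)
    channel: int


# Authorized inventory (constructed): BSSID -> SSID it may broadcast.
AUTHORIZED = {
    "00:11:22:33:44:01": "corp-pos",
    "00:11:22:33:44:02": "corp-pos",
    "00:11:22:33:44:03": "corp-guest",
}

# Constructed scan export, as a WiFi scanning tool might produce it.
SCAN = [
    ObservedAP("00:11:22:33:44:01", "corp-pos", -48, 6),
    ObservedAP("00:11:22:33:44:02", "corp-pos", -55, 11),
    ObservedAP("DE:AD:BE:EF:00:01", "corp-pos", -40, 6),        # unknown radio using the POS SSID
    ObservedAP("aa:bb:cc:dd:ee:ff", "Cafe_Free_WiFi", -80, 1),  # weak, unrelated neighbour
    ObservedAP("00:11:22:33:44:03", "corp-guest", -60, 1),
]


def normalize(bssid):
    """Scanners differ in case and whitespace; compare MACs canonically."""
    return bssid.strip().lower()


def classify(scan, authorized, neighbour_threshold_dbm=-75):
    """Map each observed BSSID to one of: authorized, misconfigured,
    rogue-impersonation, rogue-candidate, neighbour."""
    auth = {normalize(b): s for b, s in authorized.items()}
    known_ssids = set(auth.values())
    findings = {}
    for ap in scan:
        b = normalize(ap.bssid)
        if b in auth:
            # Known radio; still verify it broadcasts only the SSID it is assigned.
            findings[b] = "authorized" if auth[b] == ap.ssid else "misconfigured"
        elif ap.ssid in known_ssids:
            findings[b] = "rogue-impersonation"   # unknown radio advertising our SSID
        elif ap.rssi_dbm >= neighbour_threshold_dbm:
            findings[b] = "rogue-candidate"       # strong unknown signal: investigate on site
        else:
            findings[b] = "neighbour"             # weak unknown signal: likely off premises
    return findings


def rogue_bssids(findings):
    """BSSIDs that need physical follow-up for the audit evidence."""
    return sorted(b for b, f in findings.items() if f.startswith("rogue"))


if __name__ == "__main__":
    for bssid, finding in classify(SCAN, AUTHORIZED).items():
        print(f"{bssid}  {finding}")
```

Signal strength is only a coarse proxy for location, so anything flagged rogue-candidate still needs the physical inspection the text mentions before it is recorded as a finding or cleared.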