
PCI DSS - Definition, requirements and frequently asked questions
Companies processing credit card data are committed to strict security standards and PCI audits. In this article, we take a look at the role PCI plays for companies.
If you read "PCI DSS" and don't deal with it on a daily basis, you probably won't understand it at first. We get it. PCI or PCI DSS stands for 'Payment Card Industry Data Security Standard'. This is a security standard developed by all the major credit card companies, and every company that stores and/or processes credit card data must comply with it at all times. The objective? High data security, protection of customers and their data, and thus maintaining and increasing trust in the credit card payment system.
Companies that process credit card data must be "PCI DSS compliant" because they depend on cooperation with the credit card providers. This means that they must set up a secure infrastructure for payments and protect it against theft, hacker attacks and data loss using firewalls and many other security measures. Strict digital and physical access control is also important.
But technical tools and infrastructure alone are not enough. Security training for the employees of these companies is at least as important, as they are responsible for the secure storage, display and transmission of sensitive credit card data in day-to-day business.
The strict PCI DSS requirements are not optional; they must be met at all times. If data is lost or a PCI audit is not passed, there are serious consequences. High fines and reputational damage are the lesser of two evils; what is worse is that such companies will no longer be allowed to process credit card data and may lose a fundamental part of their business. Now let's take a closer look at the security measures that are important for your employees in their day-to-day work as part of PCI DSS compliance.
Security measures are necessary for all those who process credit card data in order to guarantee the protection of this sensitive data.
This includes for instance:
Disregarding these measures or rules is a clear violation of the PCI DSS security standard.
As we now know, every company that stores and processes credit card data must fulfil the PCI requirements and provide evidence of this on an annual basis, no matter how small or large the company is.
Only the scope of the audit depends on the company's annual transaction volume: the larger the transaction volume, the stricter the requirements.
For the end customer, using a credit card is quick, uncomplicated and secure. And it should stay that way.
To achieve this, measures to protect the processed data must be implemented, communicated and trained. After all, it is the employees who actively process credit card data on a daily basis and need to know what they can and cannot do.
This means that everyone involved can trust in the security of their data and companies that work with credit cards protect this important business area through PCI DSS compliance.
Do you process credit card data and would like to train your employees?
Please contact us for further details.
Get a free demo account now and let's talk about your needs in a web meeting. We'll show you how to train your employees on handling credit card data correctly.