What is PCI

What does PCI stand for?


The term PCI stands for Payment Card Industry and describes the credit card companies' joint initiative to ensure that credit card data and customer information are protected. The credit card companies American Express, Discover Financial Services, JCB International (Japan Credit Bureau), MasterCard Worldwide and Visa Inc. came together to develop the Payment Card Industry (PCI) Data Security Standard (DSS).

PCI DSS

Inadequate security of credit card data and customer credit information can lead to credit card fraud, financial loss and reduced consumer confidence in using credit cards as a means of electronic payment. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements and security standards designed to help prevent security breaches that could lead to the loss of confidential information. The standard aims to reduce and limit network security vulnerabilities for companies and organizations that process card payments.

PCI Compliance

Companies that process credit card transactions, accept credit card payments, store credit card data, or are associated in any way with the processing of personal or confidential credit card payment information need to secure and protect their networks. PCI compliance guidelines are designed to ensure that the proper steps have been taken to implement security best practices so that credit card customer information is adequately protected.

PCI Compliance Program

PCI DSS Compliance

Companies and organizations that handle credit card processing and credit card payments for Visa, MasterCard, American Express and Discover need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). For many companies, implementing a PCI compliance program imposes additional time and costs that could otherwise be devoted to the organization's core business functions. The PCI DSS security standards are a framework of requirements designed to minimize payment card security risk and to ensure that customer information is secure and protected. These security requirements cover many aspects of the organization, from the physical network used in payment card processing to the information security policy that governs the monitoring and testing of network security needed to validate the PCI security requirements.

PCI Compliance Reporting Suite

A PCI compliance reporting suite can dramatically ease the burden of PCI compliance requirements by creating a centralized, secure audit repository for audit data, including PCI DSS log management records. Such management tools simplify and automate PCI reporting: they evaluate managed devices against the PCI requirements to validate that safeguards are working as intended, offering a complete, low-cost PCI compliance solution for merchants and credit card processing service providers that store, process and transmit cardholder data.

PCI Compliance Security Procedures

Risk Based Approach to PCI DSS

The PCI compliance industry is moving towards a risk-based approach to PCI DSS validation of computer systems, software and processes, in order to streamline compliance costs while optimizing procedures. Companies that adopt a risk-based approach, categorizing risks and assigning a corresponding plan to each within the PCI compliance program, can expect to realize the benefits the methodology provides. These benefits include the development of documentation standards, reduced testing in the risk-based environment, and reduced time and effort through task differentiation, maintenance and optimization.

PCI Compliance Security Procedures

Even though PCI DSS and the related PCI compliance activities broadly address risk-based approaches, certain parts of the initiative should focus primarily on implementing specific risk-based approaches. To ensure that a risk management approach is applied when allocating PCI compliance officer resources, companies should develop a quantitative, risk-based selection model for choosing which managed devices to audit. The PCI compliance program can serve as a model for the various types of payment card transactions, helping to predict where PCI audit inspections are most likely to achieve the greatest impact. Compliance models should include risk factors relating to the managed devices (such as their compliance history) and to the type of credit card processing involved. Risk factors relating to the specific device and to the level of process understanding should also be considered.

PCI Compliance Best Practices

Separation of duties is an enforcement process that prevents conflicts of interest and is among the most important fraud prevention PCI compliance best practices, yet it is often ignored. Based on the concept of mutually exclusive roles, organizations prevent any individual PCI compliance officer or internal audit group from conducting all phases of the compliance audit, which provides a security control that does not depend on the other PCI compliance security procedures and risk management audit activities.