A weakness in any part of the payment ecosystem could result in a significant breach of cardholder data (CHD) within your organization, which is why it is so important to meet your Payment Card Industry Data Security Standard (PCI DSS). It can often be difficult, however, as each area in the payment ecosystem will require adherence to different PCI security standards in order to meet your specific compliance mandate.
The PCI Data Security Standards
To help organizations protect CHD, the PCI Security Standards Council (SSC) has developed three different standards, depending on function:
Figure 1- Payment Ecosystem and PCI Security & Compliance Standard
The PCI PIN Transaction Security (PTS) standard applies to companies that manufacture the devices accepting personal identification numbers (PINs). These devices are used by merchants, at the point of interaction, to capture card data and approve the transaction.
The Payment Application Data Security Standard (PA-DSS) was designed for software developers and integrators of applications that store, process, or transmit cardholder data as part of authorization or settlement. The objective of this standard is to minimize payment vulnerabilities to prevent the compromise of full magnetic stripe data located on the back of the card, or data stored on the chip. Merchants and service providers should only use payment applications that are PA-DSS certified.
PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers, service providers, and any other entities that store, process, or transmit CHD and/or Sensitive Authentication Data (SAD). These PCI compliance standards cover all technical and operational system components included in or connected to cardholder data.
Common PCI DSS Misconceptions
A common misconception made by many organizations is that PCI DSS requirements do not apply to them. These organizations believe that because they utilize PCI Security Standard Council approved PTS devices and PA providers, outsource card processing to a PCI DSS compliant vendor, or do not store cardholder data (CHD), they are compliant or out of scope for PCI DSS.
Unfortunately, this is not the case. Only a small part of the standard necessitates using compliant PTS devices, PA providers, and third parties, but the standard as a whole reaches beyond these specific requirements. This means that not storing CHD does not except you from the standard, it only makes certain requirements not applicable. PCI DSS is not limited to technology! Operational components such as people and process are addressed in the requirements as well. This includes policies, procedures, awareness training, and vendor management, among others.
Other organizations believe that low transaction volume exempts them from all or part of the PCI DSS requirements. Low transaction volume only effects reporting requirements to the card brands, but does not absolve the organization from being PCI compliant. Therefore, the organization is still required to comply with PCI DSS. While it is expected that you comply with PCI DSS, you may find that there are requirements that will not be necessary to put in place for your organization. The best factors to determine if a particular requirement is applicable to your organization would be your business processes and environment. For example, if you do not have a wireless network, most of the wireless network requirements are not applicable. In addition, there are also situations wherein an organization provides network access for an on premise vendor who accepts card payments. In this scenario, the organization providing access is considered a service provider, and is required to be compliant with PCI DSS.
Ultimately, if your organization stores, processes, and/or transmits CHD, you must comply with PCI DSS. This does not change, regardless of whether or not you store cardholder data (CHD), outsource card processing, use a compliant vendor, or perform limited transaction volumes.