What is PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.


While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.

PCI DSS certification

PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:

- Installation of firewalls
- Encryption of data transmissions
- Use of anti-virus software

In addition, businesses must restrict access to cardholder data and monitor access to network resources.

PCI-compliant security provides a valuable asset that informs customers that your business is safe to transact with. Conversely, the cost of noncompliance, both in monetary and reputational terms, should be enough to convince any business owner to take data security seriously.

A data breach that reveals sensitive customer information is likely to have severe repercussions on an enterprise. A breach may result in fines from payment card issuers, lawsuits, diminished sales and a severely damaged reputation.

After experiencing a breach, a business may have to cease accepting credit card transactions or be forced to pay higher subsequent charges than the initial cost of security compliance. The investment in PCI security procedures goes a long way toward ensuring that other aspects of your commerce are safe from malicious online actors.

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.


Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).

Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They are required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.

Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.

Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.

PCI DSS requirements

The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.


Secure network

- A firewall configuration must be installed and maintained
- System passwords must be original (not vendor-supplied)

Secure cardholder data

- Stored cardholder data must be protected
- Transmissions of cardholder data across public networks must be encrypted

Vulnerability management

- Anti-virus software must be used and regularly updated
- Secure systems and applications must be developed and maintained

Access control

- Cardholder data access must be restricted to a business need-to-know basis
- Every person with computer access must be assigned a unique ID
- Physical access to cardholder data must be restricted

Network monitoring and testing

- Access to cardholder data and network resources must be tracked and monitored
- Security systems and processes must be regularly tested

Information security

- A policy dealing with information security must be maintained

PCI compliance and web application firewalls

Since its formation, PCI DSS has gone through several iterations in order to keep up with changes to the online threat landscape. While the basic rules for compliance have remained constant, new requirements are periodically added.

One of the more significant of these additions was Requirement 6.6, introduced in 2008. It was established to secure data against some of the most common web application attack vectors, including SQL injections, RFIs and other malicious inputs. Using such methods, perpetrators can potentially gain access to a host of data, including sensitive customer information.

Satisfying this requirement can be achieved either through application code reviews or by implementing a web application firewall (WAF).

The first option involves a manual review of web application source code coupled with a vulnerability assessment of application security. It requires a qualified internal resource or third party to run the review, while final approval must come from an outside organization. Moreover, the designated reviewer is required to stay up to date on the latest trends in web application security to ensure that all future threats are properly addressed.
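The kind of defect a Requirement 6.6 code review is meant to catch, as an added example (not code from the page or from mongkiemthe.com): a lookup that concatenates untrusted input into SQL text, beside its parameterized form. The in-memory SQLite table, the function names and the sample rows are constructed for the illustration; a real cardholder store would hold far more than an e-mail address and the last four digits of a card number.

```python
import sqlite3


def build_db():
    """Constructed sample store: e-mail plus last four card digits only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "0005")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    # The finding a reviewer would raise: the caller's string becomes part of
    # the SQL statement itself, so a quote in the input rewrites the WHERE
    # clause instead of being compared as data.
    sql = "SELECT email, last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened form: the value is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT email, last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def review_demo():
    """Run both lookups with an honest address and with a quote-bearing input."""
    conn = build_db()
    honest = "alice@example.com"
    # Quote-bearing input of the sort a reviewer's test case would use; it
    # should never match a stored address.
    crafted = "x' OR '1'='1"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_honest": lookup_parameterized(conn, honest),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in review_demo().items():
        print(f"{name}: {rows}")
```

With the honest address both functions return the single matching row. With the quote-bearing input the concatenating version returns every customer, because the input has changed the query's logic, while the parameterized version returns nothing; that difference is the signal a reviewer looks for, and the parameterized query is the fix to recommend.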

Alternatively, businesses can safeguard against application-layer attacks by using a WAF deployed between the application and its clients. The WAF inspects all incoming traffic and filters out malicious requests.

Offered by mongkiemthe.com, our cloud-based WAF blocks web application attacks using a number of different security methodologies, including signature recognition and IP reputation. Being fully compliant with PCI Requirement 6.6, it can be configured and ready to use within minutes.

To make compliance even easier, the mongkiemthe.com cloud WAF does not require any hardware installation or management overhead. This enables all organizations, from large companies to startups and small and medium enterprises that may not have the requisite security infrastructure and staff, to remain protected and PCI DSS compliant.
