The PCI Data Security Standard (PCI DSS) is a multifaceted, layered framework developed and endorsed by the major card brands as an industry standard to protect cardholder data in any organization, system, network, or application that handles it. It is a set of minimum security requirements that all industry participants must adhere to at all times. Full compliance is mandatory for any entity that stores, processes, and/or transmits cardholder data. Each of the 12 high-level security requirements is broken down into numerous smaller sub-requirements. The high-level requirements, as detailed by the PCI Security Standards Council (PCI SSC), the governing body of the Standard, are as follows:
| Goal | Requirement |
|---|---|
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data |
| | Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software |
| | Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know |
| | Requirement 8: Assign a unique ID to each person with computer access |
| | Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data |
| | Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security for all personnel |
Why PCI & PA-DSS Compliance Matters
Both Visa and MasterCard require merchants that use third-party payment applications to use only applications that comply with the PA-DSS. Merchants' card processing environments must also comply with the PCI DSS. Right now, credit card processors are contacting your customers and requiring them to update to a PCI DSS compliant environment and use a PA-DSS compliant application in accordance with the card brand rules. This means that software companies that do not develop PA-DSS compliant solutions will soon be left behind their competitors that do, and will rapidly lose their reseller base.
Vantiv takes data security very seriously. As a condition of processing with Vantiv, you are required to provide proof of PCI DSS and PA-DSS certification before your payment solution can be enabled in production on the Vantiv platform. Thereafter, you must also maintain PCI DSS and PA-DSS compliance at all times. Your application will not be enabled in production on the Vantiv platform until this can be confirmed, and it may be disabled without notice should your compliance with either PCI DSS or PA-DSS lapse.
Is Your Application Up to Standards?
If your solution is designed to capture, process, store, or transmit credit card data, you are obligated to comply with one or more of the payment card industry security standards.