More than 15 years ago, a group of companies that processed credit card transactions came together to address a growing concern: there wasn't a clear, unified set of standards to ensure the secure processing, storage, and transmission of cardholder data. With e-commerce becoming more popular and cybercriminals more advanced, inconsistent guidelines governing credit card transactions created security vulnerabilities.
So, in December 2004, American Express, Discover, JCB International, MasterCard, and Visa Inc. partnered to produce the first version of the Payment Card Industry Data Security Standard (PCI-DSS). That version, and the numerous subsequent updates and revisions, contained a comprehensive list of requirements to ensure businesses maintain payment card data security. The key pillars are as follows:
A few years after PCI-DSS 1.0 was released, the founding companies formalized their role in ensuring credit card security by creating the PCI Security Standards Council (PCI-SSC). Since its launch in 2006, the PCI-SSC has overseen updates and revisions to PCI-DSS, and has worked with a variety of stakeholders from across industries to govern all things cardholder data.
PCI-DSS applies to three primary types of businesses:
The PCI-SSC releases a version or update to PCI-DSS roughly every year or two to ensure guidelines are in line with rapidly evolving technologies and security threats.
The current release, PCI-DSS 3.2.1, was published in May 2018. The next version, PCI-DSS 4.0, is expected to be released in mid-2021. PCI-DSS 4.0 will be the 10th version of the standard to be released.
PCI-DSS 4.0 is expected to differ from the current 3.2.1 in a few ways; the biggest is in how businesses will be able to achieve compliance. PCI-DSS 3.2.1 and earlier versions of the standard have specific and stringent requirements that dictate how companies must achieve compliance. PCI-DSS 4.0 will keep this existing prescriptive method for compliance, but it introduces another option: customized implementation. Customized implementation considers the intent of the objective and allows entities to design their own security controls to meet it.
To ensure businesses comply with PCI-DSS guidelines, there are penalties for non-compliance. These penalties are not assessed by the PCI-SSC, but rather by each of the card brands that a specific merchant may use to process credit card transactions.
The fee/penalty structure is not published publicly, but fees are higher for businesses that are out of compliance with PCI requirements when a breach occurs. However, penalties and fees can be assessed against a merchant organization even if the merchant was compliant at the time a breach occurs.
Below is a sampling of penalties organizations may face:
Although these may seem steep, the good news is that there are a number of tools that can help organizations comply with PCI-DSS requirements, especially with some of the added flexibility in Version 4.0. The PCI Council's SAQ (self-assessment questionnaire) is a useful option, and cybersecurity software like Xshield, a best-in-class micro-segmentation solution, can narrow the scope of an audit, providing significant assistance. Sign up for a free and customized demo of ColorTokens Xshield here.
About the Author: Brian Dixon, Certified PCI-QSA & CISSP, is a ColorTokens solutions architect and compliance expert.