Data Security Standards for Payment Industries

Mukesh Rathore
2 min read · Jan 5, 2021

Standards laid by Visa, MasterCard, AmEx, Discover and JCB


The PCI SSC (Payment Card Industry Security Standards Council) was founded by the payment card companies Visa, MasterCard, American Express, Discover and JCB, and it maintains the standards that protect cardholder data and reduce fraud. These standards are widely known as PCI DSS (PCI Data Security Standard).

Any entity (banks, online or physical stores) that stores, processes or transmits debit or credit card data on behalf of these card brands must comply with the PCI DSS standards.

PCI DSS Requirements

Entities need to comply with the following PCI DSS requirements:

  1. Only the credit/debit card number (and only in an unreadable format), the cardholder name and the expiration date may be stored. Magnetic stripe or chip data, the CVV/CVC and the PIN may not be stored in any form.
  2. Never use the PAN (Personal Account Number, i.e. the credit/debit card number) when authenticating a customer.
  3. Never send the PAN in email, chat or fax.
  4. Never store the full PAN on a local device such as a computer or a shared drive.

A PAN can be made unreadable by truncation (only the last 4/6 digits are stored), tokenization (the PAN is replaced by a number of no value) and encryption. Of these, only encryption still has to be handled under PCI compliance, because decrypting the data yields the full PAN.

If an application is the system of record for all cardholder data, it must maintain the PAN. For tokenized PANs, the original PAN can be retrieved from the ‘vault’ to process the transaction. Both encryption and tokenization should therefore protect the data here, and the application should keep all logs and raise an alert on suspicious activity.
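To make truncation, tokenization with a vault, and the "keep track of the logs" point concrete, here is an added example (not code from the original post): a minimal vault, a truncation helper, and a Luhn-based scanner a defender can run over log lines or chat exports to spot full PANs that should never be there. The card numbers are constructed test values, and the `TokenVault` class and its in-memory storage are assumptions for illustration, not a production design.

```python
"""PAN handling helpers: truncation, tokenization and a Luhn-based leak check.
Added illustration for the PCI DSS points above; all sample numbers are
constructed test values, not real accounts."""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits; the rest is never stored."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenization (assumed in-memory vault): the PAN is swapped for a random
    surrogate of the same length; only the vault can map the token back."""
    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "".join(str(secrets.randbelow(10)) for _ in pan)
        while token in self._vault:          # surrogates must be unique
            token = "".join(str(secrets.randbelow(10)) for _ in pan)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # the system of record retrieves the original PAN to settle the payment
        return self._vault[token]


# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number-like runs found in text (e.g. a log line)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits
```

Running `find_pans` over application logs, ticket exports or chat archives is a cheap control for requirement 3 and 4 above: any hit means a full PAN landed somewhere it must not be stored.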

Developers who work on card-system applications should know the OWASP Top 10 for PCI compliance. All systems that store cardholder information must run network vulnerability scans once per quarter, along with internal and external penetration tests of the infrastructure annually.

Additional Resources:
Payment Card Industry Data Security Standard
