PCI-DSS has been an official standard since 2004, and over the last 16 years it has guided payment solution developers and merchants in protecting cardholder data. With every breach the security standards respond and strengthen, so it is important to stay at the forefront of the latest requirements and remain compliant with PCI-DSS.
Global Payments Integrated is presenting what you need to know about PCI-DSS in 2020.
Knowing the Six
There are six major principles that make up PCI-DSS, and merchants and developers must know them to understand how the regulations are formulated. The six fundamental goals of PCI-DSS are:
- Maintain a secure network by having a good firewall and using internally set passwords instead of vendor-supplied passwords.
- Protect cardholder data with strong encryption.
- Use a vulnerability management program to help identify vulnerabilities.
- Restrict access to as few people as possible, and make sure each person with access has a unique ID.
- Test networks regularly to see how effective the protections are.
- Maintain an up-to-date policy for dealing with potential security issues.
Beyond the six goals, merchants and developers should:
- Know the flow of customer data
- Make sure cryptography is impeccable
- Read the requirements frequently, because they are updated often
- Validate the company annually
- Verify the compliance of third parties who process customer data
They should never:
- Store unnecessary cardholder information
- Store authentication data located in a cardholder's chip or magnetic stripe
- Display or print cardholder data that isn't properly masked
- Store cardholder data on an unprotected device, or send it in messages
- Place payment card system storage devices anywhere but a secured room
- Engage in any data security activity that violates the regulations
Specifics for Front-End Development
There are a few things front-end development must consider to ensure cardholder safety, such as having an SSL certificate. Developers should inform businesses that security features work best when a customer is using an up-to-date browser, and businesses should show this notice to their customers.
Software developers should also use security tools such as input validation, so that bad actors cannot enter malformed data or SQL commands meant to attack the application. Be sure to test often to check for errors in the security systems.
Specifics for Mobile Apps
PCI-DSS requires that mobile apps comply with its 12 requirements, such as having a good firewall and ensuring no vendor-provided passwords are used. All cardholder data must be protected if stored, and the exchange of data must be encrypted.
To keep the app as safe as possible, businesses must restrict access to customer data as much as possible. If there are people who need to access this type of data, be sure each of them has a unique ID so they can be identified should something happen. All access to the network must be monitored, the information security policy should always be up to date, and the security systems should be checked often.
Rules for Storing Customer Data
According to the rules for storing data, the only cardholder data that may be held is the expiration date, cardholder name, and account number, and any sensitive authentication data (SAD) must be erased after the transaction is cleared. If information is stored, businesses should do so in compliance with PCI rule 3.1, which states that "stored data can only be used for legal, regulatory, or business needs."
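As an added example that is not from the article or from Global Payments Integrated, the helper below applies two of these storage rules to a constructed transaction record: it erases the SAD fields once the transaction has cleared and masks the account number to at most the first six and last four digits, the maximum that PCI DSS requirement 3.3 allows to be displayed. The field names and sample values are assumptions made for the illustration.

```python
"""Added example: retain only permitted cardholder fields and mask the PAN.
Field names and the sample record are constructed, not taken from any real system."""
import re

# Cardholder data the article says may be retained after a transaction clears.
RETAINABLE_FIELDS = {"cardholder_name", "pan", "expiry"}
# Sensitive authentication data (SAD) that must be erased once the transaction clears.
SAD_FIELDS = {"cvv", "track1", "track2", "pin_block"}


def mask_pan(pan: str) -> str:
    """Mask a PAN for display or logging: keep at most the first six and last
    four digits (the PCI DSS 3.3 maximum) and replace the rest with '*'.
    Separators are dropped first; a PAN shorter than 13 digits is masked whole."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def strip_sad(record: dict) -> tuple[dict, list[str]]:
    """Return (retained_fields, removed_sad_fields) for a cleared transaction.
    Unknown keys are dropped as well, so a new field cannot quietly become stored
    cardholder data. The retained PAN still has to be encrypted at rest."""
    retained = {k: v for k, v in record.items() if k in RETAINABLE_FIELDS}
    removed = sorted(k for k in record if k in SAD_FIELDS)
    return retained, removed


def display_view(record: dict) -> dict:
    """Build the receipt/log view of a record: SAD gone, PAN masked."""
    retained, _ = strip_sad(record)
    if "pan" in retained:
        retained["pan"] = mask_pan(retained["pan"])
    return retained


if __name__ == "__main__":
    # Constructed sample using a well-known test PAN, not a real card.
    sample = {"cardholder_name": "A. Example", "pan": "4111 1111 1111 1111",
              "expiry": "12/26", "cvv": "123", "track2": "4111111111111111=2612..."}
    print(strip_sad(sample))   # full PAN retained for the encrypted store
    print(display_view(sample))  # ('411111******1111' in the masked view)
```

Running the script prints the storage record with the SAD fields removed and the display view with the masked PAN.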
Understanding the latest requirements of PCI-DSS is the key to protecting cardholder data and to ensuring your business is safeguarded against security risks.