This is one of the 52 terms in The Language of Cybersecurity published by XML Press in 2018 and the contributor for this term is John Elliott.

What is it?

A prescriptive information security standard designed to protect the confidentiality of credit and debit card data.

Why is it important?

All organizations that store, process, or transmit payment card data typically have a contractual requirement to comply with PCI DSS. Some countries and US states also mandate PCI DSS compliance by law.

Why does a business professional need to know this?

Organizations that store, process, or transmit credit or debit card data must balance PCI DSS requirements with their own cybersecurity assessment – in some cases, they may choose to outsource or segment their processing and apply PCI DSS to only a subset of their systems. Such organizations have two aims: to be secure and to comply with PCI DSS. An unhealthy balance between these two can lead to a “compliance first” culture, jeopardizing the organization’s cybersecurity.

PCI DSS is a prescriptive security standard consisting of twelve major security requirements (e.g. install and maintain a firewall configuration to protect cardholder data) broken down into around 280 sub-requirements. The requirements apply to all systems, processes, and people that store, process, or transmit cardholder data (known as the cardholder data environment or CDE) and all systems connected to the CDE.

Merchants that accept payment cards must formally validate their PCI DSS compliance to their acquiring merchant bank annually by undergoing an external audit or by completing a self-assessment. Service providers to merchants and financial institutions also must validate their compliance annually.

Organizations subject to PCI DSS typically segment their networks and systems into those parts that have to comply with PCI DSS and those that do not. Some organizations outsource operations that require PCI DSS compliance to vendors such as PayPal. The reason for this is that PCI DSS has much more stringent cybersecurity requirements than are necessary for systems that do not handle such sensitive data. Reducing the number of systems that must comply with PCI DSS also allows organizations to focus their compliance efforts on a smaller number of systems.

Organizations that suffer a breach in confidentiality of payment card data will receive safe harbor from card scheme financial penalties if the organization was PCI DSS compliant at the time of the breach.