While a relative newcomer to the IT compliance scene, PCI DSS has been mandated by all members of the PCI Security Standards Council, including Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International. What this means, essentially, is that all banks that process the payment transactions associated with these cards are responsible for ensuring that merchants meet the standard, or face severe penalties.
PCI DSS has an extensive reach — it applies not only to your business, but also to virtually any vendor that supports your organization by accepting, storing, processing or transmitting payment card data, including personal data from credit and debit cards. Any business partner or vendor that handles cardholder data (CHD) or sensitive authentication data (SAD) in these capacities is classified as a PCI merchant and is required to comply.

Objectives and requirements
The overriding goal of PCI DSS is to ensure payment card data confidentiality, which means making sure that you and your vendors have the proper operational processes and controls in place to secure customer data and ensure it is auditable. Specifically, PCI DSS requirements are intended to ensure that organizations:
• Build and maintain secure networks and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information
Many of the PCI DSS standards have detailed requirements that focus on key processes and controls organizations must have in place for managing user identities and entitlements.
These include controls that: