Making Sense of PCI DSS

Payment card fraud and data breaches, often in the news and a concern for most consumers, should be of equal or greater concern to any business that accepts credit or debit card payments or that captures, transmits, stores or processes cardholder data. In an increasingly global economy, global security standards and data privacy laws are necessary to protect payment card data. Recognizing the need for worldwide security measures, the Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 to oversee the creation and global distribution of the Payment Card Industry Data Security Standard (PCI DSS). A living document, the standard is updated periodically to address emerging threats and evolving technologies. All business entities that interact with cardholder data at any point are subject to these requirements. As a result, PCI DSS has a significant impact on contact centers and their back-office operating areas that handle credit or debit card interactions or data.

PCI DSS Guidelines

PCI DSS, as set forth by the SSC, is recognized globally as the benchmark for payment card data protection. PCI DSS contains requirements for merchants, service providers, processors, financial institutions, or any entity collecting, storing or transmitting this data worldwide. The guidelines detail minimum standards that must be followed to safeguard payment card information end-to-end, from acquisition of the data, through transmission and processing, during storage and retrieval, up to and including destruction. These standards are used globally by the 5 major payment card brands (American Express, Discover Financial Services, JCB International, MasterCard and Visa, Inc.) as the basis of their individual data security and compliance programs. The payment brands and their merchant banks set specific contractual guidelines for entities accepting their credit or debit cards to ensure the entities’ compliance with PCI DSS.

The underlying structure of PCI DSS consists of 12 foundational requirements for compliance categorized under 6 broader topics. Beneath each of the 12 high-level obligations are multiple subsections detailing specific expectations. Specifically, the 6 categories and 12 high-level requirements of the current version of PCI DSS are:

“Build and Maintain a Secure Network and Systems”

  • “Install and maintain a firewall configuration to protect cardholder data”
  • “Do not use vendor-supplied defaults for system passwords and other security parameters”

“Protect Cardholder Data”

  • “Protect stored cardholder data”
  • “Encrypt transmission of cardholder data across open, public networks”

“Maintain a Vulnerability Management Program”

  • “Protect all systems against malware and regularly update anti-virus software or programs”
  • “Develop and maintain secure systems and applications”

“Implement Strong Access Control Measures”

  • “Restrict access to cardholder data by business need to know”
  • “Identify and authenticate access to system components”
  • “Restrict physical access to cardholder data”

“Regularly Monitor and Test Networks”

  • “Track and monitor all access to network resources and cardholder data”
  • “Regularly test security systems and processes”

“Maintain an Information Security Policy”

  • “Maintain a policy that addresses information security for all personnel”

The PCI SSC website, www.pcisecuritystandards.org, contains detailed information regarding the 12 foundational PCI DSS requirements outlined above and their subsections. Also on the website are information supplements, frequently asked questions and answers, testing procedures, training and a glossary, among other resources. The website provides clarifications for merchants, hardware/software developers and manufacturers, financial institutions and industry professionals impacted by PCI DSS. For more information about PCI DSS, please contact Jana Benetti at Jana.benetti@DMGConsult.com or 623-935-4111.

Ask the Experts

Question:
We keep hearing about this concept called the Internet of Things. What does it mean and what is the impact on customer service?

Answer:
The Internet of Things (IoT) is a concept where objects have the ability to constantly transfer and receive data without the need for human intervention. A “thing” can be any object, natural or man-made, that can be allocated an Internet Protocol (IP) address and transmit or receive data over a network. Today IP-enabled sensors are in objects such as medical equipment (computed tomography (CT) scanners, electrocardiography (EKG) monitors, and blood glucose monitoring systems); automobiles; wearable devices (the wristwatch); home appliances (refrigerators, televisions, heating, ventilation and air conditioning (HVAC) systems, etc.); heavy machinery (tractors, bulldozers, oil and gas drilling equipment, etc.); as well as the more common devices such as smartphones, tablets, etc. The maturation of wireless, mobile and micro-electromechanical systems (MEMS) technology, along with the accessibility and speed of the Internet, is playing an important role in advancing the concept of IoT.

IoT could revolutionize the world of customer service, converting many services from reactive to proactive…

Have a question for the DMG Experts? Ask Us!

DMG Consulting LLC is a leading independent research, advisory and consulting firm specializing in unified communications, contact centers, back-office and real-time analytics. Learn more at www.dmgconsult.com.