What is PCI?
The PCI Security Standards Council is an open forum formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa.
In 2006, this council established rules and regulations to ensure security when handling credit card data in electronic transactions. The council is currently responsible for developing, managing, educating on and raising awareness of the PCI Security Standards, for example the requirements of the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS) and PIN Entry Device (PED).
Payment Method Flow
To understand the flow, it is necessary to know the terms used in payment methods.
- Acquirer: Performs the role of settling financial transactions made with cards. Acquirers communicate with card brands and issuing banks to process transactions. In short, the “card machines” are the acquirers.
- Card brands (flags): Regulatory bodies that determine and standardize the rules of the credit card market. They define, for example, how many installments a purchase may be split into and whether a card is international or national, among other things.
Every purchase transaction takes place in seconds, but it passes through several steps along the way. When the card is inserted in the machine, the acquirer sends the card brand an encrypted message containing an authorization request for the transaction.
The card brand contacts the issuing bank to check whether the transaction can be approved. If the answer is positive, the bank sends the authorization message to the brand, which authorizes the transaction. At that point the purchase has been made, but this is not the last step.
The purchase price must be paid by the consumer, and the seller must receive this money, so the buyer sends the sale data to the card brand; the brand validates the data and then sends it to the issuing bank, which completes the rest of the process.
This whole explanation serves to show the scope of PCI. PCI standards must be followed by any institution that stores, processes or transmits cardholder data.
PCI-DSS: Payment Card Industry Data Security Standard
The PCI-DSS consists of a set of security requirements and procedures intended to protect cardholders' personal information, reducing the chances of data theft or leakage and of fraud. Certification is a requirement of the main card brands. The PCI-DSS has twelve requirements grouped into six objectives, all of which must be 100% implemented and followed by an organization that wishes to obtain certification.
See the objectives and requirements below:
1. Build and maintain a secure network through which to conduct transactions:
   - Use a firewall strong enough to be effective, but without causing undue inconvenience to vendors and cardholders.
   - Do not use passwords and default settings provided by vendors.
2. Cardholder information must be protected:
   - Protect the cardholder's stored information (date of birth, document number, telephone number and e-mail address).
   - Use encryption when transmitting cardholder data over public networks.
3. Keep the system protected from hackers:
   - Use software that protects against viruses, spyware and malware, and keep it frequently updated.
   - Develop and maintain secure systems and applications.
   - Restrict access to credit card data according to the position of each employee in the company.
4. Implement strong access control measures:
   - Designate unique and confidential login data for each network and system user.
   - Restrict physical and electronic access to card data.
5. Monitor and test networks frequently:
   - Track and monitor all access to the network and to credit card data.
   - Test the security of systems and processes regularly.
6. Maintain a formal security policy:
   - Define a security policy that is followed and maintained by everyone.
Why should companies implement PCI-DSS?
PCI-DSS certification brings together the elements necessary to ensure the highest security for online transactions, thereby decreasing the chances of an incident involving data leakage, data theft or fraud.
If any of these incidents occurred, the institution could face lawsuits, financial losses and reputational damage, which could even lead to its bankruptcy. Therefore, investing in certification will strengthen customer confidence and ensure that Information Security is seen as a business strategy.
* Carolina Fernandes is a security consultant at [SAFEWAY]