PCI DSS cybersecurity requirements are relevant for all sorts of organizations, whether you’re a financial institution or a business with customers and transactions. And, while there are already many laws, regulations, and standards designed to protect personal data, this standard is particularly focused on card transactions.
In this blog post, we explain the PCI-DSS, its standards, requirements, levels, and certification.
PCI-DSS stands for the Payment Card Industry Data Security Standards. These standards were established for all businesses that process and store cardholder data. The standards relate to payment cards such as:
The reasoning is that the data they hold and transmit impacts financial institutions and other transaction industries – not to mention the personal data of the owners of these individual cards.
The Payment Card Industry (PCI) needed a methodology for helping to prevent payment data breaches, payment card fraud, and identity theft. So, the Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 by major American and Japanese multinational payment card companies. Its purpose was to create and administer a payment card information security standard for global use.
There is a range of PCI Data Security Standards (DSSs) managed by the PCI SSC, to ensure that every aspect of payment security is covered. These standards are constantly evolving in detail and number. Organizations can participate in this revision process through membership and contribution to Special Interest Groups (SIGs) run by the PCI SSC.
The PCI-DSS is the main security standard created by the SSC. It provides baseline requirements and other directives that enable businesses to measure their own security policies and procedures. Its purpose is to encourage global and consistent data security measures for the better protection of payment account data and the prevention of data breaches.
This is the most recent version of the PCI DSS. It was made available in 2022 and came into force in March 2024. Version 4 is distinguished from its predecessors by updates on firewalls, multi-factor authentication (MFA), and targeted risk analysis. PCI DSS 4.0 is still undergoing updates and reorganization to deal with emerging threats and technologies.
For further information, see the PCI DSS v4.0 Resource Hub.
There are other PCI security standards beyond the PCI-DSS. These have been developed to cater for different types of organizations, services, or roles. Here are two that are relevant to software developers, technology vendors, and solution providers:
Both are part of a Software Security Framework that covers the secure design, development, and maintenance of existing and future payment software. Other PCI standards cover topics like point-to-point encryption (P2PE) and Personal Identification Number (PIN) security, among others.
PCI DSS provides 12 operational and technical compliance requirements to protect payment account data. These requirements are mandatory for any business that processes payment card transactions and are designed to safeguard sensitive cardholder data. This data must be handled securely at every stage, from processing to storage and transmission.
In each case, we’ve added some links to our Payara Server Enterprise documentation to act as pointers for ways in which our application server can help you work toward compliance with PCI-DSS.
Some or all of these 12 requirements may apply to a business, depending on whether and how it stores card data. The purpose of these requirements is to achieve set security goals (‘control objectives’):
Each requirement has hundreds of sub-requirements, adding further layers and levels of detail.
Not all organizations are required to comply with the PCI DSS in the same way. The number of transactions an organization processes annually determines its compliance level and the strictness of its reporting requirements. These are the PCI DSS compliance levels (also known as ‘reporting’ or ‘merchant’ levels):
However, factors beyond annual transaction volume may place an organization at a different level, such as whether it has recently suffered a cyber-attack or operates in an area that poses a particular data security risk. The higher the level, the greater the risk. Correctly identifying the compliance level that applies to your organization is the first step towards PCI certification.
Typically, organizations at the higher levels must undergo external audits performed by registered assessors, whereas those at lower levels complete self-assessment questionnaires (SAQs).
The higher the level, the more stringent the reporting requirements for compliance. Some requirements can be satisfied with SAQs even at Level 1, but Level 1 merchants must also complete an annual Report on Compliance (RoC) and an Attestation of Compliance (AoC).
Organizations must validate their compliance annually and are expected to maintain it at all times throughout the year. For example, all four compliance levels require quarterly network scans as well as annual penetration testing.
Also, any third-party service providers (TPSPs) used to process payment card data on behalf of a service provider need to be compliant. TPSPs may include:
Non-compliance may result in fines for the acquiring bank – the financial institution that processes credit and debit card payments for businesses – which bears the brunt of the financial penalties. However, banks can hold the merchants and organizations that use their services accountable and pass the fines on to the offending party. There are also initial and per-item penalties.
Financial consequences may be heaviest for organizations that process large volumes of sensitive data, such as financial institutions. Data breaches can also result in financial losses through fraud, legal fees, and the cost of forensic investigations. Then there are non-monetary penalties: loss of trust and reputation, with a consequent reduction in income.
The PCI DSS was specifically designed to focus on environments with payment card account data. However, it can also be used to protect against threats and secure other elements in the payment and financial ecosystems.
For further reading on your responsibilities around the PCI-DSS and cybersecurity resources, see:
In addition to the links and pointers already supplied in the PCI-DSS Requirements section above, we recommend you start finding out more about Payara Server Enterprise’s cybersecurity measures:
Read our Tech Blog to keep up to date with the latest data security legislation, regulations, and standards. And follow the links to find out how your development team can try one of our products: