Merchants, financial institutions, hardware and software developers, and industry professionals that use or create programs for card transactions need to follow PCI Data Security Standards (PCI DSS) or the Payment Application Data Security Standard (PA DSS). Merchants and any entity using card transactions need to meet PCI DSS standards, which include using PA DSS programs, and software developers and manufacturers need to create such PA DSS-compliant programs.
PCI DSS specifies tools and measures for ensuring the safe handling of card information and lays out the framework for developing a security process for accounts. The network needs to prevent, detect, and react quickly to any security breach, and businesses offering card transactions need to comply with these security standards. With a secure system for card data, a business is more trustworthy to customers and has a good reputation with acquirers and payment brands. Not complying with PCI DSS security standards makes a business open to security breaches, which can result in data theft, loss of sales, lawsuits, insurance claims, government fines, or canceled accounts. Additionally, having a PCI DSS-compliant network security plan makes a business more likely to meet other, similar standards, such as HIPAA and Sarbanes-Oxley.
A business offering card transactions needs to follow standard network security procedures, from assessment to reporting. An assessment, in terms of protecting cardholder data, must compile all IT assets and business processes and analyze the network for vulnerabilities. If vulnerabilities do exist, they must be fixed. Cardholder data, at the same time, should not be stored unless the business needs it. After an assessment, a business needs to put together remediation validation records and submit compliance reports to all banks and card brands with which your company interacts.
PCI DSS compliance, however, is not enforced by the PCI Security Standards Council but instead by payment brands. The PCI Security Standards Council specifies and updates the technical and operational requirements for protecting card data, and the payment brand enforces these standards. A business needing to know the exact standards and requirements should contact the payment brand – not the PCI Security Standards Council.
The card-processing applications used by such businesses need to be PA DSS compliance, and a business is only PCI DSS compliant when PA DSS applications are used. PA DSS applies to all software vendors that create card applications for storing, processing, and transmitting data. Businesses using PA DSS-compliance applications are less likely to have security breaches. If a card processing application is developed internally by the business, however, PA DSS does not apply, and instead the software needs to be PCI DSS compliant.
PCI DSS requirement 3.3 is a key standard for all businesses and applications. Pertaining to viewing full card numbers, PCI DSS 3.3 requires that full card numbers be masked unless the business has a specific need for all digits. For example, if a transaction was entered incorrectly, the business needs to reference the full card number. However, the numbers may not be displayed permanently, as card applications may use time outs to mask the digits after a certain period of time.