Main Goals of Payment Card Industry Data Security Standard (PCI DSS)
IS3110 Risk Management in Information Technology Security
JUAN F TRAVIS
June 22, 2014
Introduction
There is a pressing need for better security of credit card transactions on the Internet as more and more people make purchases online, and we move to more secure payment mechanisms such as Chip and PIN in face-to-face transactions. In particular, the sensitive credit card details must be stored and processed securely by merchants. In general, people need to have faith that their personal information that was difficult to compromise when it was stored on paper will still be adequately protected when it is stored online. There are numerous issues for online storage because the large amounts of data are an inviting target for criminals and there are multiple ways of compromising it externally over a network or internally by insiders breaching the physical and procedural controls. We investigate the Payment Card Industry Data Security Standard (hereafter abbreviated as PCI DSS) created by the credit card industry to protect sensitive credit card information when it is stored and processed online. This standard may suggest a way forward in the protection of other sensitive data held online such as medical records. However, it is arguable if PCI DSS deals with the right problems in the right way and some issues of secure online storage are inherently difficult.
The PCI DSS Requirements
The PCI DSS standard has 12 requirements within 6 groups. It applies to any organization such as merchants where credit card numbers are stored, processed or transmitted. The requirements apply to any system or component with access to the cardholder data including secondary systems and applications connected over a network as well as the primary storage and processing computers. The PCI DSS is not comprehensive and is supported by other standards to deal with card readers...