Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI-DSS) is a framework for securing payment card data. This standard applies to all persons who perform payment card transactions or maintain payment card transaction data. The security goals of the PCI-DSS are:

  • Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software or programs
    • Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Restrict access to cardholder data by business need to know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Maintain a policy that addresses information security for all personnel

The following is what the PCI-DSS considers payment card and sensitive authentication data:

  • Cardholder Data
    • Primary Account Number (PAN), the number printed on the front of the payment card
    • Cardholder Name
    • Service Code, data on or associated with the card that the card brand uses to distinguish between card types (Platinum, Gold, etc.)
    • Expiration Date
  • Sensitive Authentication Data (Cannot be stored, even if encrypted)
    • Full Magnetic Stripe Data
    • CAV2/CVC2/CVV2/CID, the 3-digit number located on the back of the card (a 4-digit number on the front for AMEX)
    • PIN/PIN Block
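The two data classes above are treated differently in practice: cardholder data may be stored if protected (and the PAN must be masked wherever it is displayed), while sensitive authentication data must not be retained at all. The following Python log scrubber is an added example, not part of the original page or any PCI SSC material, showing how a defender can enforce that split on application logs before they reach long-term storage. It assumes constructed sample log lines, identifies PAN candidates with a Luhn check so that unrelated digit runs (order numbers, timestamps) are left intact, masks valid PANs to the first six and last four digits, and strips magnetic-stripe track data and CVV/CVC/CID/PIN fields entirely. The field names (pan=, cvv=, track2=) are assumptions about the log format.

```python
import re

# Constructed sample log lines. The card numbers are the publicly known
# Visa/Mastercard test numbers (Luhn-valid, not real accounts).
SAMPLE_LOG = [
    "2024-01-05 12:00:01 INFO checkout pan=4111 1111 1111 1111 exp=12/26 cvv=123 amount=19.99",
    "2024-01-05 12:00:02 INFO order 100000000000000001 shipped",
    "2024-01-05 12:00:03 DEBUG swipe track2=;5555555555554444=26121011234567890?",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Full magnetic-stripe data: Track 1 (%B<PAN>^NAME^...?) and Track 2 (;<PAN>=...?).
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d+\??")

# Key/value fields carrying CVV2/CVC2/CAV2/CID or PIN values (assumed field names).
SAD_KV_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\d{3,12}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle digits are replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str) -> str:
    """Return the line with sensitive authentication data removed and PANs masked."""
    # 1. Sensitive authentication data is dropped entirely; it may never be stored.
    line = TRACK_RE.sub("[TRACK DATA REDACTED]", line)
    line = SAD_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

    # 2. Cardholder data: mask every Luhn-valid PAN candidate, leave other digit runs alone.
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    return PAN_RE.sub(_mask, line)


def scrub_log(lines):
    """Scrub a sequence of log lines, preserving order."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for cleaned in scrub_log(SAMPLE_LOG):
        print(cleaned)
```

Track data and CVV fields are removed before the PAN pass so that the PAN embedded in a track is never merely masked; a masked PAN is acceptable to retain, a masked track is not. Validating candidates with Luhn keeps false positives low, but a Luhn-valid non-card number will still be masked, which is the safer failure mode for a log.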

For additional information, please visit the PCI Security Standards Council page on PCI-DSS.

© Wentworth Institute of Technology   |   550 Huntington Avenue   |   Boston, MA 02115   |   617-989-4590