What is PCI-DSS


There are various card schemes across the world today, namely American Express, Discover, Mastercard, VISA and JCB. Each has its own security standards for protecting data and PINs and for securing the production of cards. The standards tell banks how to ensure that their suppliers and merchants meet all of the card schemes' requirements so that data theft is prevented.

Having five sets of security standards seemed confusing and illogical. So, in 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed. It took the best of the five standards to create the PCI standards.

There are basically five payment card industry standards:

  • PCI DSS (Data Security Standard) - protects cardholders' data within an organisation.
  • PCI PA-DSS (Payment Application Data Security Standard) - helps developers write secure payment software.
  • PCI PTS (PIN Transaction Security) - protects PINs.
  • PCI P2PE (Point-to-Point Encryption) - ensures that card data is strongly encrypted at the point of interaction and stays encrypted until it reaches the point where it is decrypted.
  • Card Production - secures the production and personalisation of payment cards.

The PCI DSS standard consists of around 288 logical and physical security requirements that cover six main areas:

  • Build and maintain a secure network and systems: requirements for installing and managing firewalls, along with system hardening and the removal of default passwords, default services and default security parameters.
  • Protect cardholder data: this typically involves encryption of the data both in transit and at rest.
  • Maintain a vulnerability management program: an extensive set of rules for developing software securely and for patching and maintaining developed and procured software, applications and operating systems. This also includes the requirement to run effective anti-virus software.
  • Implement strong access control measures: the rules that control logical and physical access to cardholder data, including privileged access control, the use of IDs and passwords, and MFA.
  • Regularly monitor and test the network: the need for extensive logging mechanisms and the ability to monitor those logs, combined with vulnerability scanning and a penetration-test schedule.
  • Maintain an information security policy: the documentation of all of the above, which has to be understood by everyone in the organisation who has a responsibility to protect cardholder data.

PCI SSC personnel accreditations:

  • Qualified Security Assessor (QSA)
    (a) Works for a QSA company
    (b) Understands PCI DSS
    (c) Authorised to conduct PCI DSS assessments
  • Internal Security Assessor (ISA)
    (a) Works for an organisation that handles cardholder data
    (b) The organisation must be a PCI Participating Organisation
    (c) Understands PCI DSS
    (d) Authorised to conduct PCI DSS assessments where the card schemes allow this
  • Payment Application QSA (PA-QSA)
    (a) Works for a QSA company
    (b) Will also be a normal QSA
    (c) Understands PCI PA-DSS (secure software development)
    (d) Authorised to conduct PCI PA-DSS assessments
  • Point-to-Point Encryption QSA (P2PE QSA)
    (a) Works for a QSA company
    (b) Will also be a normal QSA
    (c) Has good experience in encryption and key management technologies
    (d) Understands PCI P2PE
    (e) Authorised to conduct PCI P2PE assessments
  • Qualified Integrator and Reseller (QIR)
    (a) Works for a company that installs point-of-sale software for retail merchants
    (b) Understands point-of-sale systems and how they need to be configured
  • PCI Forensic Investigator (PFI)
    (a) Works for a PFI company
    (b) Will also be a normal QSA
    (c) Understands forensics and how criminals break into systems
    (d) Authorised to conduct post-breach forensic investigations
  • PCI Professional (PCIP)