{"id":4288,"date":"2024-04-27T06:15:11","date_gmt":"2024-04-27T12:15:11","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=4288"},"modified":"2024-06-03T15:23:19","modified_gmt":"2024-06-03T21:23:19","slug":"pci-ssc","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/pci-ssc\/","title":{"rendered":"PCI Security Standards Council (PCI SSC)"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tStandard<\/span>\n\t\t\t\t\t\t\t\t\t\t

PCI Security Standards Council (PCI SSC)<\/h1>\n\t\t\t\t\t

The Payment Card Industry (PCI) Security Standards Council (SSC) is an international organization who collaborates with payment industry professionals and stakeholders to curate payment data security resources and industry best practices. The PCI SSC develops Data Security Standards (PCI DDS), which provides the latest technical requirements needed to design secure data payment applications.<\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Are you subject to PCI SSC?<\/h2>\n

Any entities or merchants who store, process or transmit cardholder data, sensitive authentication data, and\/or payment transactions must comply with relevant PCI Standards. Software developers and manufacturers who develop payment applications and devices are also subjected to relevant standards.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Key obligations of the PCI DSS V4.0<\/h2>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Minimal storage of account data<\/h4>\n

Organizations must develop a data retention policy specifying that only minimal cardholder data must be kept (e.g. a holder\u2019s primary account number (PAN) and card expiration date), and identify locations to retain the data to reduce risk of data compromise.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Implementation of audit logs<\/h4>\n

Organizations need to implement audit log mechanisms across all system components and cardholder data to promptly detect and alert administrators of suspicious activities or unauthorized changes to accounts. Audit logs should also track changes to administrative privileges to prevent risks associated with an individual disabling the audit log system.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Configuration of network security controls<\/h4>\n

Organizations must establish an internal configuration policy outlining what is permitted and\/or not permitted within the database and network to manage network traffic between and from cardholder data environments (CDE).<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Do not store sensitive authentication data after authorization<\/h4>\n

Sensitive authentication data, such as PINs and card verification codes, must not be retained once an authorized process is completed. If this data needs to be stored before completion, it must be encrypted with strong cryptography using a different key than the one used for encrypting the PAN.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Implementation and testing of security systems<\/h4>\n

Organizations must develop and keep up-to-date security policies and technical mechanisms to ensure the entire system network is secure, and regularly test rigor of the security mechanisms to effectively respond to abnormal activities.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWhitepaper<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Privacy and Data Security in Mergers & Acquisitions<\/h2>\n\t\t\t\t\t\t

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.<\/p>\n\t\t\t\t\t\t