Beyond DSS: Expanding Horizons in PCI Compliance
David Schmid

The Payment Card Industry (PCI) Security Standards have emerged as critical in maintaining payment security. Any entity involved in storing, processing, or transmitting payment data is required to comply with these industry standards. While the Payment Card Industry Data Security Standard (PCI DSS) often takes most of the attention in discussions about PCI compliance, the suite of standards extends well beyond DSS. These standards address specialized areas and enable innovative payment methods, making navigation through them a challenging yet essential task. The expanse of the PCI suite is reshaping the landscape of the payment industry, pushing boundaries beyond traditional methods...

PCI Compliance Title Image: Phone and Banking Card Secure


The Core and Beyond

The PCI DSS is a broad and comprehensive standard designed to secure cardholder data across a wide range of entities. Management's focus often falls on certain nuances of this extensive standard, occasionally overshadowing equally critical aspects. Notably, the security of PIN data - a fundamental component of transaction security - sometimes receives less attention than it deserves.

Anyway, the vast scope of PCI DSS and other traditional standards such as PIN is just the starting point...

Credit Card Data Protection Image

To address more specific aspects and complement the broader objectives of payment security, the PCI Council has developed additional standards, each with its own dedicated focus, and it certifies assessors to validate compliance with them.

By focusing on specific areas of payment security, the complementary standards simplify the process of achieving and maintaining PCI DSS compliance.

Meanwhile, innovations like mobile payments, contactless transactions, and near-field communication (NFC) are revolutionizing payment methods. The newer PCI standards are paving the way for secure payments in this evolving ecosystem. They mark a shift from traditional hardware-based security to solutions on "Commercial Off-The-Shelf" (COTS) devices like smartphones and tablets, becoming increasingly relevant.

The PCI Ecosystem

The PCI Security Standards Council continually updates and expands its suite of standards to address emerging challenges and technologies. Although the official "Overview" page on the PCI website lists 15 standards, this count is already outdated with the introduction of the Mobile Payments on COTS (MPoC) standard in 2022, bringing the total to at least 16.

Image: Overview of the PCI Standards
Image: PCI Security Standards Ecosystem, November 2019. Source

The graphic above provides a snapshot of these standards and their applications, showing where they apply within the payment process. However, for a more nuanced understanding, I have segmented these standards into distinct groups based on their specific focus areas. This classification aims to improve the understanding of how these various standards interplay and support the overall objective of securing payment card data.

Traditional Cardholder Data Security

A series of standards including PCI DSS form the bedrock of traditional cardholder data security. These standards are specifically constructed to protect cardholder information - such as the cardholder's name, Primary Account Number (PAN) and security codes (CVV, CVC) - throughout the entire payment process, from the initial transaction point to data processing and storage.

Image: Man holds card near a pos terminal.

Traditional PIN Security

While DSS is often at the forefront of discussions on cardholder data protection, it is crucial to recognize that the security of Personal Identification Number (PIN) data is addressed by a separate series of PCI standards. These standards are designed to safeguard this sensitive component of cardholder verification.

Image: Woman paying by card entering pin

Commercial Off-The-Shelf (Mobile) Devices

The emergence of so-called "Commercial Off-The-Shelf" (COTS) devices in the payment landscape represents a significant shift towards more accessible and flexible payment processing solutions. Recognizing this trend, the PCI Security Standards Council has developed standards that focus on these widely used devices.

The somewhat cumbersome term COTS refers to readily available consumer hardware, such as smartphones and tablets, which are not specifically designed for payment processing but can be repurposed for this function. The following standards are making payment processing more accessible and adaptable to these devices, aligning with modern lifestyle and business practices.

Image: Smartphones tap to pay

3D Secure Protocol

The 3D Secure (3DS) Protocol refers to a framework for online transaction security, designed to improve the security of credit and debit card transactions over the internet. It is widely known for its use in systems like "Verified by Visa", "MasterCard SecureCode" and "American Express SafeKey". The two key standards address different aspects of its transaction processes:

Software Security Framework

The PCI Software Security Framework (SSF) is a collection of standards and programs that secure payment software throughout its lifecycle and address the evolving security needs of the payment software ecosystem. It replaces the previous Payment Application Data Security Standard (PA-DSS). While PA-DSS focused on payment applications involved in authorization or settlement, the SSF has a broader and more flexible scope, covering a wider range of software types and development practices.

Card Production

The PCI Security Standards Council focuses on two parts of payment card production: the tangible materials and the sensitive data involved:

The Big Picture: Understanding the Payment Card Transaction Process

When we go to a store and use our card for a transaction - whether by tapping or inserting the card - a seemingly simple action triggers a sophisticated chain of events involving multiple parties.

Understanding this network of interactions is crucial for effective PCI scoping. It lays the groundwork for identifying where and how cardholder data is handled. However, it is important to recognize that this overview only scratches the surface of the complex environment in which these transactions occur. Comprehending this "big picture" is just the first step in a much deeper exploration.

Image: Woman paying with card online

But now let's demystify this process:

This cycle is similar for ATM transactions, with the primary difference being that the transaction begins at an ATM terminal rather than a merchant's card terminal.

With this transaction map in mind, I would like to refer one more time to the initial official overview graphic in the "The PCI Ecosystem" section. It will now provide a clearer understanding of which PCI standard applies to which of these various aspects in the transaction cycle.

Scoping for PCI Compliance

Understanding the scope is a crucial step in any organization's journey toward PCI compliance. PCI DSS is a technically demanding and rigorous standard, and an accurate comprehension of scope is essential to ensure that the compliance efforts are both effective and comprehensive.

In the context of PCI compliance, scope can be defined as the extent to which an organization interacts with cardholder data. This includes any system, network, or process that stores, processes, or transmits cardholder information. The process of becoming PCI compliant begins with a thorough identification of the scope. This involves an in-depth analysis proportional to the organization's size and its exposure to cardholder data. The scope delineates the boundaries within which the PCI requirements will be implemented.

Methodology for Scope Creation

Scope Reduction Techniques

Risk Management and PCI Scope

In conclusion, accurately defining and understanding the scope is the first and perhaps most crucial step in the PCI compliance process. It sets the stage for targeted and effective compliance efforts, ensuring that all relevant areas of cardholder data interaction are securely managed and protected.

Conclusion: Embracing Change in the Payment Landscape

As our journey through the landscape of PCI Security Compliance unfolds, it becomes increasingly clear that the payment industry is on the edge of a substantial transformation. This shift, fueled by rapid technological advancements and innovations, is reshaping the payment landscape and compliance strategies.

The author (David Schmid) welcomes these changes: they not only remain in line with PCI Security Compliance but also offer opportunities for greater innovation in payment methods. He recognizes the immense potential these advancements hold and is proud to contribute to such approaches.

A prime example of this innovation is the integration of advanced programming languages and frameworks, such as Rust and WebAssembly, into the payment industry. These technologies offer a robust and secure foundation for developing efficient payment applications.

Organizations that embrace these changes and integrate them into their compliance and security strategies will not only meet the current standards but also pave the way for a new era of payment processing. This is a journey of not just safeguarding transactions but redefining them for the digital age.

Image: Paying in a cafe with phone
