Earning and maintaining the trust of your customers is critical to the success of your business. Demonstrating a commitment to protecting customer data is key to developing this trust. With compliance regulations evolving and security incidents steadily increasing, it’s more important than ever to remain vigilant about your data access controls, especially when it comes to credit card information.
What is PCI DSS?
The term ‘PCI’ refers to the Payment Card Industry, which consists of payment card issuers Visa, American Express, MasterCard, Discover, and JCB. Together, they form the Security Standards Council (SSC), the organization responsible for creating the global standards for the protection of payment data. The technical and operational framework behind it is known as the PCI Data Security Standard (DSS).
To whom does PCI DSS apply?
PCI DSS applies to both merchants and service providers that store, process, or transmit cardholder data (for one of the five card brands above). ‘Cardholder data’ refers, at a minimum, to the unique 15-19 digit Primary Account Number (PAN) found on a card. It also includes the PAN combined with any of the following: cardholder name, expiration date, and/or service code. Simply put, if your company interacts with cardholder data, PCI DSS probably applies to you.
In addition, if you process a high number of credit card transactions (generally, over 6 million annually), you are required to complete an annual external PCI assessment. Those with smaller volumes of transactions can complete a Self-Assessment Questionnaire (SAQ). In both reporting methods, all applicable PCI DSS requirements must be met in order to validate PCI compliance.
What are the PCI DSS requirements?
The PCI DSS consists of six high-level areas of focus:
- Build and Maintain a Secure Network and Systems
- Protect Account Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
In March 2022, PCI DSS v4.0 was released. It consists of the same high-level areas of focus, with four primary goals: continuing to meet the security needs of the payment industry, promoting security as a continuous process, providing flexibility for different methodologies (of payment card security), and improving methodologies for validating compliance with the standard.
However, PCI DSS v3.2.1, the previous version, will remain in effect until March 2024 to allow organizations to become familiar with v4.0 and transition to the required changes. Version 4.0 goes into effect in March 2025.
To learn more about PCI compliance at Zendesk and how to implement your own compliance see the following articles:
- ‘Is Zendesk PCI Compliant?’
- ‘What Do I Need to Do to Comply with PCI’
- Visit the Trust Center to request our Attestation of Compliance (AoC).
Glossary of Terms
Acquirer – Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards. The acquirer is typically responsible for monitoring PCI compliance of their merchants’ accounts.
AoC – Acronym for Attestation of Compliance. This is the audit report that shows if and how an organization is PCI compliant.
Cardholder data – At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
CDE – Cardholder Data Environment. The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
DLP – Data Loss Prevention. Data loss prevention software is designed to detect potential data breach or data loss events.
Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Luhn check – Also known as the “Mod 10” algorithm, it is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers. Most credit cards use the algorithm as a simple method of distinguishing valid numbers from mistyped or otherwise incorrect numbers.
Masking – A method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed.
PCI Compliant Ticket Field – This field is designed to accept credit card numbers from agents; it automatically redacts the credit card number down to the last 4 digits before the data is submitted to the Zendesk platform. This field must be enabled to benefit from Zendesk’s AoC.
PCI-SSC – Acronym for Payment Card Industry Security Standards Council. This council was established in 2006 by the five credit card brands (Visa, MasterCard, American Express, Discover, JCB).
PCI-DSS – The Payment Card Industry Data Security Standard. The PCI SSC created a unified standard to which all merchants and service providers are subject.
PAN – Primary Account Number. Also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder.
Service provider – Business entity (not a payment card issuer) that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.
QSA – Qualified Security Assessor. The PCI SSC has certified firms to perform PCI assessments and to assist with PCI validation; the designation is a QSA firm, or similarly an individual at a QSA firm can be certified as an individual QSA.
Redact – The process of removing sensitive information, such as PAN, where it is not needed.
SAQ – Self-Assessment Questionnaire. An entity validating PCI compliance will either undergo an external assessment by a QSA, or complete an SAQ and submit it to the card brands or their merchant bank.
Tokenize – The process of breaking a stream of meaningful text, such as a credit card number, into data elements called tokens that represent the actual data but are meaningless on their own. Tokenization is a method of removing credit card data from systems or databases, thereby reducing the scope of the CDE.
Truncation – Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc.
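The glossary entries for Luhn check, Masking, Redact and Truncation describe techniques rather than policy, so the following added example shows them working together. It is illustrative code written for this article, not Zendesk's implementation of the PCI Compliant Ticket Field, and the card numbers and ticket text in it are constructed test values (the well-known 4111... and 5500... test PANs, not real accounts). The `luhn_valid`, `mask_pan`, `truncate_pan` and `redact_pans` function names, the `X` fill character and the 13-19 digit candidate pattern are assumptions of this example.

```python
import re

# Luhn check ("Mod 10"): the checksum that distinguishes plausible card
# numbers from mistyped or random digit strings. It is a format check only;
# a Luhn-valid number is not proof that an account exists.
def luhn_valid(number: str) -> bool:
    """Return True if the digit string (separators allowed) passes Mod 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Masking: conceal part of the PAN when it is displayed or printed.
def mask_pan(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Replace every digit except the last `keep_last` with the fill char."""
    digits = re.sub(r"\D", "", pan)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


# Truncation: permanently drop part of the PAN before it is stored.
def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits for storage (irreversible)."""
    digits = re.sub(r"\D", "", pan)
    return digits[-keep_last:]


# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens.
# Constructed pattern for this example; production detectors tune this.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


# Redaction of free text, in the spirit of the ticket field described above:
# every Luhn-valid candidate is reduced to its last 4 digits before the text
# is handed on; non-card digit runs (order numbers etc.) are left alone.
def redact_pans(text: str) -> str:
    """Return `text` with Luhn-valid card numbers masked to the last 4 digits."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    # Constructed agent note containing a test PAN and an order id.
    note = "Card 4111-1111-1111-1111 exp 12/26, order 1234567890123."
    print(redact_pans(note))
    print(truncate_pan("4111 1111 1111 1111"))
```

Running the module prints the note with the card number reduced to `XXXXXXXXXXXX1111` while the 13-digit order id, which fails the Luhn check, is untouched. The distinction between the three functions matters for scoping: `mask_pan` only changes what a person sees and the full PAN still exists somewhere, whereas `truncate_pan` and `redact_pans` remove the data so the system that holds the result can fall outside the CDE.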