
All about PCI DSS (and why it’s important)

Last updated December 16, 2024

Earning and maintaining the trust of your customers is critical to the success of your business. Demonstrating a commitment to protecting customer data is key to developing this trust. With compliance regulations evolving and security incidents steadily increasing, it’s more important than ever to remain vigilant about your data access controls, especially when it comes to credit card information.

What is PCI DSS?

The term ‘PCI’ refers to the Payment Card Industry, which consists of payment card issuers such as Visa, American Express, MasterCard, Discover, and JCB. These companies established the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to develop and manage security standards for the protection of payment data. The technical and operational framework behind it is known as the PCI Data Security Standard (DSS).

To whom does PCI DSS apply?

PCI DSS applies to all entities that store, process, or transmit cardholder data, including merchants and service providers. ‘Cardholder data’ refers to the unique 15-19 digit Primary Account Number (PAN) found on a card. It also includes the PAN in combination with any of the following: cardholder name, expiration date, and/or service code. Simply put, if your company interacts with cardholder data, PCI DSS probably applies to you.

In addition, if you process a high number of credit card transactions (generally, over 6 million annually), you are required to complete an annual external PCI DSS assessment. Those with smaller volumes of transactions can complete a Self-Assessment Questionnaire (SAQ). In both reporting methods, all applicable PCI DSS requirements must be met in order to validate PCI DSS compliance.

What are the PCI DSS requirements?

The PCI DSS consists of six high-level areas of focus:

  1. Build and Maintain a Secure Network and Systems

  2. Protect Account Data

  3. Maintain a Vulnerability Management Program

  4. Implement Strong Access Control Measures

  5. Regularly Monitor and Test Networks

  6. Maintain an Information Security Policy

In March 2022, PCI DSS v4.0 was released introducing updates to address emerging threats and technologies in the payment industry. To facilitate a smooth transition, the previous version, PCI DSS v3.2.1, remained active until March 31, 2024. As of April 1, 2024, PCI DSS v4.0 is the sole active standard. Additionally, certain new requirements introduced in v4.0 are designated as “future-dated” and are considered best practices until March 31, 2025, after which they become mandatory.

To learn more about PCI DSS compliance at Zendesk see the following articles:

Visit the Zendesk Trust Center to learn more about our Compliance Certifications and Memberships.

Glossary of Terms

Acquirer – Also referred to as “merchant bank,” “acquiring bank,” or “acquiring financial institution.” Entity that initiates and maintains relationships with merchants for the acceptance of payment cards. The acquirer is typically responsible for monitoring PCI compliance across its merchants’ accounts.

AoC – Acronym for Attestation of Compliance. This is the audit report that shows if and how an organization is PCI DSS compliant.

Cardholder data – At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.

CDE – Cardholder Data Environment. The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

DLP – Data Loss Prevention. Data loss prevention software is designed to detect potential data breach or data loss events.

Encryption – Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.

Luhn check – Also known as the “Mod 10” algorithm, it is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers. Most credit cards use the algorithm as a simple method of distinguishing valid numbers from mistyped or otherwise incorrect numbers.

Masking – A method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire PAN. Masking relates to protection of PAN when displayed or printed.

PCI DSS Credit Card Field – This field is designed to accept credit card numbers from agents, where it will automatically redact the credit card number to the last 4 digits prior to the data being submitted to the Zendesk platform. This field is required to be enabled to benefit from Zendesk’s AoC.

PCI SSC – Acronym for Payment Card Industry Security Standards Council. This council was established in 2006 by the five credit card brands (Visa, MasterCard, American Express, Discover, JCB).

PCI DSS – The Payment Card Industry Data Security Standard. The PCI SSC created a unified standard to which all merchants and service providers are subject.

PAN – Primary Account Number. Also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder.

Service provider – Business entity (not a payment card issuer) that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.

QSA – Qualified Security Assessor. The PCI SSC has certified firms to perform PCI assessments and to assist with PCI DSS validation; the designation is a QSA firm, or similarly an individual at a QSA firm can be certified as an individual QSA.

Redact – The process of removing sensitive information, such as PAN, where it is not needed.

SAQ – Self Assessment Questionnaire. An entity validating PCI DSS compliance will either undergo an external assessment by a QSA, or complete an SAQ and submit it to the card brands or their merchant bank.

Tokenize – The process of breaking a stream of meaningful text, such as a credit card number, into data elements called tokens that represent the actual data but are meaningless on their own. Tokenization is a method to remove credit card data from systems or databases, thereby reducing the scope of the CDE.

Truncation – Method of rendering the full PAN unreadable by permanently removing a segment of PAN data. Truncation relates to protection of PAN when stored in files, databases, etc.
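The Luhn check, masking, and redaction entries above describe the pieces that a DLP-style control such as the PCI DSS Credit Card Field combines: find candidate PANs in agent text, confirm they pass the Mod 10 check, and keep only the last four digits. The following Python is an added illustration of that pipeline, not Zendesk’s code; the regular expression, the `X` mask character, and the sample ticket text are constructed for the example.

```python
import re

# Constructed pattern: 15-19 digits, optionally separated by single spaces or
# hyphens, not embedded in a longer digit run. Matches the PAN length range
# given in the article.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod 10 check: from the right, double every second digit (subtracting 9
    if the result exceeds 9), sum everything, and require a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(digits: str) -> str:
    """Keep only the last four digits; separators are dropped in the output."""
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str):
    """Replace every Luhn-valid PAN candidate in free text.
    Returns (redacted_text, number_of_pans_redacted)."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # fails Mod 10: treat as an order id, not a PAN
        count += 1
        return redact_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    # Constructed ticket text; 4111 1111 1111 1111 is a well-known test number.
    sample = "Customer paid with 4111 1111 1111 1111; ref 1234567890123456"
    cleaned, n = redact_text(sample)
    print(n, cleaned)
```

The second 16-digit run in the sample fails the Luhn check and is left untouched, which is the reason a detector pairs the length pattern with Mod 10 rather than redacting every long digit string.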
