Text size Increase Font-SizeDecrease Font-SizeReset Font-Size

Securing Card Account Data
is Everyone's Responsibility

Every entity around the world involved in payment card transactions – including hardware/device manufacturers and software developers, as well as banks, service providers and merchants – must continually focus on safeguarding payment card data. In addition to the requirements laid out in the PCI Data Security Standard (PCI DSS), the Council has created programs specifically aimed at developers and device manufacturers, available via the links below.

These programs include:

Resources for Assessing PCI DSS Compliance

  • Information Supplements
    Documents related to the security framework of the Payment Card Industry Data Security Standard (PCI DSS)

The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold or distributed to third-parties. Payment applications validated per PA-DSS, and when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches. Internally developed applications that are not sold or distributed to third-parties are not subject to PCI PA-DSS but are subject to PCI DSS.
PCI DSS is the standard for merchants and service providers to protect cardholder data. The PA-DSS and PTS device security requirements support the overall implementation of PCI DSS by allowing merchants to choose from Council certified payment applications and PTS devices to further cardholder data security. PA-DSS and PTS are not merchant initiatives. Rather, they are geared toward the application providers and PTS device manufacturers who must submit their applications and devices for testing against the standards.
PCI DSS requirement 3.3 requires that the PAN be masked when it is displayed (for example, on screens, logs, reports, receipts), unless the viewing party has a specific need to see the full card number. Business needs may exist to validate if the appropriate numbers were entered properly prior to completing the transaction (for example, for customer service representatives). To compensate for not masking the PAN on the screen for these types of transactions, controls such as Time To Live (TTL) or webpage "timeouts" should be deployed so that the screen does not display the card numbers indefinitely. Additionally, as should all websites that transmit cardholder data, the website which displays the PAN should be SSL enabled to ensure the data is secured as it is entered and validated.
Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation. Service providers should contact the individual payment brands for further information.

The PCI Security Standards Council (the "Council") provides a variety of tools, questionnaires, guidance, FAQs, training resources and other materials and information to assist organizations seeking to achieve compliance with its standards (the "Standards"). Third party products and services are also available, but the Council does not endorse or recommend any such third party products or services, and advises all organizations seeking to achieve compliance to become familiar with the Standards and related requirements before purchasing third party products or services. Ultimately, all applicable requirements must be met in order to achieve compliance, regardless of whether or what third party products or services are used.