DSS (Data Security Standard)

Introduction:

The Data Security Standard (DSS) is a security standard for organizations that handle cardholder data for the major credit card companies. The standard was created to ensure that all merchants and service providers who store, process, or transmit credit card information maintain a secure environment. This standard was developed by the Payment Card Industry Security Standards Council (PCI SSC), which is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection.

The PCI SSC was formed in 2006 by the major credit card companies, including Visa, Mastercard, American Express, Discover, and JCB International. The council is responsible for developing and maintaining the Data Security Standard (DSS) to protect against the theft of credit card information.

What is the Data Security Standard (DSS)?

The Data Security Standard (DSS) is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The DSS is a set of twelve requirements that are grouped into six categories:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

The DSS applies to all entities that store, process, or transmit cardholder data, regardless of the size or volume of transactions. The requirements apply to all system components that are included in or connected to the cardholder data environment, which includes all people, processes, and technology.

The 12 Requirements of the DSS:

Build and Maintain a Secure Network and Systems

The first requirement of the DSS is to build and maintain a secure network and systems. This requirement includes the following sub-requirements:

  a. Install and maintain a firewall configuration to protect cardholder data
  b. Do not use vendor-supplied defaults for system passwords and other security parameters
  c. Protect stored cardholder data
  d. Encrypt transmission of cardholder data across open, public networks

Protect Cardholder Data

The second requirement of the DSS is to protect cardholder data. This requirement includes the following sub-requirements:

  a. Protect stored cardholder data
  b. Encrypt transmission of cardholder data across open, public networks
  c. Mask PAN (Primary Account Number) when displayed
  d. Restrict access to cardholder data by business need-to-know
  e. Assign a unique ID to each person with computer access
  f. Track and monitor all access to network resources and cardholder data
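As an added example (not part of the original article), the following Python shows how two of the controls above are typically implemented on the defending side: masking a PAN so that only the last four digits are displayed, and scanning application log lines for unmasked PANs before they are stored, so that cleartext cardholder data does not leak into logs. The 13 to 19 digit length and the Luhn check are standard properties of card numbers; the log line is constructed, 4111 1111 1111 1111 is a well-known industry test PAN, and 4111111111111112 is a constructed Luhn-invalid value standing in for an innocent order number.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (length bounds follow ISO/IEC 7812).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit test; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace all but the permitted leading/trailing digits with '*'.
    Default shows only the last four digits; separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:  # too short to mask safely: reveal nothing
        return "*" * len(digits)
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_pans(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in a log line with its masked form.
    Returns (redacted_line, pans_found); a count above zero means the application
    wrote cleartext cardholder data to its logs and should be investigated."""
    count = 0

    def _replace(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # e.g. an order or tracking number: leave as is
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), count


if __name__ == "__main__":
    # Constructed sample log line (see lead-in for the test values used).
    sample = ("2024-05-01T12:00:00Z INFO payment authorized "
              "card=4111 1111 1111 1111 order=4111111111111112 amount=19.99")
    redacted, found = redact_pans(sample)
    print(found, redacted)
```

Run over a log stream, `found` is the alert signal; `redacted` is what may be safely retained.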

Maintain a Vulnerability Management Program

The third requirement of the DSS is to maintain a vulnerability management program. This requirement includes the following sub-requirements:

  a. Protect all systems against malware and regularly update antivirus software or programs
  b. Develop and maintain secure systems and applications
  c. Implement strong access control measures
  d. Regularly test security systems and processes

Implement Strong Access Control Measures

The fourth requirement of the DSS is to implement strong access control measures. This requirement includes the following sub-requirements:

  a. Restrict access to cardholder data by business need-to-know
  b. Assign a unique ID to each person with computer access
  c. Restrict physical access to cardholder data
  d. Track and monitor all access to network resources and cardholder data

Regularly Monitor and Test Networks

The fifth requirement of the DSS is to regularly monitor and test networks. This requirement includes the following sub-requirements:

  a. Regularly test security systems and processes
  b. Regularly monitor and analyze audit logs
  c. Maintain an information security policy

Maintain an Information Security Policy

The sixth and final requirement of the DSS is to maintain an information security policy. This requirement includes the following sub-requirements:

  a. Establish, publish, maintain, and disseminate a security policy
  b. Assign a management-level individual to oversee security
  c. Develop, document, and implement security awareness training for all personnel
  d. Maintain and follow security policies and procedures

Compliance with the DSS:

Compliance with the DSS is mandatory for any organization that accepts credit card payments. Failure to comply with the DSS can result in significant fines, loss of reputation, and legal liability. The level of compliance required depends on the organization's size and the volume of credit card transactions it processes. Larger organizations may be required to undergo annual on-site audits by a PCI SSC-approved Qualified Security Assessor (QSA).

Achieving compliance with the DSS requires a comprehensive approach to security that includes people, processes, and technology. Organizations must establish policies and procedures that ensure the secure storage, processing, and transmission of cardholder data. They must also implement technical controls that protect against unauthorized access to cardholder data, such as firewalls, encryption, and access controls.

Benefits of Compliance with the DSS:

Compliance with the DSS offers several benefits to organizations that accept credit card payments. These benefits include:

  1. Protection against data breaches: Compliance with the DSS reduces the risk of data breaches by ensuring that cardholder data is stored, processed, and transmitted securely.
  2. Protection against financial penalties: Compliance with the DSS protects organizations from financial penalties that can result from non-compliance.
  3. Protection against legal liability: Compliance with the DSS can protect organizations from legal liability that can result from a data breach.
  4. Improved reputation: Compliance with the DSS can improve an organization's reputation by demonstrating a commitment to security.

Conclusion:

The Data Security Standard (DSS) is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Compliance with the DSS is mandatory for any organization that accepts credit card payments. The DSS includes 12 requirements that are grouped into six categories: building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. Achieving compliance with the DSS requires a comprehensive approach to security that includes people, processes, and technology. Compliance with the DSS offers several benefits to organizations, including protection against data breaches, financial penalties, and legal liability, as well as an improved reputation.