Changes to the PCI DSS Self-Assessment Questionnaire help businesses more easily comply with data-security standards.

Illustration by Julia Breckenreid

Does your organization process credit or debit cards in a point-of-sale (POS) environment? Do you have an e-commerce site where you take credit-card numbers over the Internet? Do you know how the Payment Card Industry Data Security Standard (PCI DSS) has changed, whether you’re in compliance and what steps to take if you’re not? Do you even know about the PCI DSS?

In this environment of identity theft and credit-card fraud, these are critical questions. Headlines in the business section scream about security breaches that released thousands of credit-card numbers to unauthorized users. As a result, the companies are, and will continue to be, involved in lawsuits and will be fined huge amounts of money. Additionally, they lose the confidence of their customers, who will likely take their business elsewhere.

This article will identify PCI DSS, show the different PCI compliance levels and describe the new requirements. It’s a topic you may want to brush up on if your organization is exposed to the risk of handling credit-card numbers.

What is PCI?

The payment card industry is a loose term used to identify organizations that issue, accept or process credit and debit cards. The Payment Card Industry Security Standards Council was created by five major players in the payment-card industry: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The council’s purpose is to develop and enhance three PCI standards:

  • DSS
  • Personal Identification Number Entry Devices
  • Payment Application DSS

It’s the PCI DSS we’re mainly interested in for our purposes. The PCI DSS is a broad strategy covering many issues involved with processing payment cards, such as card-number encryption, physical security, network security, logging and monitoring, and system-security patch levels and policies.

Tools and methodologies have been developed as part of the PCI DSS. Why are these important? Adherence to these methodologies and use of these tools show any interested party (e.g., a bank or an acquirer) that an organization is making a best or good-faith effort to secure payment-card information.

But does adherence to the DSS (the current version of which is 1.1, released in September 2006) mean your system won’t be hacked by people intent on stealing credit-card and other personal information? No, it doesn’t—adherence will certainly help, but it can’t eliminate every possibility. Think of PCI DSS compliance in two ways—as a best practice and as a measure of insurance. As you’ll see in the next section, complying with the PCI DSS basic requirements provides a strong measure of security and would be valuable even if your organization didn’t accept payment cards; they’re just good security practices. I believe the insurance idea is twofold: your organization takes the best steps it can to limit exposure, and you assure your bank and acquirer that security is important to your organization. The latter could be very important if your security is breached and your information is exposed.

Michael Ryan is a technical editor with IBM Systems Magazine. Michael can be reached at
