The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to ensure that every company that accepts, processes, stores, or transmits credit card information maintains a secure environment. It was drawn up by a consortium of the major card payment brands, Visa, MasterCard, American Express, Discover Financial Services, and JCB, which also make up its board.
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives”. The six groups are:
PCI DSS relies on TLS to cover the network security side of the standard. The previous version, PCI DSS 3.0, still worked on SSL; after SSL was deprecated, the updated version, PCI DSS 3.1, runs on TLS. PCI DSS enforces encryption of data in transit and endpoint authentication by following the tenets of PKI: it calls for TLS/SSL certificates so that the vendor or payment gateway that processes the information can be verified as genuine.
PCI DSS v3.1 was rolled out in April 2015 with a final deadline of June 30, 2018 to migrate from SSL and older TLS versions to the newer ones. PCI DSS v3.2, published in April 2016, keeps the same deadline. The older protocol versions (including TLS 1.0) left the network exposed to bugs like Heartbleed and POODLE, which allowed sensitive information to be captured through Man-in-the-Middle attacks. PCI DSS v3.2.1, enacted in May 2018, calls for the deprecation of all TLS versions except TLS 1.2.
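As an added example (not from the standard or from the original article), the following Python code shows the two sides of the requirement described above: auditing an nginx-style `ssl_protocols` directive for SSL and early-TLS versions that the migration retires, and building a client context that refuses anything below TLS 1.2 and verifies the peer's certificate. The directive strings are constructed for illustration, and treating TLS 1.3 as satisfying the "1.2 or newer" bar is an assumption.

```python
"""Checks for the PCI DSS 'no SSL / early TLS' requirement (added example)."""
import ssl

# Versions the migration retires: all of SSL and TLS older than 1.2.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: TLS 1.3 is accepted alongside TLS 1.2 as "1.2 or newer".
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def audit_ssl_protocols(directive: str) -> dict:
    """Audit one nginx-style 'ssl_protocols ...;' line and report which
    enabled versions violate the requirement.  Unknown tokens are flagged
    rather than silently accepted."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("expected an ssl_protocols directive")
    enabled = tokens[1:]
    violations = [v for v in enabled if v in DEPRECATED]
    unknown = [v for v in enabled if v not in DEPRECATED | ACCEPTED]
    return {
        "enabled": enabled,
        "violations": violations,
        "unknown": unknown,
        "compliant": bool(enabled) and not violations and not unknown,
    }


def pci_client_context(cafile=None) -> ssl.SSLContext:
    """Client-side context: endpoint authentication (certificate chain and
    hostname verification) plus a hard floor of TLS 1.2, so a gateway that
    only offers SSL or early TLS cannot be connected to by mistake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


# Constructed server configuration lines: the weak setting and its fix.
WEAK = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"
FIXED = "ssl_protocols TLSv1.2 TLSv1.3;"

if __name__ == "__main__":
    for line in (WEAK, FIXED):
        print(line, "->", audit_ssl_protocols(line))
    print("client floor:", minimum_version_name(pci_client_context()))
```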