Now let’s look at these standards in more detail.
- PCI DSS covers security of the environments that store, process, or transmit account data. The scope of PCI DSS covers environments receiving account data from payment applications and other sources – acquirers, for example.
- PCI PA-DSS covers secure payment applications to support PCI DSS compliance. The scope of PA-DSS addresses when a payment application receives account data from cardholder-interface devices such as point-of-sale terminals or other devices and begins the payment transaction.
- PCI P2PE (Point-to-Point Encryption) covers secure encryption, decryption, and key management for point-to-point technologies used for a specific implementation.
- PCI PTS – POI standard covers device tamper detection, cryptographic processes, and other mechanisms used to protect the PIN and other sensitive data, such as cryptographic keys. The PTS set of requirements addresses how cardholder PINs are protected at cardholder-interface devices such as point-of-sale terminals, as well as hardware security modules that are used in payment processing and cardholder authentication applications and processes.
- PCI PTS – PIN standard covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing.
- PCI PTS – HSM standard covers the design of hardware security modules and the secure protection of those devices until they are deployed.
- Finally, the Card Production standards establish minimum security levels for card vendors involved in payment card manufacturing, card personalization, pre-personalization, chip embedding, data-preparation, and fulfillment.
It should be noted that each of these PCI standards is independent of the others and has its own programs and requirements. Adherence to one standard does not imply or affect an organization’s compliance with any other standard.