Moving towards PCI DSS 3.0 compliance: A case study of credit card data security audit in an online payment company

M. R. Shihab, Febriana Misdianti
2014 International Conference on Advanced Computer Science and Information System
Publication date: 2014-03-23
DOI: 10.1109/ICACSIS.2014.7065872 (https://doi.org/10.1109/ICACSIS.2014.7065872)
Citations: 4

Abstract

The e-commerce industry in Indonesia has grown rapidly since 2012. This development is in line with the number of transactions that use credit cards. Unfortunately, this phenomenon has been followed by credit card fraud as well. Therefore, there is an urgent need for a standard to be used as a main reference in protecting the security of information. Visa and MasterCard have issued an international standard to ensure the security of credit card data, namely PCI DSS. It emphasizes the importance of protecting cardholder information in one's daily business processes. In December 2013, the latest version of this standard was released, and it brought about difficulties even for organizations that were already compliant with previous versions of the same standard. The aim of this research is to identify the changes brought about by the latest PCI DSS, namely version 3.0. Furthermore, this research is intended to implement that standard to measure an organization's compliance level. This research uses a case study approach at Indonesia's largest company in online payment services. The results of this research are the summation of 182 new controls that are simplified for use by organizations that have complied with PCI DSS 2.0 and are preparing for PCI DSS 3.0. Additionally, we found that Company X, the object of our case study, is compliant with 77.43% of PCI DSS 3.0 requirements. The Payment Card Industry Data Security Standard is considered to be at its earlier stages. We believe that this research is one of the first to observe the changes brought about by PCI DSS 3.0 and to implement it to measure an organization's compliance level.