PCI DSS
This glossary explains various keywords that will help you understand the mindset necessary for data utilization and successful DX.
This time, we will explain PCI DSS, which supports the security of IT related to credit cards, and through that we will think about safe and secure IT systems.
What is PCI DSS?
"PCI DSS" is an abbreviation for "Payment Card Industry Data Security Standard."
Because credit cards handle "money," a security breach translates directly into financial damage, so the related IT systems must be designed and operated with safety and security as the priority. To address this, the major card companies established the security standards that IT systems handling credit cards must comply with, known as PCI DSS.
What should be protected for the safety and security of credit cards?
As you know, credit cards are widely used as a deferred payment method for paying for things like bills. They are widely used because they offer various conveniences compared to cash transactions, but in order to create an environment where credit card transactions can be carried out safely, the "development of safe and secure IT" is a prerequisite.
In a cash transaction, the physical object itself is exchanged, so the transaction can be completed relatively simply at that place and time (although there are concerns about whether the bill is counterfeit, etc.). When paying with a credit card, the transaction is not completed at that place and time; you must contact the card company to confirm that the payment will be made with that card number and for that amount, confirm that the payment can be made, and have the card company record the payment details. Unlike a cash transaction, which can be completed on the spot, the transaction must go through communication with the card company's IT system, which is located in a remote location.
If a credit card number is stolen or leaked anywhere in this process, fraudulent transactions follow and the card no longer works reliably as a payment method. To prevent this, the entire payment process must be protected: not only the point where the card payment is made, but also the server that processes it, the communication route between them, and everyone involved in developing and operating the IT system.
Fraudulent use has become serious in the Internet age
Credit cards have been in widespread use around the world since before the birth of the Internet. While fraudulent use has been an issue since the beginning, it has become especially serious since the advent of the Internet. Before the Internet, card numbers were exchanged between card payment terminals in stores and "closed IT" such as dedicated lines. When using the Internet as a payment method, not only the e-commerce site itself but also the card payment system and communication routes are often on the Internet, making large-scale card number leaks and fraudulent use more likely to occur.
Despite these problems, online payment is an area where credit cards are expected to play a major role, and it is an important market for the future of cards themselves. Online you cannot hand over cash as you would in the real world, and if every purchase required a bank transfer followed by confirmation of receipt, that alone could take until the next day.
How can we reduce fraudulent use? If the IT systems and communication routes involved in card payments are all secure, accidents are less likely to occur. It's not that there is a general problem with credit card-related IT, but rather that improperly designed IT systems cause accidents, and this needs to be prevented. However, it is realistically difficult for card companies, let alone general users, to individually check whether each IT system is designed securely.
Therefore, card companies create "common security standards" for IT systems that handle card numbers over the Internet, and judge whether an IT system has been developed and operated in accordance with those standards.
PCI DSS introduced by the five major card companies
There is not just one credit card company. Initially, each card company began to establish its own "security standards," but from the perspective of those developing and operating IT systems, it was inefficient to have to comply with each company's standards separately, and this could have hindered the spread of card payments over the Internet.
Therefore, the world's five major credit card companies (American Express, Discover, JCB, MasterCard, and VISA) have jointly established common standards. To this end, they have established an organization called the "PCI SSC (Payment Card Industry Security Standards Council)" to compile the common standards that IT systems and organizations involved in credit card payments must adhere to as the "PCI DSS (Payment Card Industry Data Security Standard)."
This clarifies what organizations and people involved in the "storage, processing, and transmission" of card member information such as card numbers must comply with when making credit card payments.
It covers not only the IT system itself but also what the organizations and people involved must protect, including:
- the operational structure (whether there is a process in place to respond appropriately to vulnerabilities in the IT products used in the system);
- the security of communication routes;
- encrypting and protecting data before it is stored;
- not storing data that should not be stored;
- limiting who can access data and keeping records of that access.
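To make the controls listed above concrete, here is an added illustration in Python; it is not text from the PCI DSS standard and not code from Saison Technology or any of its products. It masks the card number for display (PCI DSS allows at most the first six and last four digits to be shown), drops sensitive authentication data such as the CVV before anything is persisted, replaces the stored card number with a token held in a separate vault, limits who may reverse that token, and records every access. It also includes a scanner for finding card-number-like digit runs in logs or exports. The role name `fraud-analyst`, the card number `4111 1111 1111 1111` (a widely used test value), and the sample payload are constructed for the example.

```python
"""
Added illustration of PCI DSS-style cardholder data handling (not the
standard's text, not vendor code). The vault below stands in for an
encrypted token store; only its separation from the transaction records
is demonstrated here.
"""
from __future__ import annotations

import re
import secrets
from datetime import datetime, timezone

# Sensitive authentication data: PCI DSS forbids keeping these after
# authorization, so the handler drops them before anything is persisted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track1", "track2"}

# Roles allowed to recover a full card number from a token. The role name
# is an assumption for this example; real role names are an organisational choice.
DETOKENIZE_ROLES = {"fraud-analyst"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, as permitted for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_pans_in_text(text: str) -> list[str]:
    """Return Luhn-valid card-number-like digit runs found in free text.

    Intended for checking logs or exports for card numbers that should not be there.
    """
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


class CardholderDataStore:
    """In-memory stand-in for a payment record store plus a separate token vault."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> full PAN (stand-in for the encrypted vault)
        self.records: list[dict] = []
        self.access_log: list[dict] = []

    def _log(self, actor: str, action: str, token: str, outcome: str) -> None:
        self.access_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "token": token, "outcome": outcome,
        })

    def store_transaction(self, payload: dict, actor: str) -> tuple[dict, list[str]]:
        """Persist a transaction without the PAN or sensitive authentication data.

        Returns the stored record and the names of the fields that were dropped.
        """
        pan = payload["pan"].replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        dropped = sorted(k for k in payload if k.lower() in SENSITIVE_AUTH_FIELDS)
        token = secrets.token_hex(16)
        self._vault[token] = pan
        record = {k: v for k, v in payload.items()
                  if k != "pan" and k.lower() not in SENSITIVE_AUTH_FIELDS}
        record["pan_token"] = token
        record["pan_masked"] = mask_pan(pan)
        self.records.append(record)
        self._log(actor, "store", token, "ok")
        return record, dropped

    def detokenize(self, token: str, actor: str, role: str) -> str | None:
        """Return the full PAN only for an authorised role; every attempt is logged."""
        if role not in DETOKENIZE_ROLES or token not in self._vault:
            self._log(actor, "detokenize", token, "denied")
            return None
        self._log(actor, "detokenize", token, "ok")
        return self._vault[token]


if __name__ == "__main__":
    store = CardholderDataStore()
    # Constructed sample payload, as a checkout service might submit it.
    rec, dropped = store.store_transaction(
        {"pan": "4111 1111 1111 1111", "cvv": "123", "amount": 4980, "merchant": "example-shop"},
        actor="checkout-service")
    print(rec, dropped)
    print(store.detokenize(rec["pan_token"], "helpdesk-user", "support"))
    print(find_pans_in_text("order 4111-1111-1111-1111 shipped"))
```

The point of the design is scope reduction: the transaction records never contain the full card number, so systems that only read those records stay out of the part of the environment that PCI DSS scrutinises most, while the access log gives auditors the "who accessed what" record the standard expects.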
PCI DSS is also updated regularly to keep up with the times. PCI DSS 1.0 was established in 2004, and as of the time of writing, PCI DSS 4.0, published on March 31, 2022, is the latest version.
How can we utilize PCI DSS?
It will become a standard for distinguishing safe and secure payment services
When using a card payment system online, this can be a criterion for selecting a service or business partner. Checking PCI DSS compliance can help you determine whether or not there is a high probability of an incident occurring.
Required when developing and operating a payment system in-house
If you develop and operate your own e-commerce site, or if you develop your own e-commerce package software and want to add card payment functionality to your payment system, you will need to obtain PCI DSS certification. If your company's products are not fully compliant, there is a risk that they will not be able to be used in IT systems related to card payment systems.
It serves as a benchmark for the safety and security of IT systems in general.
PCI DSS was formulated with credit card information in mind and is not intended for other uses or standards (for example, it is not a standard from the perspective of protecting personal information), but compliance with PCI DSS can be used to determine whether an IT system is being operated in a manner that allows for the handling of card numbers.
Alternatively, it can be used as a reference when considering what needs to be done to operate your company's IT systems securely.
However, complying with PCI DSS not only incurs costs; a wide range of activities related to the IT system, such as developing new functions, must be carried out under PCI DSS restrictions, and the many procedures that arise can raise costs and slow the business. You also need to consider carefully how your company will get involved.
How to achieve PCI DSS compliance and card payment functionality
What should you do if your company's systems are required to comply? While complying with PCI DSS is a noble undertaking, it is not an easy task, and the costs and effort involved are not negligible.
Use PCI DSS-compliant products and services
When developing a system in-house, it is rare to develop everything from scratch. Some middleware, tools, and cloud services used in development are PCI DSS compliant.
By utilizing PCI DSS-compliant cloud services or products that take compliance into consideration, it may become easier to use data including card numbers, and it may be possible to reduce the effort and scope of in-house handling.
⇒ HULFT Multi Connect Service | Saison Technology
This service provides PCI DSS-compliant file transfer infrastructure for various protocols over the Internet. Secure file transfer is possible simply by connecting from your own system, without the need to develop your own transfer infrastructure. We also handle operations and audits that comply with PCI DSS.
It can be used as a means to change communication routes that use dedicated lines such as INS lines to via the Internet without having to handle the process yourself. It also supports connections using a variety of protocols and lines, including HULFT, Zengin TCP/IP wide area IP network, SFTP, AnserDATAPORT connections, and one-stop support for closed networks.
Use external card payment functions and "connect" from your own system
As digital adoption continues to grow in every company, some organizations may be considering developing their own e-commerce site and in-house services. Naturally, they will need card payment functionality, but may be at a loss as to what to do when they learn that PCI DSS compliance will be costly and time-consuming.
In such cases, there are ways to avoid having to comply with PCI DSS in-house. This can be solved by using a cloud service that provides an e-commerce site itself that also has card payment functionality, or by developing the e-commerce site in-house but using an external service for the card payment functionality and simply calling that service from your own system, thereby avoiding having to comply in-house.
The key to utilizing IT in the cloud era is to "not build it in-house." By making good use of various clouds and your company's existing systems, and effectively "connecting" and combining them, you can efficiently and quickly realize the IT systems your company needs.
Furthermore, in recent years, various companies have been working on a range of initiatives in what is known as Fintech. Payment methods other than card payments are becoming more common, and new payment methods, such as cryptocurrency payments, are beginning to appear. Making good use of various external services rather than developing them in-house makes it easier to adapt to these changes in the world of payments.
⇒ Data integration platform DataSpider Servista | Saison Technology
Make good use of the "connecting" concept of EAI and ETL. Even if your company does not comply with PCI DSS, you can create a system with the same functionality by effectively "connecting" with external services. With "DataSpider," you can connect a wide variety of systems, data, and clouds using just a GUI. With the iPaaS "HULFT Square," you can also use the "connecting" function as a cloud service without the need for in-house operation.
Related keywords (for further understanding)
- EAI
- It is a concept of "connecting" systems by data integration, and is a means of freely connecting various data and systems. It is a concept that has been used since long before the cloud era as a way to effectively utilize IT.
- ETL
- In the recent trend of actively working on data utilization, the majority of the work is not the data analysis itself, but rather the collection and preprocessing of data scattered around, from on-premise to cloud. This is a means to carry out such processing efficiently.
- iPaaS
- A cloud service that "connects" various clouds with external systems and data simply by operating on a GUI.
- SaaS
- What people generally mean by the "cloud": the practice of providing software for use as a service.
Are you interested in "iPaaS" and "connecting" technologies?
Try out our products that allow you to freely connect various data and systems, from on-premise IT systems to cloud services, and make successful use of IT.
The ultimate "connecting" tool: data integration software "DataSpider" and data integration platform "HULFT Square"
"DataSpider," data integration tool developed and sold by our company, is a "connecting" tool with a long history of success. "HULFT Square," a data integration platform, is a "connecting" cloud service developed using DataSpider technology.
Another feature is that development can be done using only the GUI (no code) without writing code like in regular programming, so business staff who have a good understanding of their company's business can take the initiative to use it.
Try out DataSpider / HULFT Square's "connecting" technology:
There are many simple collaboration tools on the market, but this tool can be used with just a GUI, is easy enough for even non-programmers to use, and has "high development productivity" and "full-fledged performance that can serve as the foundation for business (professional use)."
It can smoothly solve the problem of "connecting disparate systems and data" that is hindering successful IT utilization. We offer a free trial version and online seminars where you can try it out for free, so we hope you will give it a try.
Why not try a PoC to see if HULFT Square can transform your business?
Why not try verifying how "connecting" can be utilized in your business, the feasibility of solving problems using data integration, and the benefits that can be obtained?
- I want to automate data integration with SaaS, but I want to confirm the feasibility of doing so.
- We want to move forward with data utilization, but we have issues with system integration
- I want to consider data integration platform to achieve DX.