There are three stages involved: Assess, Remediate and Report.
Stage 1 – Assess
During this stage you assess the complete IT infrastructure for any risks or vulnerabilities that may pose a threat to cardholder data and payment transactions. The assessment covers all hardware and software products in use, including any third-party vendors or applications. Every aspect is evaluated: retrieval and transmission of data, data processing, and data storage, whether temporary or permanent.
You may scan your network and server infrastructure using software tools that analyze and spot widely known vulnerabilities in line with PCI requirements. The PCI SSC publishes a list of more than 130 vendors whose software is approved for vulnerability scanning of internet-facing environments.
Please note that it is your responsibility to ensure PCI compliance by any third parties involved in any stage of the process.
Stage 2 – Remediate
During this stage you classify and prioritize all the vulnerabilities and risks identified in the assessment phase and work towards fixing them. To fix issues you may apply patches, replace or upgrade software or infrastructure components, and correct defective processes.
You should then repeat the vulnerability scan to confirm that the gaps have been closed.
Stage 3 – Report
PCI compliance demands regular submission of reports to your bank and to the payment brands that do business with you. All merchants and processors must submit a quarterly scan report produced by a PCI SSC Approved Scanning Vendor (ASV). Organizations with large transaction volumes must have an annual onsite assessment conducted by a PCI SSC Qualified Security Assessor (QSA) and submit the findings to each acquirer. Organizations with small transaction volumes may submit a self-attested report annually using the Self-Assessment Questionnaire.
PCI DSS Goals & Requirements
There are 6 high-level goals or control objectives, and each goal has one or more requirements specified to satisfy it. The goals and their respective requirements are as follows:
| Goal | PCI DSS Requirement(s) |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
Please note that although the PCI Council has defined these requirements, each major payment card brand also has its own compliance program and validation levels.
PCI DSS provides detailed recommendations for each requirement. Below are a few general rules that should be considered when defining detailed security procedures:
- Merchants and any other service providers involved in payment card processing must never store sensitive authentication data after authorization. PCI DSS completely prohibits storage of full magnetic stripe data, CAV2/CVC2/CVV2/CID codes and PINs/PIN blocks.
- Keep the payment processing environment as isolated from the internal network as possible, and set up a DMZ accordingly.
- Review the configurations of all systems on a periodic basis and maintain control over all of them. Remember that your security is only as good as the weakest link in the chain.
- Strictly follow a least-privilege policy and define security controls that implement “defense in depth”.
- Implement security on a zero-trust basis and protect information from internal employees as rigorously as from external parties. Most data leakage incidents are caused by internal employees rather than external attackers.
- Secure data not only during the customer life cycle but also in its other forms, including data used for internal reporting, backup tapes and archival systems. The less information you expose and store in your environment, the easier it is to keep that data safe.
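The first and last rules above (no sensitive authentication data after authorization, store as little as possible) can be enforced at the point where a transaction record is persisted. The following is an added illustration, not code from the original article or from the PCI SSC; the field names, the `sanitize_for_storage` helper and the sample record are assumptions, and the masking format (first six and last four digits) follows the PCI DSS display rule.

```python
import re
# Sensitive authentication data (SAD) that PCI DSS says must never be kept after
# authorization: full track/magnetic stripe data, card verification codes, PINs.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "magnetic_stripe", "cvv2", "cvc2",
                         "cav2", "cid", "pin", "pin_block"}
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")  # plausible PAN lengths

def luhn_ok(digits: str) -> bool:
    """Luhn check: true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_pans(text: str) -> str:
    """Mask any Luhn-valid PAN that leaked into a free-text field (memo, notes)."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text)

def prohibited_fields(record: dict) -> list:
    """SAD field names present in a record; an empty list means storage is allowed."""
    return sorted(k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS)

def sanitize_for_storage(record: dict) -> dict:
    """Copy of an authorized transaction that is safe to persist or archive."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue  # drop sensitive authentication data outright
        if key.lower() == "pan":
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = redact_pans(value)
        else:
            out[key] = value
    return out

# Constructed sample record using a well-known test card number, not real data.
SAMPLE_AUTHORIZED_RECORD = {"transaction_id": "txn-0001", "pan": "4111111111111111",
    "cvv2": "123", "track2": "4111111111111111=2512101123456789",
    "memo": "customer called, card 4111111111111111 reissued"}
```

Running `prohibited_fields` over records already in a database or backup gives a quick check for the repeat-scan step described earlier, while `sanitize_for_storage` is what the write path should apply before anything is persisted.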
For a complete reference, please refer to the FAQ section of the PCI DSS website.
How do I decide whether my business needs to comply with PCI DSS? In particular, if my business does not accept credit card payments through its website, is there any point in performing a scan?
A general guideline is that if you maintain a public-facing IP address associated with the network in which credit card processing occurs, then you must have a scan performed.
Are the Data Security Operating Policies defined by the credit/payment card brands different from the PCI Data Security Standard?
The PCI Council is not independent of the credit card brands. In fact, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc are the founding members of the Council.
You may consider the PCI Data Security Standard the foundation for each brand's Data Security Operating Policy, allowing merchants to comply with one set of data security standards for all payment brands. The Data Security Operating Policy defined by each payment card brand then defines its own merchant levels, validation requirements and deadlines.
More information can be found at these links:
Discover Financial Services
Glossary Terms used in Article
(QSA) Qualified Security Assessor: The term QSA is used to identify an individual who is qualified to perform PCI compliance auditing and consulting. A QSA must meet specific information security education requirements by taking the appropriate training from the PCI Security Standards Council.
(ASV) Approved Scanning Vendor: ASVs are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers. The Council has approved more than 130 ASVs.
Acquirer: Also referred to as the acquiring bank or acquiring financial institution. An entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Payment Application Data Security Standard (PA-DSS)
The PA-DSS applies to software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed or licensed to third parties.