Introduction to PCI DSS (Payment Card Industry Data Security Standard)

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
PCI DSS (Payment Card Industry Data Security Standard) was defined by the Payment Card Industry Security Standards Council (PCI SSC) to tighten controls around cardholder data and to reduce credit card fraud. Compliance can be validated by an external Qualified Security Assessor (QSA) or, for companies handling a smaller volume of transactions, by a Self-Assessment Questionnaire (SAQ).


Assessment Model

There are three stages involved: Assess, Remediate and Report.

Stage 1 – Assess

During this stage you assess the complete IT infrastructure for any risks or vulnerabilities that may threaten cardholder data and payment transactions. The assessment covers all hardware and software in use, including third-party vendors and applications. Every aspect of data handling is evaluated: retrieval and transmission of data, data processing, and data storage, whether temporary or permanent.
You may scan your network and server infrastructure using software tools that analyze and spot widely known vulnerabilities in line with PCI requirements. The PCI SSC publishes a list of more than 130 Approved Scanning Vendors (ASVs) whose scanning services are approved for vulnerability scanning of internet-facing environments.
Please note that it is your responsibility to ensure PCI compliance by the third parties involved in any stage of the process.

Stage 2 – Remediate

During this stage you classify and prioritize all the vulnerabilities and risks identified in the assessment phase and work towards fixing them. To fix issues you may apply patches, replace or upgrade software or infrastructure components, and correct defective processes.
You must then repeat the vulnerability scan to confirm that the gaps have been closed.

Stage 3 – Reporting

PCI compliance demands regular submission of reports to your acquiring bank and to the payment brands you do business with. All merchants and processors must submit a quarterly scan report produced by a PCI SSC Approved Scanning Vendor (ASV). Organizations with large transaction volumes must have an annual onsite assessment conducted by a PCI SSC Qualified Security Assessor (QSA) and submit the findings to each acquirer. Organizations with small transaction volumes may submit a self-attested report annually using the Self-Assessment Questionnaire.

PCI DSS Goals & Requirements

There are 6 high-level goals, or control objectives, and each goal has one or more requirements that must be satisfied to meet it. The goals and their respective requirements are as follows:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Please note that although the PCI Council defines these requirements, each major payment card brand additionally runs its own compliance program with its own validation levels.

Generic Guidelines

PCI DSS provides detailed recommendations for each requirement. Below are a few generic rules that should be considered while defining detailed security procedures:

  • Merchants and any other service providers involved in payment card processing must never store sensitive authentication data after authorization. PCI DSS completely prohibits storage of full magnetic stripe (track) data, CAV2/CVC2/CVV2/CID codes and PINs/PIN blocks, even in encrypted form.
  • Keep the payment processing environment isolated from the internal network as much as possible and set up a DMZ accordingly; the smaller the cardholder data environment, the smaller the scope of the assessment.
  • Review the configurations of all systems on a periodic basis and maintain control over every system. Remember that your security is only as good as the weakest link in the chain.
  • Strictly follow a least-privilege policy and define security controls that implement "defense in depth".
  • Apply a zero-trust policy: protect information from internal employees as rigorously as from external parties. Many data leakage incidents are caused by internal employees rather than external attackers.
  • Secure data not only during the customer transaction life cycle but also in its other forms, including its use in internal reporting, backup tapes and archival systems. The less information you expose and store in your environment, the easier it is to keep it safe.


For a complete reference, please refer to the FAQ section of the PCI DSS website.

How do I decide whether my business needs to comply with PCI DSS? In particular, if my business does not accept credit card payments through its website, is there any point in having a scan performed?

A general guideline is that if you maintain a public-facing IP address associated with the network in which credit card processing occurs, then you must have a scan performed.

Is the Data Security Operating Policy defined by the credit/payment card brands different from the PCI Data Security Standard?
The PCI Council is not isolated from the credit card brands. In fact, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. are the founding members of the Council.
You may consider the PCI Data Security Standard the foundation for each brand's Data Security Operating Policy: the standard lets merchants comply with one set of data security requirements for all payment brands, while the Data Security Operating Policy of each payment card brand defines that brand's own merchant levels, validation requirements and deadlines.
More information can be found at these links:
American Express
Discover Financial Services
JCB International
MasterCard Worldwide
Visa Inc
Visa Europe

Glossary Terms used in Article

(QSA) Qualified Security Assessor: The term QSA identifies an individual (employed by a QSA company) who is qualified to perform PCI DSS compliance assessments and consulting. A QSA must meet specific information security education requirements by completing the appropriate training from the PCI Security Standards Council.
(ASV) Approved Scanning Vendor: ASVs are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers. The Council has approved more than 130 ASVs.
Acquirer: Also referred to as the acquiring bank or acquiring financial institution. The entity that initiates and maintains relationships with merchants for the acceptance of payment cards.
Payment Application Data Security Standard (PA-DSS): The PA-DSS applies to software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when those applications are sold, distributed or licensed to third parties.
