ComplianceOnline

Payment Card Industry Data Security Standard (PCI DSS) – Background, Overview and Compliance Requirements

  • By: Staff Editor
  • Date: August 08, 2010

Background

The PCI DSS is defined by the Payment Card Industry Security Standards Council. It was created after a series of card payment related frauds. The aim of the PCI DSS is to increase controls around cardholder data to reduce credit card fraud.

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as any other entity that stores, processes or transmits cardholder data.

The Payment Card Industry (PCI) Data Security Standards (DSS) are now required for all merchants, including:

  • Retail (brick-and-mortar)
  • Mail/telephone order
  • e-Commerce

All major card brands, including Visa, MasterCard, American Express, Discover, Diners Club and JCB, endorse and require the unified PCI Data Security Standard.

Overview of PCI DSS Requirements

PCI DSS 2.0 was released on 26 October 2010. All organizations handling payment card data have to comply with it by 1 January 2011, and from 1 January 2012 all assessments must be under version 2.0 of the standard.

PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.

The table below gives a brief overview of the PCI DSS’ 12 requirements:

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

A firewall is a device that examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems associated with cardholder data must be protected from unauthorized access from untrusted networks.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Vendor default passwords and other vendor default settings are well known to hacker communities, making it easy for systems that still use them to be compromised. Therefore, these passwords and settings should be changed immediately.

Requirement 3: Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.
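As an added illustration (not code from the original article), the following Python applies three of the protection methods named above, masking, truncation and a keyed hash, to a constructed test PAN, and then scans a constructed log line for any PAN that escaped masking. The HMAC key and the sample values are placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample only: a PAN from a well-known test range, not a real card.
SAMPLE_PAN = "4111111111111111"
# Assumption: in production the HMAC key comes from a key-management system,
# never from source code; this placeholder exists only so the example runs.
DEMO_KEY = b"placeholder-key-not-for-production"
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects input that is not a plausible PAN before storing or logging."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: show at most the first six and last four digits,
    the maximum PCI DSS allows to be displayed to staff without a need for the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits and discard the rest."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so records can be matched without storing the PAN.
    A plain hash is not enough: the PAN space within a known BIN range is small
    enough to enumerate, so the secret key is what keeps the hash unrecoverable."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(text: str) -> list[str]:
    """Detection helper: flag Luhn-valid 13-19 digit runs in log or export text,
    i.e. cardholder data that escaped masking or truncation."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


# Constructed log line for the detection check (not from the original page).
SAMPLE_LOG = "2010-08-08 12:00:01 pos-app: auth ok card=4111111111111111 amount=10.00"
```

Running find_unmasked_pans over application logs before they are shipped to a log store is a cheap way to catch the most common Requirement 3 failure, a full PAN written to disk in clear text.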

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals.

Requirement 5: Use and regularly update anti-virus software or programs

Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities, including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.

Therefore, anti-virus software must be used on all systems.

Requirement 6: Develop and maintain secure systems and applications

All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.

Requirement 7: Restrict access to cardholder data by business need to know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.

Requirement 8: Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 9: Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies. Therefore, physical access should be appropriately restricted.

Requirement 10: Track and monitor all access to network resources and cardholder data

Tracking and monitoring user access to network resources and cardholder data is vital for determining the cause of a security breach or compromise.

The presence of activity logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong.

Requirement 11: Regularly test security systems and processes

Testing is critical to protect card payment data because vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Requirement 12: Maintain a policy that addresses information security for all personnel

Why is a security policy necessary?

  • A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them.
  • All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.

PCI DSS Compliance

The following are the completion steps to achieve PCI DSS compliance:

1. Assess the environment for compliance with the PCI DSS.
2. Complete the Self-Assessment Questionnaire (SAQ D) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
3. Complete a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
4. Complete the Attestation of Compliance in its entirety.
5. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).

Both Visa and MasterCard impose fines for non-compliance.

Validation of Compliance

Validation of compliance is done annually, either by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
