PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant. The PCI SSC ("Council") is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined [1]. All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessors - i.e. companies that have completed a three-step certification process[2] by the PCI SSC which recognizes them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire (SAQ)[3]. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant's region.
The PCI Security Standards also include:
- PIN Entry Device (PED) Security Requirements
PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Merchants should use only PIN entry devices that are tested and approved by the PCI SSC. Authorized devices are listed at: List of PCI Approved PIN Entry Devices
- Payment Application Data Security Standard (PA-DSS)
The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: List of PCI Validated Payment Applications
Contents |
Requirements
The current version of the standard (1.2)[4] specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives."
| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| 4. Encrypt transmission of cardholder data across open, public networks | |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software |
| 6. Develop and maintain secure systems and applications | |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| 8. Assign a unique ID to each person with computer access | |
| 9. Restrict physical access to cardholder data | |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| 11. Regularly test security systems and processes | |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
History
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.
PCI is one of multiple data security standards that have emerged over the past decade; BS7799, ISF Standards, Basel II, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act of 2002,
The next version 1.2 was released on October 1, 2008.[5]. Version 1.1 will be "sunset" on December 31, 2008 [6]. v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats.
Updates and Supplemental
The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following
- Information Supplement: Requirement 11.3 Penetration Testing[7]
- Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified[8]
- Navigating the PCI SSC - Understanding the Intent of the Requirements [9]
Compliance and Wireless LANs
The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats. PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless networks used in any environments containing credit card data. They are:
- Firewall segmentation between wireless networks and the point of sale networks or any network that comes in contact with credit card information.
- Use of wireless analyzers (a.k.a. Wireless Intrusion Detection System) to detect any unauthorized wireless devices and attacks
References
- ^ In Data Leaks, Culprits Often Are Mom, Pop - WSJ.com
- ^ Become a Qualified Security Assessor (QSA)
- ^ PCI SSC New Self-Assessment Questionnaire (SAQ) Summary
- ^ PCI DSS - PCI Security Standards Council
- ^ PCI SECURITY STANDARDS COUNCIL RELEASES VERSION 1.2 OF PCI DATA SECURITY STANDARD
- ^ Supporting Documents PCI DSS
- ^ Information Supplement: Requirement 11.3 Penetration Testing
- ^ Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
- ^ Navigating the PCI SSC - Understanding the Intent of the Requirements
Updates on PCI DSS v1.2
External links
No comments have been added.
