PCI DSS

PCI DSS: A Pocket Guide

ALAN CALDER
NICKI CARTER
Copyright Date: 2011
Edition: 2
Published by: IT Governance Publishing
Pages: 45
https://www.jstor.org/stable/j.ctt5hh6b2
    Book Description:

    Target dates for compliance with the PCI DSS itself have all long since passed. Many organisations – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant, and can no longer afford to put off the work required to fall into line with this global standard. This handy pocket guide will provide you with all the information you will need when considering how to approach the PCI DSS. Key features of this pocket guide: an overview of the Payment Card Industry Data Security Standard V2.0; who needs to be PCI compliant; consequences of a breach; how to comply with the standard; the PCI Self-Assessment Questionnaire (SAQ), including the new SAQ C-VT; procedures and qualifications; and an overview of the Payment Application Data Security Standard.

    eISBN: 978-1-84928-173-7
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. FOREWORD
    (pp. 5-6)

    Target dates for compliance with the PCI DSS itself have all long since passed. Many organisations – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.

    There are perhaps three reasons for this.

    The first is that PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card market place.

    The second is that enforcement is driven by the card payment brands, through the banks that have the...

  3. ABOUT THE AUTHORS
    (pp. 7-8)
  4. ACKNOWLEDGEMENTS
    (pp. 9-9)
  5. Table of Contents
    (pp. 10-10)
  6. CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?
    (pp. 11-13)

    The Payment Card Industry Data Security Standard (PCI DSS) was developed by the founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org), including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.

    PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.

    The PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data. The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is...

  7. CHAPTER 2: WHAT IS THE SCOPE OF THE PCI DSS?
    (pp. 14-15)

    The PCI DSS is applicable if you store, process or transmit cardholder data. The Cardholder Data Environment (CDE) is any network that possesses cardholder data or sensitive authentication data. It does not apply to your organisation if Primary Account Numbers (PANs) – the 16-digit credit card numbers – are not stored, processed or transmitted. The PCI DSS applies to any type of media on which card data may be held – this includes hard disk drives, floppy disks, magnetic tape and back-up media, but also embraces printed/handwritten credit and debit card receipts where the full card number is printed. These...

  8. CHAPTER 3: COMPLIANCE AND COMPLIANCE PROGRAMMES
    (pp. 16-18)

    Payment brands enforce the compliance process through contractual means, including higher processing fees, fines and financial penalties.

    ‘The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programmes and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.

    This all means that each payment provider will take whatever...

  9. CHAPTER 4: CONSEQUENCES OF A BREACH
    (pp. 19-19)

    The consequences of a data security breach are likely to be proportionate to the seriousness of the breach and the extent to which the merchant is able to demonstrate prior compliance with PCI DSS. For level one merchants, the combinations of fines, litigation and brand damage are significant; for non-level one merchants, the consequences of a breach are potentially as serious and might include:

    • There will be a significant cost for a forensic investigation.
    • The merchant automatically becomes a level one merchant (i.e. yearly on-site audits).
    • There may be a charge by issuer(s) to acquirer(s) for card re-issue, which may...

  10. CHAPTER 5: HOW DO YOU COMPLY WITH THE REQUIREMENTS OF THE STANDARD?
    (pp. 20-25)

    All organisations must comply. There are two options for demonstrating compliance: either an annual on-site security audit together with a quarterly network scan, or completion of a Self-Assessment Questionnaire, in some cases together with an annual network scan. Which option applies to any one organisation is determined by transaction volume and whether or not there has previously been a security breach.

    Two groups of organisations must demonstrate compliance with PCI DSS: merchants and service providers.

    Compliance requirements are dependent on a merchant’s activity level. There are four levels, based on the annual number of credit/debit card transactions. While payment brands determine the...

  11. CHAPTER 6: MAINTAINING COMPLIANCE
    (pp. 26-26)

    Once an organisation has achieved compliance with the PCI DSS, it must maintain its level of compliance. This, of course, means making oneself aware of any changes to the PCI DSS itself (the latest version was released in October 2010), as well as maintaining the PCI DSS security environment.

    The PCI Council makes the point this way: Technically, it is true that, if you’ve completed a Self-Assessment Questionnaire (SAQ), you’re compliant – ‘for that particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove...

  12. CHAPTER 7: PCI DSS – THE STANDARD
    (pp. 27-28)

    The PCI DSS has 12 requirements, organised into six sections. Please note that this pocket guide is no substitute for obtaining your own copy of the standard, which is freely downloadable from www.pcisecuritystandards.org/security_standards/documents.php.

    PCI DSS version 1.0 was originally published in January 2005, with subsequent updates to version 1.1 in September 2006 and version 1.2 in October 2008. The current version is PCI DSS v2.0 which was released on 28 October 2010.

    With the release of PCI DSS v2.0, the PCI Security Standards Council has introduced a new three-year lifecycle for standards development. This ensures a gradual and phased introduction...

  13. CHAPTER 8: ASPECTS OF PCI DSS COMPLIANCE
    (pp. 29-32)

    • Create and maintain firewall configuration standards.
    • Consider placement of DMZ and firewalls.
    • Restrict inbound/outbound traffic.
    • Develop network diagrams.
    • Change all vendor default passwords.
    • Develop and implement configuration standards for all system components.
    • Remove unnecessary functionality.
    • Data retention and disposal policy.
    • Do not store sensitive authentication data post authorisation, including the security code (CVV2 etc.), magnetic stripe (track 1/track 2), or the Personal Identification Number (PIN) or encrypted PIN block.
    • Mask the PAN when displayed.
    • Render the PAN unreadable anywhere it is stored.
    • Document key management processes and procedures for keys used for the encryption of cardholder data.
    • Applies to transmission of...

  14. CHAPTER 9: THE PCI SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
    (pp. 33-34)

    The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool developed by the PCI Council to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

    All merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety and, if they are eligible for self-assessment, to attest that they comply by using the standard Attestation of Compliance document. In October 2010, the PCI Security Standards Council introduced a new Self-Assessment Questionnaire (and the Attestation of Compliance) that is in line with version 2.0...

  15. CHAPTER 10: PROCEDURES AND QUALIFICATIONS
    (pp. 35-37)

    The PCI Council mandates the procedures that must be followed in conducting audits and in carrying out scanning procedures. It also lays down specific requirements for qualification as a QSA or an ASV.

    (www.pcisecuritystandards.org/documents/qsa_validation_requirements.pdf)

    To be recognised as a QSA by the PCI SSC, QSAs must meet or exceed the requirements described in the above document and must also execute the QSA Agreement with the PCI Council below. Clients can provide feedback on the effectiveness of the QSA.

    (www.pcisecuritystandards.org/documents/qsa_validation_requirements.pdf)

    (www.pcisecuritystandards.org/documents/qsa_feedback_form_-_client.pdf)

    (www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php)

    This list, which is updated on a regular basis, contains contact details for all Qualified Security Assessors, together with...

  16. CHAPTER 11: PCI DSS AND ISO/IEC 27001
    (pp. 38-39)

    ISO/IEC 27001 is the international information security management standard that more and more organisations are using to ensure that their information security management meets the data protection and compliance requirements of a wide variety of legislation, including the EU Data Protection Acts and Privacy Directives, HIPAA, GLBA and others.

    While the PCI standard was not written to map specifically to ISO27001 or to any other existing framework, it sits clearly within the ISO27001 framework, and organisations that have implemented an ISO27001 ISMS should be able, with minor additional work, to also demonstrate their conformance with the PCI standard. The individual...

  17. CHAPTER 12: PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
    (pp. 40-41)

    PA-DSS is the PCI Council-managed programme that focuses on payment applications, such as shopping carts, payment gateways, and so on. This programme was previously run by Visa Inc. and was known as Payment Application Best Practices (PABP). Increasingly, criminals are targeting vulnerabilities in payment applications to steal payment card data, and some software may be storing sensitive card data on a user’s system unknowingly. PA-DSS is therefore meant to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripes, CVV2 or PIN data, and to ensure their payment applications...

  18. CHAPTER 13: PIN TRANSACTION SECURITY (PTS)
    (pp. 42-42)

    The PCI Council also has compliance requirements for PIN entry (PIN pad and point-of-sale) devices that are used in conjunction with payment cards in environments attended by a cashier, merchant or sales clerk. There is a testing and approval guide and a list of approved devices, together with detailed vendor guidance on how to gain approval. All this information is available at www.pcisecuritystandards.org/security_standards/documents.php?association=PTS.

    The PIN Transaction Security programme includes unattended payment terminals (UPTs) and hardware security modules (HSMs), so that these devices can be rigorously tested to ensure they secure cardholder data in a payment process. UPTs are unattended payment...

  19. ITG RESOURCES
    (pp. 43-45)