PCI DSS

PCI DSS: A Pocket Guide - 3rd edition

ALAN CALDER
GERAINT WILLIAMS
Copyright Date: 2013
Published by: IT Governance Publishing
Pages: 58
https://www.jstor.org/stable/j.ctt7zsxr6
    Book Description:

    Get started with PCI DSS. Protect your customers' card data.

    All businesses that accept payment cards are prey for hackers and criminal gangs trying to steal payment card details and commit identity fraud. The PCI DSS (Payment Card Industry Data Security Standard) exists to ensure that businesses process credit and debit card orders in a way that effectively protects cardholder data. Failing to comply with the standard can have serious consequences for your ability to process card payments.

    An ideal introduction and a quick reference to PCI DSS, including version 3.0

    Co-written by a PCI QSA (Qualified Security Assessor) and updated to also cover PCI DSS version 3.0, this handy pocket guide provides all the information you need to consider as you approach the PCI DSS. It is also an ideal training resource for anyone in your organisation who deals with payment card processing.

    Coverage includes:

      • an overview of Payment Card Industry Data Security Standard V3.0
      • the consequences of a breach
      • how to comply with the standard
      • a PCI self-assessment questionnaire (SAQ)
      • procedures and qualifications
      • an overview of the Payment Application Data Security Standard

    Buy this pocket guide and get to grips with PCI DSS, including version 3.0.

    This title is part of The ITGP Compliance Series, a suite of essential guides to regulatory and legal compliance. Designed to help organisations in their efforts to address issues such as PCI DSS, anti-bribery policy management and data protection, this series is indispensable for anyone seeking to align their policies and procedures with laws and regulations. The guides also provide a quick, cost-effective way to raise awareness of key issues among staff, partners and external customers.

    eISBN: 978-1-84928-555-1
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-6)
  2. FOREWORD
    (pp. 7-9)

    Target dates for compliance with the PCI DSS have all long since passed, and the Standard is now on its third version. Many organisations around the world – particularly those that fall below the top tier of payment card transaction volumes – are not yet compliant.

    There are perhaps three reasons for this.

    The first is that, outside of a few US States, PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The UK’s Information Commissioner, however,...

  3. ABOUT THE AUTHORS
    (pp. 10-11)
  4. ACKNOWLEDGEMENTS
    (pp. 12-12)
  5. Table of Contents
    (pp. 13-13)
  6. CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)?
    (pp. 14-16)

    The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at www.pcisecuritystandards.org): American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa.

    PCI DSS consists of a standardised, industry-wide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures.

    The PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a...

  7. CHAPTER 2: WHAT IS THE SCOPE OF THE PCI DSS?
    (pp. 17-18)

    The PCI DSS is applicable if you store, process or transmit cardholder data, or if you are responsible for third parties that store, process or transmit cardholder data. The Cardholder Data Environment (CDE) is any network that possesses cardholder data or sensitive authentication data. It does not apply to your organisation if Primary Account Numbers (PANs) – the 16-digit credit card numbers – are not stored, processed or transmitted. The PCI DSS applies to any type of media on which card data may be held – this includes not only hard disk drives, floppy disks, magnetic tape and back-up media, but also embraces...

  8. CHAPTER 3: COMPLIANCE AND COMPLIANCE PROGRAMMES
    (pp. 19-21)

    Payment brands enforce the compliance process through contractual means, including higher processing fees, fines and financial penalties for non-compliance. These penalties can be applied monthly during the remediation process, and additional fines can be levied for breaches.

    ‘The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programmes and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial...

  9. CHAPTER 4: CONSEQUENCES OF A BREACH
    (pp. 22-22)

    The consequences of a data security breach are likely to be proportionate to the seriousness of the breach and the extent to which the merchant is able to demonstrate prior compliance with PCI DSS. For level one merchants, the combinations of fines, litigation and brand damage are significant; for non-level one merchants, the consequences of a breach are potentially as serious and include:

    A significant cost for a forensic investigation.

    The merchant automatically becoming a level one merchant (i.e. yearly on-site audits).

    A possible charge by issuer(s) to acquirer(s) for card re-issue, which may be passed on to the merchant....

  10. CHAPTER 5: HOW DO YOU COMPLY WITH THE REQUIREMENTS OF THE STANDARD?
    (pp. 23-31)

    All organisations must comply. There are two options for demonstrating compliance: an annual on-site security audit and the submission of four passing quarterly network scans by an ASV, or completion of a Self-Assessment Questionnaire, in some cases together with a submission of four passing quarterly network scans. Which option applies to any one organisation is determined by transaction volume and whether or not there has previously been a security breach.

    The major global payment brands require that every entity – including financial institutions, merchants and service providers – that stores, processes, or transmits payment card data, in every channel – including catalogue and...

  11. CHAPTER 6: MAINTAINING COMPLIANCE
    (pp. 32-32)

    Once an organisation has achieved compliance with the PCI DSS, it must maintain its level of compliance. This, of course, means making oneself aware of any changes to the PCI DSS itself (the latest version was released in November 2013), as well as maintaining the PCI DSS security environment.

    The PCI Council makes the point this way: Technically, it is true that, if you’ve completed a Self-Assessment Questionnaire (SAQ), you’re compliant – ‘for that particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove PCI...

  12. CHAPTER 7: PCI DSS – THE STANDARD
    (pp. 33-35)

    The PCI DSS has 12 requirements, organised into six sections. Please note that this pocket guide is no substitute for obtaining your own copy of the Standard, which is freely downloadable from www.pcisecuritystandards.org/security_standards/documents.php.

    PCI DSS version 1.0 was originally published in January 2005, with subsequent updates to version 1.1 in September 2006 and version 1.2 in October 2008. PCI DSS v2.0 was released on 28 October 2010, and most recently v3.0 was published on 7 November 2013.

    With the release of PCI DSS v2.0, the PCI Security Standards Council introduced a new three-year lifecycle for standards development. This ensures a...

  13. CHAPTER 8: ASPECTS OF PCI DSS COMPLIANCE
    (pp. 36-45)

    Establish and implement firewall and router configuration standards.

    Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

    Prohibit direct public access between the Internet and any system component in the cardholder data environment.

    Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network.

    Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

    Maintain current network and data flow diagrams

    Always change vendor-supplied defaults and remove or disable unnecessary default...

  14. CHAPTER 9: THE PCI SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
    (pp. 46-47)

    The PCI DSS Self-Assessment Questionnaire is a validation tool developed by the PCI Council to assist merchants and service providers in self-evaluating their compliance with the PCI DSS.

    All merchants and their service providers are required to comply with the PCI DSS in its entirety and, if they are eligible for self-assessment, to attest that they comply by using the standard Attestation of Compliance document. A new Self-Assessment Questionnaire and Attestation of Compliance will be released in early 2014 to meet the requirements of version 3.0 of the PCI DSS.

    In the last version of the questionnaire, there were six...

  15. CHAPTER 10: PROCEDURES AND QUALIFICATIONS
    (pp. 48-50)

    The PCI Council mandates the procedures that must be followed in conducting audits and in carrying out scanning procedures. It also lays down specific requirements for qualification as a QSA or ASV.

    www.pcisecuritystandards.org/documents/qsa_validation_requirements.pdf

    To be recognised as a QSA by the PCI SSC, QSAs must meet or exceed the requirements described in the above document and must also execute the QSA Agreement in Appendix A with the PCI Council. Clients can provide feedback on the effectiveness of the QSA.

    QSA feedback is completed online.

    Recognition as an ASV by the PCI Council requires the ASV, its employees, and its scanning...

  16. CHAPTER 11: PCI DSS AND ISO/IEC 27001
    (pp. 51-51)

    ISO/IEC 27001 is the international information security management Standard that more and more organisations are using to ensure that their information security management meets the data protection and compliance requirements of a wide variety of legislation, including the EU Data Protection Acts and Privacy Directives, HIPAA, GLBA and others.

    While the PCI Standard was not written to map specifically to ISO27001 or to any other existing framework, it sits clearly within the ISO27001 framework, and organisations that have implemented an ISO27001 ISMS should be able, with minor additional work, to also demonstrate their conformance with the PCI Standard. The individual...

  17. CHAPTER 12: PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
    (pp. 52-53)

    PA-DSS is the PCI Council-managed programme that focuses on payment applications, such as shopping carts, payment gateways, and so on. This programme was previously run by Visa Inc. and was known as Payment Application Best Practices (PABP). Increasingly, criminals are targeting vulnerabilities in payment applications to steal payment card data, and some users may unknowingly have sensitive card data stored on their system by software. PA-DSS is therefore meant to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripes, CVV2 or PIN data, and to ensure their payment applications...

  18. CHAPTER 13: PIN TRANSACTION SECURITY (PTS)
    (pp. 54-55)

    The PCI Council also has compliance requirements for PIN entry (PIN pad and point-of-sale) devices that are used in conjunction with payment cards, both in attended environments (where a cashier, merchant or sales clerk is present) and in unattended ones such as garage forecourts. There is a testing and approval guide,¹ together with detailed vendor guidance on how to gain approval. All this information is available at www.pcisecuritystandards.org/security_standards/documents.php?association=PTS

    The PIN Security Requirements contain a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card...

  19. ITG RESOURCES
    (pp. 56-59)