PCI-DSS Compliance

PCI -DSS  Compliance 

What is PCI?

The PCI (Payment Card Industry) is a sector within the financial industry that is responsible for all electronic payments. As purchases are executed through debit, credit, ATM, POS, and prepaid systems, sensitive financial data is constantly transmitted to different parts of the world.  Given the vast financial values involved, strict security measures must be in place in order to protect all users engaging in non-cash exchanges of payment.

 

What is PCI-SSC ?

To create these standards, the major financial corporations developed the PCI-SSC (Payment Card Industry Security Standards Council) which stands as an independent entity from the top financial firms in the US and Japan.   The council attempts to protect cardholders by setting strict security standards for merchants and for vendors of payment-processing solutions.

The PCI Security Standards Council  is a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data.    It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS). 

 

What is PCI DSS ?

Credit and debit cards fuel most global commerce transactions.   By definition, they are also a lucrative targets for fraudsters.  To protect cardholder data, merchants and vendors must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which establishes a baseline level of security for organizations that store, process, or transmit payment card data.

The PCI Data Security Standard  has grown significantly in stature and coverage since its early beginnings. PCI DSS requirements are potent and comprehensive.  Any organizations that invests the time and effort to comply with them will be dramatically more secure and protected from cybersecurity threats.

 

Who Must Comply with PCI DSS ?

The term “standard” in the PCI Data Security Standard could lead merchants to incorrectly conclude that  implementation of PCI  compliance requirements is  “voluntary” or  “good to have” rather than a requirement.   In reality, PCI DSS is effectively an ironclad requirement/regulation.   Any merchant that  attempts to process a credit card, issued by a member organization, without having implemented  PCI-DSS, will likely be subject to a large fine.  This fine will be levied shortly after the merchant is barred from  processing any  transactions.   So, unless a merchant is planning to run a “cash only”  business,  the PCI-DSS  Standard and related certification is not optional.  

 

What are the PCI DSS  Requirements (Control Objectives) ?

PCI compliance requirements are built around  six “control objectives,” and each of these objectives has sub-requirements  that organizations must follow. A total of 12 compliance sub-requirements complement the six control objectives.  The summary may be found below:

 

Control Objectives  –  PCI DSS Requirements

1. Build and Maintain a Secure Network

• a. Install and maintain a firewall configuration to protect cardholder data.
• b. Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect Cardholder Data

• a. Protect stored data.  
• b. Encrypt transmission of cardholder data across open, public networks.

3. Maintain a Risk/Vulnerability Management Program

• a. Use and regularly update anti-virus software.  
• b. Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

• a. Restrict access to cardholder data by business need-to-know.  
• b. Assign a unique ID to each person with computer access.  
• c. Restrict physical access to cardholder data.

5. Implement Strong Monitoring Measures

• a. Track and monitor all access to network resources and cardholder data.
• b. Regularly test security systems and processes.

6. Maintain an Information Security Policy

• a. Maintain a policy that addresses information security.

 

Expanded Review of Requirements (Prescriptive)

1. Protect your cardholder data with firewalls. Firewalls are designed to block inbound and outbound network traffic from untrusted networks.
2. Change vendor-supplied default passwords and configurations. These defaults are freely published online and available for hackers to misuse.
3. Protect cardholder data at rest using strong encryption, hashes, and/or other methods that are part of industry-accepted best practices.
4. Protect cardholder data in transit using strong encryption, trusted keys, and trusted digital certificates.
5. Use anti-virus and anti-malware software to protect all systems, and keep it fully updated at all times with the latest patches and signatures.
6. Establish a process to identify vulnerabilities in systems and applications so that they can be remediated expeditiously.
7. Restrict all access to cardholder data by employing the principles of least privilege and “need to know.”
8. Assign a unique ID to each individual with access to systems and applications so that complete accountability of access is in place.
9. Use electronic access keys, surveillance and other security measures to restrict physical access to cardholder data and cardholder data systems.
10. Establish a logging and monitoring mechanism to track access and user activities related to cardholder data and cardholder network resources.
11. Perform annual penetration tests and comprehensive risk assessments on the cardholder data environment. Perform quarterly vulnerability scans.
12. Draft, maintain, and disseminate a comprehensive data security policy and update it annually or whenever there is a significant change in the technological/operational

 

How Does the Transaction Volume Impact PCI-DSS Compliance?

PCI compliance requirements applicable to a merchant/organization are highly dependent on how many credit, debit and pre-paid card transactions are processed by them each year. The greater the number of transactions, the higher the level of required compliance and compliance validation.   Two use cases next;

• More than 6 million transactions per year;    merchant must hire a specially trained assessor (PCI QSA) to conduct an audit every year.   
• Less than 6 million transactions per year;    merchants may not required to perform an audit, but must perform quarterly network scans to look for signs of trouble.

         As we will see below, there are exceptions triggering an audit requirement, for transactions less than six        million  (see  Four PCI-DSS Compliance Levels, Based on Transaction Volume, and Source Vendor  ).  Both American Express and  JCB (Japan Credit Bank) trigger Site Audits at lower transaction levels, than Visa, Mastercard, or Discover. 

 

What are the Four PCI Transaction Levels?

• Level 1:     > 6 milion transactions/year   
• Level 2:     1 million to 6 million transactions/year   
• Level 3:     20,000 to 1 million transactions/year  
• Level 4:     < 20,000 transactions/year

 

What are the Major Possible Components of PCI DSS Compliance, and the Deliverable Form?

• Self-Assessment Questionnaire  (SAQ)
• Attestation of Compliance  
• Quarterly Network Scans  
• Report on Compliance  
• Annual Audit  
• Special Situations & Elevated Compliance Requirements

 

When Do I Need to Select a PCI QSA  Firm ?

When an annual audit is required for PCI DSS compliance, it must be performed by a Payment Card Industry Qualified Security Assessor (PCI QSA) company.    A PCI QSA is certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance.

The PCI Security Standards Council maintains a list of all the individuals and companies that have successfully completed training and certification as a PCI QSA.

A PCI compliance audit automatically applies to PCI level 1 compliance entities  –  those with more than 6 million transactions/year.  

Organizations that must complete a self-assessment questionnaire (SAQ) can voluntarily request the assistance of a PCI QSA  firm.   Voluntary interaction with a competent PCI QSA company can assist a  merchant  in becoming more cognizant of compliance requirements in the light of business/operational goals.   The PCI Security Standards Council website provides a list of certified PCI QSAs.

 

What is a SAQ?   How Many Different Types of SAQ’s are There ?

A SAQ is a self-assessment questionnaire.   There are eight of them, below.

 

• A:                 Card-not-present merchants (mail/telephone-order or e-commerce) who have completely                                     outsourced all cardholder data processing to a third-party vendor and do not store, process or                           transmit any cardholder data on their systems or premises 
• A-EP:           E-commerce merchants who partially outsource all payment processing to a PCI DSS                                           compliant firm.
•  B:                Merchants who do not store any electronic cardholder data and process payments either via                              standalone terminals.           
•  B-IP:            Merchants who process online payments using only standalone , PTS-approved payment                                    terminals.
•  C:                Merchants with payment application systems connected to the Internet and no electronic                                   cardholder data storage.
•  C-VT:          Merchants who externally host a web payment application hosted by a PCI DSS validated                                   third-party service provider. These types of merchants use a virtual payment terminal solution                           with no electronic cardholder data storage.
•  D:                Merchants not included in descriptions for the above SAQ types.   Applicable to all service                                 providers defined by a payment brand as eligible to complete an SAQ.
•  P2PE:         Merchants who process card data only via payment terminals included in a validated and                                     PCI SSC-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage.

For each of the eight(8) Self-Assessment Questionnaires(SAQ’s), the number of questions to be answered may be found below;        { Note that D has been divided into two categories below }