The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards for organizations that handle branded credit cards. The PCI DSS applies to ANY organization that accepts, transmits or stores any cardholder data. The PCI Standard is administered by the Payment Card Industry Security Standards Council. This Council’s mission is to enhance global payment account data security.
PCI DSS was created to increase controls around cardholder data to reduce credit card fraud in 2004.
PCI SSC is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.
Source: en.wikipedia.org
PCI DSS Certification
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. There are some commonly known best practices, such as:
- Installation of firewalls
- Encryption of data transmissions
- Use of anti-malware software
PCI DSS Compliance Levels
PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).
- Level 1: For any merchant that processes over 6M Visa transactions per year. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
- Level 2: For any merchant that processes 1M to 6M Visa transactions per year. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
- Level 3: For any merchant that processes 20,000 to 1M Visa e-commerce transactions per year. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
- Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
Source: imperva.com
12 Requirements of PCI
Protect system with firewalls: Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by your organization. Hardware firewalls are the more robust security option. They can protect an entire network and segment its internal areas.
Configure passwords and settings: Out-of-the-box devices, such as routers or POS systems, come with factory settings like default usernames and passwords. You shouldn’t keep vendor-supplied defaults around.
Protect stored cardholder data: Stored card data must be encrypted using industry-accepted algorithms (e.g., AES-256). Additionally, the encryption keys themselves must also be protected. To fulfill this requirement, you need to create and document a current cardholder data (CHD) flow diagram for all card data flows in your organization. A CHD flow diagram is a graphical representation of how card data moves through an organization. Also, you should regularly run a data discovery tool like PANscan or PIIscan. These tools help identify the location of unencrypted PAN and other sensitive information.
Encrypt transmission of cardholder data across open, public networks: For requirement 4, you need to know where you send cardholder data. Here are common places where primary account numbers (PAN) are sent: Processors, Backup servers, Third parties that store or handle PAN, Outsourced management of systems or infrastructure, and corporate offices.
Use and regularly update anti-virus software: Maintaining an up-to-date anti-malware program will prevent known malware from infecting systems. Also, be sure you or your POS vendor are regularly running your software’s anti-virus scans. Then you can configure systems to alert and report on suspicious activity, such as new files added to known malware directories or unauthorized access attempts.
Regularly update and patch systems: Be vigilant and consistently update the software associated with your system. Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including: Internet browsers, Firewalls, Application software, Databases, POS terminals, and Operating systems. To stay updated, ask your software vendors to put you on their patch/upgrade notification list.
Restrict access to cardholder data by business need to know: Configure administrator and user accounts to prevent exposure of sensitive data to those who don’t need this information. Authorized users must fit into one of the roles you outline.
Assign a unique ID to each person with computer access: user IDs and passwords need to be sufficiently complex and unique. No password should be considered “uncrackable,” which is why, as of February 1, 2018, all non-console administrative access (remote access) to in-scope systems requires multi-factor authentication.
Restrict physical access to workplace and cardholder data: In fact, most data thefts occur in the middle of the day, when staff is often too busy with their various assignments to notice someone walking out of the office with a server, company laptop, phone, etc. You are not allowed to store sensitive information like payment card data out in the open. You will also need to implement automated lockout/timeout controls on workstations, periodically inspect all devices, and most importantly.
Implement logging and log management: Logs are only useful if they are reviewed. So, you must review logs at least daily to search for errors, anomalies, and suspicious activities that deviate from the norm. You’re also required to have a process in place to respond to these anomalies and exceptions. Log monitoring systems, like Security Information and Event Monitoring tools (SIEM), can help you oversee network activity, inspect system events, alert of suspicious activity, and store user actions that occur inside your systems.
Conduct vulnerability scans and penetration tests: Your data could be left vulnerable due to defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces. Fulfilling requirement 6 (installing security updates and patches) can help correct many of these defects and vulnerabilities before attackers have the opportunity to leverage them. But in order to be sure you’ve successfully patched these vulnerabilities, you need to be able to find them and test them. For that you need to perform regular vulnerability scanning and penetration testing. A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system. Read more about penetration test.
Documentation and risk assessments: You will need to include the following information in your documentation: Employee manuals, Policies and procedures, Third-party vendor agreements, Incident response plans. Also, you must perform an annual, formal risk assessment that identifies critical assets, threats, and vulnerabilities.
This section is abbreviated from securitymetrics.com
———————————
Sources:
