PCI-DSS stands for payment card industry data security standard. In September 2006, 5 major credit card brands(Visa International, MasterCard, American Express, Discover, and JCB) established the payment card Industry Security Standards Council (PCI-SSC). PCI-SSC created and continues to oversee PCI-DSS, which is an information security standard for organizations that accept or process credit cards in any way. Failure to comply with the rules outlined in this standard can result in heavy penalties. For example one Tennessee based retailer was charged $13.2 million by Visa for failure to meet the standards. Typically fines range from 5-10k per month until compliance is achieved, but these fines increase the longer a company doesn’t meet compliance. Also, fines ranging from $50 to $90 can be charged per affected customer if a data breach occurs.
How does PCI-DSS work?
This regulation affects all companies that accept/process credit cards or accept, transmit or store cardholder information. In the event of data breach, all of those companies are directly accountable to the card company and the banks that handle the money involved in the transaction. Cardholder information includes any of the following:
– Primary Account Number (PAN)
– Cardholder Name
– Expiration Date
– Service Code
– Magnetic strip data
– CAV2, CVC2, CVV2, CID
– Card PINS
PCI-DSS Security Standards
PCI-DSS mandates that companies meet certain security goals, meant to ensure that the company’s infrastructure is secure.
In order to make this easier to implement, the PCI website provides these security tips for meeting compliance requirements:
Buy and use only approved PIN entry devices at your points-of-sale.
Buy and use only validated payment software at your POS or website shopping cart.
Do not store any sensitive cardholder data in computers or on paper.
Use a firewall on your network and PCs.
Make sure your wireless router is password-protected and uses encryption.
Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
Teach your employees about security and protecting cardholder data.
Follow the PCI Data Security Standard.
Ensure peer-to-peer encryption
This diagram shows how all of these controls fit into the payment processing workflow:
Source @ pcisecuritystandards.org
How to be Compliant?
There are 3 things every company needs to complete yearly to be compliant to PCI-DSS. You need to complete an Attestation of Compliance form, a quarterly network scan and an assessment.
Attestation of Compliance
This is a form that is filled out by merchants to attest to their compliance with the PCI-DSS standards. It is submitted along with the other two elements below to the council to show that your company has taken all required action. You can find a link to download the form here, under reporting templates and forms.
Quarterly Network Scan
PCI DSS mandates internal and external network vulnerability scans for all systems and network segments within the scope of PCI DSS. This must be performed at least quarterly and after any significant change in the network. Significant changes include new system installations, changes in network topology, change in firewall/security group rules etc. The scan must be performed by a payment card industry Security Standards Council approved Security Vendor (PCI SSC ASV). Once the scan is performed, you will get a report of all the vulnerabilities that the vendor found on your network. In order to pass the test and be approved, you must fix all the vulnerabilities ranked critical, high risk, medium risk or with a Common Vulnerability Scoring System (CVSS) of 4.0 or higher. This is a sample summary below:
PCI Approved Assessment
The specific requirements for PCI-DSS assessments vary depending on the “level” of your company. There are four levels that all companies under PCI-DSS fit into:
Source @ imperva
Level 1 Organizations
For Level 1 companies the assessment must be an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They will perform an on site evaluation of your company on the following areas:
Review your documentation and technical information
Determine whether the PCI DSS’s requirements are being met
Evaluate your compensating controls
The auditor will then complete a RoC (Report on Compliance), which will be given to your company’s acquiring banks/vendors to demonstrate your compliance.
Level 2-4 Organizations
Organizations in PCI Levels 2-4 can complete an SAQ (self assessment questionnaire) instead of an external audit. However, the type of SAQ you complete varies depending on how you process your payment card information and your company’s compliance level. Their website provides a breakdown of each SAQ and you can pick the one that best describes your company.
Recap
PCI-DSS is a security standard that applies to all companies that accept/process credit cards for payment or collect customer payment information. It outlines a baseline set of security standards that all companies need to adhere too. In addition to that, each company has 3 responsibilities that need to be upheld yearly. You must complete an attestation of compliance where you give your word that your company has met its requirements. Second, you must perform a network vulnerability scan every quarter and fix any serious vulnerabilities. Lastly, you have to perform an assessment of your company. This assessment will vary depending on the amount of credit card payments you process per year. You can find a link to the complete PCI-DSS reference guide here.