PCI-DSS:- Overview for Beginners

Kaustubh
4 min read · Nov 9, 2021

All you need to know about PCI-DSS


The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed specifically for organizations that store, process or transmit cardholder data. The standard was created to increase controls around cardholder data and so reduce credit card fraud.

The Problem!!

Initially, card companies like Visa, MasterCard, American Express, Discover and JCB were each trying to implement their own additional levels of protection for card issuers, to ensure that a minimum level of security was met when processing, storing or transmitting cardholder data. Because each implementation was custom, this created an interoperability problem: merchants struggled because their POS terminals had to comply with every card company's specific standard. There was a need to address this problem.

The Solution!!

To address this interoperability issue and to solve the compliance problems of merchants, these leading card companies (Visa, MasterCard, American Express, Discover and JCB) formed a joint venture and released v1.0 of PCI DSS in 2004. It has since been implemented and followed across the globe. The PCI SSC (Security Standards Council) was formed by the five companies in September 2006 as the governing body that manages the evolution and development of PCI DSS.

Now let us dive straight into this framework.

Compliance Levels

PCI DSS is divided into 4 compliance levels, based on the number of transactions processed per year. These levels determine what an enterprise needs to do to remain compliant. (There are many abbreviations in this section; we look at them in detail further below.)

Level 1:-

  • More than 6 million transactions are processed annually
  • Must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Must complete quarterly network scans by an Approved Scanning Vendor (ASV)
  • Must complete the Attestation of Compliance form

Level 2:-

  • 1 to 6 million transactions are processed annually
  • Complete an annual Self-Assessment Questionnaire (SAQ)
  • Must complete quarterly network scans by an Approved Scanning Vendor (ASV)
  • Must complete the Attestation of Compliance form

Level 3:-

  • 20,000 to 1 million card transactions are processed annually
  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Level 4:-

  • Less than 20,000 transactions are processed annually
  • Complete an Annual SAQ
  • Complete a quarterly network scan by an ASV
  • Complete the Attestation of Compliance Form

Requirements

The requirements of PCI-DSS are grouped into 6 control objectives, which expand into 12 requirements in total. We look at them now.

C1: Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

C2: Protect Cardholder Data

  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

C3: Maintain a Vulnerability Management Program

  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

C4: Implement Strong Access Control Measures

  7. Restrict access to cardholder data to authorized personnel only. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.

C5: Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes. This is important because new vulnerabilities are constantly discovered, and systems need to be patched against them.

C6: Maintain an Information Security Policy

  12. A strong security policy includes making personnel understand the sensitivity of the data and their responsibility to protect it.
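As an added illustration (not from the original post) of what requirements 3 and 10 look like in code: masking a PAN for display, a keyed one-way hash for storage, and a scan of log lines for full PANs that should never have been written. It assumes the standard's first-six/last-four display allowance, uses a constructed log sample, and the function names are mine.

```python
import hashlib
import hmac
import re

# 13-19 digit candidate PAN, digits optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log: line 1 leaks a full PAN, line 2 is masked, line 3 is an order id
SAMPLE_LOG = (
    "2021-11-09T10:00:00Z INFO checkout ok pan=4111111111111111 amount=12.50\n"
    "2021-11-09T10:00:01Z INFO checkout ok pan=411111******1111 amount=9.99\n"
    "2021-11-09T10:00:02Z INFO order id=1234567890123 amount=3.00\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives when hunting for PANs in free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3 (display): show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Requirement 3 (storage): keyed one-way hash so the PAN itself is never stored.
    A plain SHA-256 is not enough: with a known BIN and the Luhn rule the search
    space is small, so the secret key is what makes the token non-reversible."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(log_text: str) -> list[str]:
    """Requirement 10 hygiene: return every Luhn-valid full PAN found in log text."""
    hits = []
    for match in PAN_RE.finditer(log_text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits
```

Running find_unmasked_pans over SAMPLE_LOG flags only the first line; the masked value on line 2 and the order id on line 3 (which fails the Luhn check) are left alone.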

Okay!! Now you have the compliance levels and all the requirements in place. But how do you assess whether the security controls and procedures are properly implemented?

It is done by Validation of Compliance!!!

Validation of compliance

It involves evaluating and confirming that the security controls and procedures are implemented properly as per the policy requirements. It involves the following entities and documents.

Qualified Security Assessor (QSA)

  • An individual certified by the PCI Security Standards Council.
  • Can audit merchants for compliance with the PCI-DSS standard.

Internal Security Assessor(ISA)

  • An individual certified by the PCI Security Standards Council.
  • Has the ability to perform a self-assessment for the organization.
  • The certification enables an employee to carry out an internal assessment of their own organization and propose security solutions/controls for PCI DSS compliance.
  • As ISAs are sponsored by their organization for the PCI SSC certification, they are responsible for cooperating and working with QSAs.

Report on Compliance (ROC)

  • A Report on Compliance is a form that has to be completed by all Level 1 Visa merchants undergoing a PCI DSS audit.
  • The ROC form is used to verify that the merchant being audited is compliant with the PCI DSS standard.
  • The ROC confirms that policies, strategies, approaches and workflows are appropriately developed and implemented by the organization to protect cardholders against fraud in card-based business transactions.

Self-Assessment Questionnaire (SAQ)

  • The Self-Assessment Questionnaire is a set of questionnaire documents that merchants are required to complete every year and submit to their transaction bank.
  • The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to help merchants and service providers report the results of their PCI DSS self-assessment.
  • There are eight different types of SAQ, each with a different level of complexity. The most basic is SAQ-A, consisting of just 22 questions; the most complex is SAQ-D, consisting of 329 questions.

This was a rough overview of the PCI-DSS framework. I will be posting more such frameworks for beginners so stay tuned.

References

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
