5. What is PCI?
PCI stands for the Payment Card Industry and is used to refer to:
• The PCI Security Standards Council™ (PCI SSC), an industry body founded by the major card brands to protect cardholder data.
Founders: the major card brands
• The global security standards created and maintained by the PCI SSC to protect cardholder payment data.
• Key Learning Point: Compliance with PCI Security Standards is mandatory for merchants and their service providers, and is enforced by the major card brands who established the PCI SSC.
6. What is PCI DSS?
“The PCI Data Security Standard represents a
common set of industry tools and measurements
to help ensure the safe handling of sensitive
information…the standard provides an actionable
framework for developing a robust account data
security process - including preventing, detecting
and reacting to security incidents.”
– PCI Standards Council –
7. Why are the PCI Security Standards Important?
The Standards are important because they:
Protect cardholder data in order to help prevent data compromises and subsequent fraud activity…
• Customers expect merchants and their acquirers to keep their card account data safe
• Data compromises can result in significant fines and losses for merchants and can damage the merchant’s reputation with customers
• The number of data compromise incidents is increasing annually – organized criminal enterprises are targeting vulnerable merchants
9. Key Definitions
Data definitions
• Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code, Expiration Date.
• Sensitive authentication data: Full Magnetic Stripe Data, CVV, PIN (Personal Identification Number).
Keywords
• PCI DSS: Payment Card Industry Data Security Standard
• PA-DSS: Payment Application Data Security Standard
• PTS: PIN Transaction Security
• QSA: Qualified Security Assessor
• SAQ: Self-Assessment Questionnaire
• ASV: Approved Scanning Vendor
10. PCI Standards Boundary
• The PCI Data Security Standard (PCI DSS): If a business accepts or processes payment cards, it must comply with the PCI DSS. It is the standard that merchants, processors, and service providers must meet for the complete protection of payment cardholder data.
• The Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) requirements (previously known as PIN Entry Device (PED) security requirements) support the overall implementation of PCI DSS by allowing merchants to choose from Council-certified payment application software and PIN entry devices.
11. Recommended Understanding
PCI DSS tells you what you need to do: what standards you need to meet to be compliant.
PCI DSS does not tell you how to become compliant. That is individual to your situation and your environment:
- Your systems
- Your processes
- Your vendors
- Your customers
Being compliant does not necessarily make you secure.
Being secure leads to compliance – not the other way around.
14. Determining your PCI Level
You need to assess where you are on the scale of risk:
Level 1
• All channels: more than 6MM Visa or MC transactions per year
Level 2
• All channels: 1MM - 6MM Visa or MC transactions per year
• E-commerce: >150,000 - 6MM MC transactions per year
Level 3
• 20,000 - 150,000 e-commerce MC transactions per year
• 20,000 - 999,999 e-commerce Visa transactions per year
Level 4
• <20,000 Visa or MC e-commerce transactions per year
• <1MM non-e-commerce Visa or MC transactions per year
15. Validation requirements
Level 1 Merchants
• Complete an annual on-site PCI Data Security Assessment in accordance with the PCI Audit Procedures (Visa website). You can use this template for your Report on Compliance (ROC).
• Engage a Visa-approved Qualified Data Security Company to complete your ROC.
• Validate the ROC by the due date (preferably sooner, in case issues arise in the ROC; this will help eliminate assessment of fines).
• Provide the ROC to Bank of America Merchant Services.
• The merchant’s internal auditor may prepare the ROC, which must be accompanied by a letter signed by an executive-level officer of the merchant’s organization validating the ROC.
• Complete quarterly network scans to check your systems for vulnerabilities.
• Complete annual penetration testing to test that your systems are hacker-resistant.
• Ensure that these security scans are performed by a qualified independent scan vendor.
Level 2, 3 and 4 Merchants
• Complete and validate an annual PCI Self-Assessment Questionnaire.
• Complete quarterly network scans to check your systems for vulnerabilities.
• Complete annual penetration testing to test that your systems are hacker-resistant.
• Ensure that these security scans are performed by a qualified independent scan vendor.
16. Selecting the SAQ that Best Applies to Your Organization
SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, no cardholder data storage.
SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
22. Principles
SECURE – TRACK – AUDIT
• You need to ensure that your data is first secured, both physically and electronically.
• You need to ensure you have mechanisms in place to track who accesses your data and when.
• You need to review your tracking (audit) to look for anomalies.
23. PCI DSS – Requirements
Six Goals, Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
24. PA-DSS Introduction
Formerly known as PABP (Payment Application Best Practices), supervised by Visa
Goals
• Develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data
• Ensure their payment applications support compliance with the PCI DSS
The requirements for the PA-DSS are derived from the PCI DSS.
Why focus on software? Vulnerable payment applications are currently the leading cause of data compromise incidents, particularly for small merchants.
25. PA-DSS Requirements
Fourteen Requirements
Requirement 1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
Requirement 2: Protect stored cardholder data
Requirement 3: Provide secure authentication features
Requirement 4: Log payment application activity
Requirement 5: Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25, CERT Secure Coding)
Requirement 6: Protect wireless transmissions
Requirement 7: Test payment applications to address vulnerabilities
Requirement 8: Facilitate secure network implementation
Requirement 9: Cardholder data must never be stored on a server connected to the Internet
Requirement 10: Facilitate secure remote software updates
Requirement 11: Facilitate secure remote access to payment application
Requirement 12: Encrypt sensitive traffic over public networks
Requirement 13: Encrypt all non-console administrative access
Requirement 14: Maintain instructional documentation and training programs for customers, resellers, and integrators
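The definitions slide separates cardholder data (PAN, name, expiry, service code) from sensitive authentication data (full track data, card verification codes, PIN), and PA-DSS Requirements 1 and 2 turn that split into a rule: the first may be stored only when protected, the second may never be retained after authorization. A practical way to check an application against that rule is to scan its own output (logs, debug dumps, support exports) for both classes of data. The following Python is an added example written for this page, not code from the slides or from the PCI SSC: it flags and removes track-2 data and labelled card verification codes, and masks any Luhn-valid PAN to its first six and last four digits, the common display-masking form. The regular expressions, the `[... REMOVED]` markers and the sample log lines are all constructed for the example; the 4111… and 5555… numbers are widely published test card numbers, not real accounts.

```python
"""Added example (not from the slides): find cardholder data and sensitive
authentication data in text records and produce a redacted copy."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2-style magnetic stripe data: PAN, '=' separator, expiry (YYMM), service
# code and discretionary data, optionally wrapped in the ';' and '?' sentinels.
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{7,}\??")
# Card verification code written next to a label, e.g. "cvv2=123" or "CID: 4567".
CVC_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check; filters order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the middle with '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str         # "PAN" (cardholder data), "TRACK2" or "CVC" (sensitive authentication data)
    masked_pan: str   # masked PAN the finding relates to, or "" for a lone verification code


def scan_record(line_no: int, line: str) -> tuple[str, list[Finding]]:
    """Return the redacted line and the findings for one record."""
    findings: list[Finding] = []

    def drop_track(m: re.Match) -> str:
        # Track data must never be retained (PA-DSS Req. 1); keep only the masked PAN for the report.
        findings.append(Finding(line_no, "TRACK2", mask_pan(m.group(1))))
        return "[TRACK DATA REMOVED]"

    def drop_cvc(m: re.Match) -> str:
        findings.append(Finding(line_no, "CVC", ""))
        return "[CVC REMOVED]"

    def mask(m: re.Match) -> str:
        candidate = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(candidate):
            return m.group(0)   # not a card number: leave order numbers and the like untouched
        masked = mask_pan(candidate)
        findings.append(Finding(line_no, "PAN", masked))
        return masked

    redacted = TRACK2_RE.sub(drop_track, line)   # track data first: it embeds a PAN
    redacted = CVC_RE.sub(drop_cvc, redacted)
    redacted = PAN_RE.sub(mask, redacted)
    return redacted, findings


def scan_records(lines: list[str]) -> tuple[list[str], list[Finding]]:
    """Scan a sequence of records; returns (redacted lines, all findings)."""
    redacted_lines: list[str] = []
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        red, found = scan_record(n, line)
        redacted_lines.append(red)
        findings.extend(found)
    return redacted_lines, findings


# Constructed sample log records; 4111... and 5555... are published test card numbers.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 sale ok pan=4111 1111 1111 1111 exp=12/25 amount=19.99",
    "2024-03-01 10:15:03 debug track2=;4111111111111111=25121011234567890?",
    "2024-03-01 10:15:04 auth req cvv2=123 order=1234567890123456",
    "2024-03-01 10:15:05 refund ok pan=5555-5555-5555-4444",
]

if __name__ == "__main__":
    redacted, found = scan_records(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.masked_pan}")
    print("\n".join(redacted))
```

Running it reports one PAN on line 1, track data on line 2 (the account it exposes is shown only in masked form), a verification code on line 3 and a second PAN on line 4; the 16-digit order number on line 3 fails the Luhn check and is left alone. The same scan, pointed at a database export or a support-ticket archive, is a direct test of whether an application honours Requirements 1 and 2 in practice rather than on paper.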
26. SAQ Objectives
Self-Assessment Questionnaires
• Based on industry feedback
• Flexibility for multiple merchant types
• Providing guidance for the intent and applicability of the underlying requirements
Figure: Self-Assessment Questionnaire (SAQ) A
27. Self Assessment Questionnaires
SAQ Validation Type 1 – SAQ A (<11 Questions): Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ Validation Type 2 – SAQ B (21 Questions): Imprint-only merchants with no cardholder data storage.
SAQ Validation Type 3 – SAQ B (21 Questions): Stand-alone dial-up terminal merchants, no cardholder data storage.
SAQ Validation Type 4 – SAQ C (38 Questions): Merchants with payment application systems connected to the Internet, no cardholder data storage.
SAQ Validation Type 5 – SAQ D (Full DSS): All other merchants (not included in the descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ.
28. Reports
Regular reports are required for PCI DSS compliance.
All merchants, service providers and processors may be required to submit quarterly scan reports.
All scans must be performed by a PCI SSC-approved ASV.
Key Learning Point: Using PCI compliant equipment and software can support merchant efforts to become PCI DSS compliant, but does not make a merchant PCI DSS compliant. The PCI DSS covers all aspects of how a merchant protects cardholder data, which goes beyond using secure equipment and software.
Key Learning Point: Not all PCI DSS requirements apply to all merchants. Merchants must review each requirement to determine applicability to the merchant’s card payment acceptance systems and business processes.