The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council (PCI SSC), and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly, with a method suited to the volume of transactions:

* Self-assessment questionnaire (SAQ)
* Firm-specific Internal Security Assessor (ISA)
* External Qualified Security Assessor (QSA)


History

The major card brands had five different security programs:

* Visa's Cardholder Information Security Program
* Mastercard's Site Data Protection
* American Express's Data Security Operating Policy
* Discover's Information Security and Compliance
* JCB's Data Security Program

The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort of the principal credit-card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has since been implemented and followed worldwide. MasterCard, American Express, Visa, JCB International and Discover Financial Services then established the Payment Card Industry Security Standards Council (PCI SSC) in September 2006 as the administrative and governing entity that directs the evolution and development of the PCI DSS, and aligned their individual programs to it. Independent private organizations can participate in PCI development after they register; each participating organization joins a Special Interest Group (SIG) and contributes to the activities mandated by that group. The following versions of the PCI DSS have been made available:


Requirements

The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives:

1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access-control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Each PCI DSS version has divided these six groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is presented in three parts:

1. PCI DSS requirement: defines the control; the requirement is considered met when it is implemented as stated.
2. Testing procedures: the processes and methods the assessor carries out to confirm that the control is properly implemented.
3. Guidance: explains the purpose of the requirement and its content, to assist in implementing it correctly.

In version 4.0.1 of the PCI DSS, the twelve requirements are:

1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
12. Support information security with organizational policies and programs.
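Requirements 3 (protect stored account data) and 10 (log and monitor all access) are where scope surprises most often turn up in practice: a full primary account number (PAN) written to an application log turns that log into a store of cardholder data. The script below is an added example for this article, not code from the original page or from the PCI SSC. It scans constructed sample log lines for digit runs that pass the Luhn check and masks any PAN it finds to the first six and last four digits, the most that PCI DSS Requirement 3 allows to be displayed (v4.0 words the limit as the BIN plus the last four). The log lines, the regular expression and the 13-to-19-digit PAN length range are assumptions made for the illustration; the card numbers are the widely published Visa and Mastercard test numbers.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. The length range is an
# assumption for this example; it covers the major card brands.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check that card PANs carry."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits."""
    if len(digits) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns the redacted line and the list of masked PANs found. Digit runs
    that fail the Luhn check (order numbers, phone numbers) are left untouched.
    """
    found: List[str] = []

    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        masked = mask_pan(digits)
        found.append(masked)
        return masked

    return PAN_CANDIDATE.sub(_sub, line), found


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for each cleartext PAN in the lines."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        _, found = redact_line(line)
        hits.extend((n, pan) for pan in found)
    return hits


# Constructed sample log lines for this example; not taken from any real system.
# The card numbers are the widely published Visa and Mastercard test numbers.
LOG_LINES = [
    "2024-05-01T10:00:00Z checkout ok order=1001 pan=4111111111111111 amount=19.99",
    "2024-05-01T10:00:05Z checkout ok order=1002 token=tok_9f8e7d amount=5.00",
    "2024-05-01T10:00:09Z support note: caller id 4111 1111 1111 1112 (not a card)",
    "2024-05-01T10:00:12Z refund order=1003 pan=5555 5555 5555 4444 amount=2.50",
]

if __name__ == "__main__":
    for n, pan in scan_logs(LOG_LINES):
        print(f"line {n}: cleartext PAN in log, masked form {pan}")
    for line in LOG_LINES:
        print(redact_line(line)[0])
```

Two caveats a practitioner should keep in mind. The Luhn check cuts false positives sharply (the 16-digit caller id on the third line is skipped), but it is a detection aid, not a compliance control: finding a PAN in a log is a scoping failure to fix at the source. Masking is also only the display rule; where PAN must be stored, Requirement 3 asks that it be rendered unreadable by truncation, tokenization, one-way hashing or strong cryptography, which this script does not do.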


Updates and supplemental information

The PCI SSC has released supplemental information to clarify requirements, including:

* Information Supplement: Requirement 11.3 Penetration Testing
* Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
* Navigating the PCI DSS - Understanding the Intent of the Requirements
* PCI DSS Wireless Guidelines
* PCI DSS Applicability in an EMV Environment
* Prioritized Approach for PCI DSS
* Prioritized Approach Tool
* PCI DSS Quick Reference Guide
* PCI DSS Virtualization Guidelines
* PCI DSS Tokenization Guidelines
* PCI DSS 2.0 Risk Assessment Guidelines
* The Lifecycle for Changes to the PCI DSS and PA-DSS
* Guidance for PCI DSS Scoping and Segmentation
* PCI DSS v4.0 Resource Hub


Reporting levels

Companies subject to PCI DSS must be PCI-compliant; how they prove and report their compliance depends on their annual number of transactions and on how the transactions are processed. An acquirer or payment brand may also place an organization into a reporting level at its discretion. Visa's merchant levels are:

* Level 1 – Over six million transactions annually
* Level 2 – Between one and six million transactions annually
* Level 3 – Between 20,000 and one million e-commerce transactions annually
* Level 4 – Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to one million transactions annually

Each card brand maintains its own table of merchant compliance levels and a separate table for service providers.


Compliance validation

Compliance validation involves the evaluation and confirmation that the security controls and procedures have been implemented according to the PCI DSS. Validation occurs through an annual assessment, either by an external entity, or by self-assessment.


Report on Compliance

A Report on Compliance (ROC) is the result of an assessment conducted by a PCI Qualified Security Assessor (QSA) and is intended to provide independent validation of an entity's compliance with the PCI DSS. A completed assessment produces two documents: a ROC Reporting Template populated with a detailed account of the testing performed, and an Attestation of Compliance (AOC) documenting that a ROC has been completed and stating its overall conclusion.


Self-Assessment Questionnaire

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended for small and medium-sized merchants and service providers to assess their own PCI DSS compliance status. There are multiple types of SAQ, each of a different length depending on the entity type and the payment model used. Each SAQ question has a yes-or-no answer, and any "no" response requires the entity to state how and when it will implement the control. As with a ROC, an Attestation of Compliance (AOC) based on the SAQ is also completed.


Security Assessors

The PCI Security Standards Council maintains a program to certify companies and individuals to perform assessment activities.


Qualified Security Assessor

A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to validate another entity's PCI DSS compliance. QSAs must be employed and sponsored by a QSA Company, which must itself be certified by the PCI Security Standards Council.


Internal Security Assessor

An Internal Security Assessor (ISA) is an individual who has earned a certificate from the PCI Security Standards Council on behalf of their sponsoring organization and can conduct PCI self-assessments for that organization. The ISA program was designed to help Level 2 merchants meet Mastercard's compliance validation requirements. ISA certification qualifies an individual to assess their own organization and to propose security solutions and controls for PCI DSS compliance. ISAs also coordinate with and support QSAs during external assessments.


Compliance versus validation of compliance

Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Visa and Mastercard require merchants and service providers to be validated against the PCI DSS; Visa also offers a Technology Innovation Program (TIP), an alternative program which allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against fraud, such as the use of EMV or point-to-point encryption. Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks must comply with PCI DSS and have their compliance validated by an audit. In a security breach, any compromised entity that was not PCI DSS-compliant at the time of the breach may be subject to additional penalties (such as fines) from card brands or acquiring banks.


Legislation in the United States

Compliance with PCI DSS is not required by federal law in the United States, but the laws of some states refer to PCI DSS directly or make equivalent provisions. Legal scholars Edward Morse and Vasant Raval have said that by enshrining PCI DSS compliance in legislation, card networks reallocated the cost of fraud from card issuers to merchants. [Edward A. Morse and Vasant Raval, "Private Ordering in Light of the Law: Achieving Consumer Protection through Payment Card Security Measures", DePaul Business & Commercial Law Journal 10, no. 2 (Winter 2012): 213-266.] In 2007, Minnesota enacted a law prohibiting the retention of some types of payment-card data for more than 48 hours after authorization of a transaction. Nevada incorporated the standard into state law two years later, requiring merchants doing business in that state to comply with the current PCI DSS and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by meeting other approved security standards. In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, it does not require entities to be PCI DSS-compliant; however, compliant entities are shielded from liability in the event of a data breach.


Controversy and criticism

Visa and Mastercard impose fines for non-compliance. Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in Park City, Utah, were fined for a breach for which two forensics firms could not find evidence. Michael Jones, CIO of Michaels, testified before a U.S. Congressional subcommittee about the PCI DSS. The PCI DSS may compel businesses to pay more attention to IT security, even if minimum standards are not enough to eradicate security problems. Bruce Schneier spoke in favor of the standard. PCI Council general manager Bob Russo responded to objections raised by the National Retail Federation.

Visa chief enterprise risk officer Ellen Richey said in 2018, "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach". However, a 2008 breach of Heartland Payment Systems (validated as PCI DSS-compliant) resulted in the compromise of one hundred million card numbers. Around that time, Hannaford Brothers and TJX Companies (also validated as PCI DSS-compliant) were similarly breached as a result of the allegedly coordinated efforts of Albert Gonzalez and two unnamed Russian hackers.

Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, frequently using sampling so that compliance can be demonstrated on representative systems and processes. It is the responsibility of the merchant or service provider to achieve, demonstrate, and maintain compliance throughout the annual validation-and-assessment cycle across all systems and processes. A breakdown in merchant and service-provider compliance with the written standard may have been responsible for the breaches; Hannaford Brothers received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems.

Compliance validation is required only for Level 1 to 3 merchants and may be optional for Level 4, depending on the card brand and acquirer. According to Visa's compliance validation details for merchants, Level 4 merchant compliance-validation requirements ("Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually") are set by the acquirer. Over 80 percent of payment-card compromises between 2005 and 2007 affected Level 4 merchants, who handled 32 percent of all such transactions.


See also

* Penetration test
* Vulnerability management
* Wireless LAN
* Wireless security


External links


Official PCI Security Standards Council Site