PCI DSS

From Wikipedia, the free encyclopedia

Jump to: navigation, search

PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI security standards are technical and operational requirements that were created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. A company processing, storing, or transmitting cardholder data must be PCI DSS compliant.

The PCI SSC ("Council") is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.[1] All in-scope companies must validate their compliance annually. This validation can be conducted by Qualified Security Assessor - i.e. companies that have completed a three-step certification process[2] by the PCI SSC which recognizes them as being qualified to assess compliance to the PCI DSS standard. However, smaller companies have the option to use a Self-Assessment Questionnaire (SAQ).[3] Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant's region.

Contents

[edit] Requirements

The current version of the standard (1.2)[4] specifies 12 requirements for compliance, organized into six logically related groups, which are called "control objectives."

Control Objectives PCI DSS Requirements
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy 12. Maintain a policy that addresses information security

[edit] History

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

PCI is one of multiple data security standards that have emerged over the past decade; BS7799, ISF Standards, Basel II, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act of 2002,

Version 1.2 was released on October 1, 2008.[5] Version 1.1 will be "sunsetted" on December 31, 2008.[6] v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats.

[edit] Updates and supplemental information

The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following

  • Information Supplement: Requirement 11.3 Penetration Testing[7]
  • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified[8]
  • Navigating the PCI SSC - Understanding the Intent of the Requirements[9]

[edit] Compliance and Wireless LANs

The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats. PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless networks used in any environments containing credit card data. They are:

[edit] Controversies and criticisms

It is suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security.

"The fact is you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They're arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach." - Greg Reber[10]

Still others believe that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems.

"Regulation--SOX, HIPAA, GLB, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services." - Bruce Schneier[11]

Companies have had security breaches while being registered as PCI DSS compliant. In 2008 one of the largest payment service providers, Heartland Payment Processing Systems, suffered a data compromise which has been estimated by some as exceeding one hundred million card numbers.[12] Other notables include the Hannaford Brothers and the Okemo Mountain Resort, each of which was PCI compliant. It has been noted that this may be an indication of the limits of a snapshot certification; the evaluation cannot ensure that the target company will maintain the good practices seen in an audit.[13] This explanation does not, however seem to explain the compromise of merchants such as Hannaford Bros Co, which received its PCI DSS compliance certification one day after it had been made aware of a two-month long compromise of its internal systems.[14]

The definition of compliant has also been open to interpretation, especially regarding how temporary such a declaration might be. Declaring a company compliant appears to have some temporal persistence,[citation needed] yet the PCI Standards Council General Manager Bob Russo indicates that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs.[15]

Similar to other industries, a secure state could be more costly to some organizations than accepting and managing the risk of confidentiality breaches[citation needed]. However, many studies have shown that this cost is justifiable.[16]

[edit] Other PCI standards

The PCI Security Standards also include:

  • PIN Entry Device (PED) Security Requirements

PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Merchants should use only PIN entry devices that are tested and approved by the PCI SSC. Authorized devices are listed at: List of PCI Approved PIN Entry Devices

  • Payment Application Data Security Standard (PA-DSS)

The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants and third party agents to use payment applications that are validated independently by a PA-QSA company and accepted for listing by the PCI SSC. Validated applications are listed at: List of PA-DSS Validated Payment Applications

[edit] References

  1. ^ In Data Leaks, Culprits Often Are Mom, Pop - WSJ.com
  2. ^ Become a Qualified Security Assessor (QSA)
  3. ^ PCI SSC New Self-Assessment Questionnaire (SAQ) Summary
  4. ^ PCI DSS - PCI Security Standards Council
  5. ^ PCI SECURITY STANDARDS COUNCIL RELEASES VERSION 1.2 OF PCI DATA SECURITY STANDARD
  6. ^ Supporting Documents PCI DSS
  7. ^ Information Supplement: Requirement 11.3 Penetration Testing
  8. ^ Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
  9. ^ Navigating the PCI SSC - Understanding the Intent of the Requirements
  10. ^ "PCI compliance falls short of assuring website security". http://searchsoftwarequality.techtarget.com/news/column/0,294698,sid92_gci1335662,00.html. Retrieved on 2009-15-02. 
  11. ^ "Bruce Schneier reflects on a decade of security trends". http://searchsecurity.techtarget.com.au/contents/21998-Bruce-Schneier-reflects-on-a-decade-of-security-trends. Retrieved on 2009-15-02. 
  12. ^ "Heartland data breach sparks security concerns in payment industry". http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126608. 
  13. ^ McGlasson, Linda (2008-04-04). "Hannaford Data Breach May Be Top of Iceberg". BankInfo Security. http://www.bankinfosecurity.com/articles.php?art_id=810. Retrieved on 2009-28-01. 
  14. ^ Vijayan, Jaikumar (2009-01-04). "PCI security standard gets ripped at House hearing". Computerworld Security. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130901&intsrc=news_ts_head. Retrieved on 2009-05-04. 
  15. ^ "Q and A: Head of PCI council sees security standard as solid, despite breaches". http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Financial&articleId=9078059. Retrieved on 2009-15-02. 
  16. ^ "PCI Cost Analysis Report: A Justified Expense". Solidcore Systems. http://solidcore.com/learn/pci_report.html. 

[edit] Updates on PCI DSS v1.2

[edit] External links

Retrieved from "http://en.wikipedia.org/wiki/PCI_DSS"
Personal tools