Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that any company that processes, transmits, or stores credit card information, maintains a secure environment.
Who oversees it?
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 in order to oversee the evolution of the PCI security standards and improve account transaction security.
Who does it apply to?
Any organization regardless of size that processes, transmits, or stores credit card or debit card information. If an organization accepts a credit/debit card for payment, regardless of how the transaction is processed, the organization is required to be PCI compliant.
How does it impact IT professionals?
IT professionals may be called upon to assist their client’s organizations within securing their networks and ensure that they meet the minimum requirements for keeping cardholder data secure. In many cases, this will also include providing an intrusion detection and threat report issued by a PCI SSC Approved Scanning Vendor (ASV).
What is Cardholder Data?
Any personally identifiable information that makes it possible to link a card with a legal entity. Such information includes, but is not limited to: account numbers, expiration dates, names, birthdates, social security numbers, and addresses.
What are the PCI Compliance Levels and how are they determined?
All merchants fall into one of four merchant levels based on aggregate Visa transaction volume over -month period. In cases where a parent corporation has more than one DBA, the aggregate volume of the transactions stored, processed, or transmitted by the parent entity, must be considered.
Any merchant that has suffered a data breach that resulted in account data compromise may be escalated to a higher validation level.
What do your clients need to be PCI DSS compliant?
Establish and Maintain a Secure Network
- Install and maintain a firewall and its configuration to protect cardholder data in transit and at rest
- Ensure that systems, hardware, and software do not use default passwords or other security parameters
Protect Cardholder Data
- Protect cardholder data at rest on storage devices
- Ensure encryption of transmitted cardholder data across unsecured networks
Establish and Maintain a Vulnerability Management Policy
- Deploy and maintain approved anti-virus software
- Develop and maintain a policy for securing systems and applications
Deploy and Maintain Strong Access Controls
- Restrict data access by business need-to-know
- Ensure every user has a unique login/access ID
- Prevent unauthorized access to physical cardholder data
Establish and Maintain Monitoring and Testing Procedures
- Log and monitor all access to cardholder data and other network resources
- Perform a regular audit of security policies, systems, and processes
- Develop and maintain an Information Security Policy
PCI DSS 3.0
PCI DSS version 3.0 became effective on January 1st, 2013. The vast majority of the changes between v2.0 and v3.0 are simply clarifications of previous requirements. However, there are a number of substantive changes which are outlined here:
- Clarified what the network diagram must include and added a new requirement for a diagram that shows the flow of cardholder data.
- Added a requirement to maintain an equipment inventory for tracking configuration standards.
- Added a requirement to evaluate malware threats against devices not normally targeted by malware.
- Added a requirement to ensure that anti-virus software is active and enabled and cannot be disabled or removed by users.
- Added a requirement to alter coding practices to guard against broken authentication and session management.
- Refined password requirements to unify complexity and strength requirements.
- Added a requirement for remote service providers to use unique credentials.
- Added a requirement that ties multiple authentication factors to unique users and restricts those factors to specific users.
- Added a requirement to secure sensitive areas to onsite personnel.
- Added a requirement to protect devices that interact directly with a physical card.
- Enhanced requirements to monitor and log authentication actions, user modifications, and stopping or pausing of audit log monitoring.
- Enhanced requirement for an inventory of authorized wireless access devices and a need for regular scanning for unauthorized devices.
- Added requirements for standardized penetration testing.
- Added requirement for a process to respond to change management system alerts.
- Added a requirement to assess network annually or after significant changes.
- Added a requirement to maintain an inventory of requirements provided by a service provider versus the covered entity.
- Added a requirement for service providers to provide a written agreement/acknowledgement of their responsibilities.
What are the dangers of not being PCI compliant?
- $5,000 to $100,000 fine PER MONTH for PCI compliance violations
- Termination of credit/debit card processing relationships
- Increased transaction fees
- Increased compliance validation scrutiny
For more information about the importance of PCI compliance and the possible penalties for being non-compliant, see: https://www.pcisecuritystandards.org/security_standards/why_comply.php
Event and Audit Log Retention Requirements
In order to maintain PCI DSS compliance, event and audit logs must be retained for a period of one year.
PCI Vulnerability Scanning Requirements
- External Vulnerability Scan – public facing IP Addresses: This requires an ASV certification.
- Internal Vulnerability Scan: Educated security staff or service providers can deliver this requirement.
- Cardholder PAN Scan: Any staff or employee can deliver this discovery of payment data.
If A is needed, utilize the following link for approved vendors who can provide your clients with an ASV certification: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
PCI DSS Compliance Services at a Glance
- In order to remain in compliance with PCI DSS rules, clients must not only deploy and maintain secure networks, but must also prove that they have had their networks evaluated by an ASV every 90 days.
Failure to adhere to the PCI DSS rules can result in fines of up to $100,000 per month that the violation goes unresolved. MSPs can assist their clients by providing secure networks, properly configured firewalls, and by developing and deploying a comprehensive Information Security Policy.