PCI DSS

From Wikipedia, the free encyclopedia

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing their ability to process credit card payments and being audited and/or fined [1]. Merchants and payment card service providers must validate their compliance periodically. This validation gets conducted by auditors - i.e. persons who are the PCI DSS Qualified Security Assessors (QSAs). Although individuals receive QSA status reports on compliance can only be signed off by an individual QSA on behalf of a PCI council approved consultancy. Smaller companies, processing fewer than about 80,000 transactions a year, are allowed to perform a self-assessment questionnaire.

Contents

[edit] Requirements

The current version of the standard (1.1)[2] specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives."

The control objectives and their requirements are:

  • Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

[edit] History

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council was formed, and on the 15 December 2004, these companies aligned their individual policies and created Payment Card Industry Data Security Standard.

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

PCI is one of multiple data security standards that have emerged over the past decade; Basel II, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act of 2002, California Senate Bill 1386.

In October 2007, Visa International, announced new Payment Applications Security Mandates "that are designed to help companies comply with PCI."[3] Mandates must be implemented by 2010 calling for "new merchants that want to be authorized for payment card transactions will have to be using only PABP-validated applications."[4] These new mandates will help companies achieve Payment Application Best Practice (PABP) compliance, an implementation of PCI DSS in vendor software.

[edit] Compliance and wireless LANs

The PCI DSS recognizes wireless LANs as public networks and automatically assumes they are exposed to vulnerabilities and threats. PCI DSS also provides two specific security guidelines to prevent breaches coming in from wireless networks used in any environments containing credit card data. They are:

[edit] External links

[edit] References