PCI DSS is a Payment Card Industry Data Security Standard developed by Payment Card Industry Security Standards Council (PCI SSC) and established by international payment systems Visa, MasterCard, American Express, JCB and Discover. The standard is a set of 12 detailed requirements for ensuring the security of cardholder data that are being transmitted, stored and processed by information infrastructures. Taking appropriate measures to ensure compliance with the requirements of the standard implies an integrated approach to the information security of payment card data.
The twelve requirements for building and maintaining a secure network and systems are below:
- Installing and maintaining a firewall configuration to protect cardholder data. The purpose of a firewall is to scan all network traffic, block untrusted networks from accessing the system.
- Changing vendor-supplied defaults for system passwords and other security parameters. These passwords are easily discovered through public information and can be used by malicious individuals to gain unauthorized access to systems.
- Protecting stored cardholder data. Encryption, hashing, masking and truncation are methods used to protect cardholder data.
- Encrypting transmission of cardholder data over open, public networks. Strong encryption, including using only trusted keys and certifications reduces the risk of being targeted by malicious individuals through hacking.
- Protecting all systems against malware and performing regular updates of antivirus software. Malware can enter a network in numerous ways, including Internet use, employee email, mobile devices or storage devices. Up-to-date anti-virus software or supplemental anti-malware software will reduce the risk of exploitation via malware.
- Developing and maintaining secure systems and applications. Vulnerabilities in systems and applications allow unscrupulous individuals to gain privileged access. Security patches should be immediately installed to fix the vulnerability and prevent exploitation and compromise of cardholder data.
- Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis.
- Identifying and authenticating access to system components. Each person with access to system components should be assigned a unique identification (ID) that allows the accountability of access to critical data systems.
- Restricting physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secure to prevent unauthorized access or removal of data.
- Tracking and monitoring all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities that are critical to prevent, detect or minimize the impact of data compromises.
- Testing security systems and processes regularly. New vulnerabilities are continuously discovered. Systems, processes and software need to be tested frequently to uncover vulnerabilities that could be used by malicious individuals.
- Maintaining an information security policy for all personnel. A strong security policy includes making personnel understand the sensitivity of data and their responsibility to protect it.
Requirements apply to all companies working with international payment systems Visa and MasterCard. Every company is assigned a certain compliance level depending on the number of transactions being processed, with a corresponding set of requirements they must fulfill. Annual company audits and quarterly network scans are part of these requirements.
The standard combines a number of programs and requirements of international payment systems for the information protection:
- MasterCard – Site Data Protection (SDP)
- Visa in the USA – Cardholder Information Security (CISP)
- Visa in Europe – Account Information Security (AIS)
PCI DSS was introduced by the international payment system Visa on September 2006 on the territory of CEMEA (Central Europe, Middle East and Africa) as mandatory, and as a result and its effect extends on Russia. Therefore, service providers (processing centers, payment gateways, Internet providers) working directly with VisaNet must undergo an audit procedure for compliance with the requirements of the standard.
Different international payment systems have different requirements for the PCI DSS certification process. There are levels of certification for merchant and service enterprises.
This is a list of methods to verify compliance with the requirements of the PCI DSS standard:
- external Qualified Security Assessor (QSA) audit performed by a PCI QSA company in the organization’s facility which is being audited
- filling out a Self Assessment Questionnaire (SAQ)
- automated ASV (Approved Scanning Vendors) scanning of network perimeter vulnerabilities.
The compliance verification method or a combination of methods is chosen regarding the certification level of merchant or service enterprise.