Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created to secure cardholder data, and at the time of writing it is on version 3.2, released in April 2016. PCI DSS 3.2 comprises twelve requirements covering security management, policies and procedures, software design, network architecture and other critical protective measures. Altogether the standard has six objectives, twelve requirements and roughly 200 detailed sub-requirements. The twelve requirements are grouped under the six objectives as follows:


1. Build and maintain a secure network: Organizations must build and maintain a secure network by fulfilling two requirements:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect cardholder data: Organizations need to protect cardholder data by meeting the following two requirements:

  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

3. Maintain a vulnerability management program: This objective can be fulfilled by meeting the following two requirements:

  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

4. Implement strong access control measures: Organizations need to implement strong access control measures. There are three requirements for this objective:

  1. Restrict access to cardholder data by business need-to-know.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.

5. Regularly monitor and test networks: Organizations must regularly monitor and test networks. This objective consists of two requirements:

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

6. Maintain an information security policy: Organizations need to maintain an information security policy. There is just one requirement for this objective:

  1. Maintain a policy that addresses information security for all personnel.

Who needs to be PCI Compliant?

Any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data needs to be PCI compliant. This includes financial institutions, merchants and service providers in all payment channels.

Financial institutions include banks, insurance companies, lending agencies and brokerages. Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order and e-commerce), transportation operators and virtually any point of sale that processes payment cards, across all industries. Service providers include transaction processors, payment gateways, customer service entities (call centers), managed service providers, web hosting providers, data centers and independent sales organizations.

What are the PCI compliance 'levels'?

All merchants are categorized into one of the four merchant levels based on Visa transaction volume over a year time-frame. Merchant levels as defined by Visa are as follows:

  1. Level 1: any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year.
  2. Level 2: any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
  3. Level 3: any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  4. Level 4: any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Compliance Validation Tools And Requirements

An organization must meet the PCI DSS requirements with standards and best practices in place. PCI SSC provides a number of tools to help validate compliance. Following are some of these tools and the PCI DSS requirements they address:

Approved Scanning Vendor (ASV) network vulnerability scans

This tool has been specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2):

“Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).”

An ASV's scan solution is tested and certified by PCI SSC before the vendor is added to PCI SSC's List of Approved Scanning Vendors. The scope of the external vulnerability scan must include all externally accessible system components that are part of the cardholder data environment (CDE). The scan customer defines the scope of the external scan, and if an account data compromise occurs through an externally facing system component that was excluded from the scan, the scan customer bears the responsibility.

ASVs confirm with the customer any additional IP addresses discovered during the scan, to determine whether they should be included in the scope of the assessment. ASV scan reports consist of three parts:

  1. An Attestation of Scan Compliance: a declaration of the overall compliance status of the scan
  2. An executive summary: compliance status per scanned component
  3. Vulnerability details: each finding per component, with its severity and CVSS score

An organization obtains a passing result on a network vulnerability scan when the report contains no high- or medium-severity vulnerabilities (CVSS base score of 4.0 or higher) and no automatic failures (as defined by PCI SSC). Four consecutive passing quarterly ASV scans within a year are required to be considered compliant.
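To make the pass criteria above concrete, the following is an added example (not Nemasis code and not real ASV output): it reconciles the hosts a scanner discovered against the scope the customer declared, applies the CVSS 4.0 / automatic-failure rule per component, and checks the four-consecutive-passing-scans-in-a-year cadence over a constructed scan history. The field names, the 90-day staleness check on the most recent scan, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# ASV pass rule: any vulnerability scored CVSS 4.0 or higher (medium/high
# severity) fails the component; some conditions fail automatically
# regardless of score.
CVSS_FAIL_THRESHOLD = 4.0
QUARTER_DAYS = 90          # assumed "quarterly" cadence for the staleness check
ROLLING_WINDOW_DAYS = 365  # the year in which four passing scans must fall


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    automatic_failure: bool = False  # e.g. database port open to the Internet


@dataclass
class ScanResult:
    scan_date: date
    declared_scope: list[str]    # CIDRs the scan customer declared as the external CDE
    discovered_hosts: list[str]  # every address the scanner actually reached
    findings: list[Finding]


def unconfirmed_hosts(result: ScanResult) -> list[str]:
    """Hosts seen during the scan that the customer did not declare in scope.
    The ASV must confirm with the customer whether these belong in the CDE
    before the scan can be treated as complete."""
    nets = [ip_network(c) for c in result.declared_scope]
    return sorted(h for h in result.discovered_hosts
                  if not any(ip_address(h) in n for n in nets))


def component_status(result: ScanResult) -> dict[str, str]:
    """Per-host pass/fail: one disqualifying finding fails the whole host."""
    status = {h: "pass" for h in result.discovered_hosts}
    for f in result.findings:
        status.setdefault(f.host, "pass")
        if f.automatic_failure or f.cvss >= CVSS_FAIL_THRESHOLD:
            status[f.host] = "fail"
    return status


def scan_status(result: ScanResult) -> str:
    """Overall result: 'incomplete' until scope is confirmed; otherwise the
    scan passes only when every in-scope component passes."""
    if unconfirmed_hosts(result):
        return "incomplete"
    return "fail" if "fail" in component_status(result).values() else "pass"


def quarterly_compliant(history: list[ScanResult], as_of: date) -> bool:
    """Four consecutive passing scans inside the rolling year, and the most
    recent one no older than a quarter (otherwise the evidence is stale)."""
    window = sorted((r for r in history
                     if as_of - timedelta(days=ROLLING_WINDOW_DAYS) <= r.scan_date <= as_of),
                    key=lambda r: r.scan_date)
    if len(window) < 4:
        return False
    if as_of - window[-1].scan_date > timedelta(days=QUARTER_DAYS):
        return False
    return all(scan_status(r) == "pass" for r in window[-4:])


# --- constructed sample data (documentation address ranges from RFC 5737) ---
SCOPE = ["203.0.113.0/28"]

FAILING_SCAN = ScanResult(
    scan_date=date(2022, 12, 2),
    declared_scope=SCOPE,
    discovered_hosts=["203.0.113.5", "203.0.113.6"],
    findings=[
        Finding("203.0.113.5", "TLS 1.0 enabled on HTTPS service", cvss=4.3),
        Finding("203.0.113.5", "MySQL port reachable from the Internet",
                cvss=3.5, automatic_failure=True),
        Finding("203.0.113.6", "Web server version disclosed in banner", cvss=2.6),
    ],
)

# A host outside the declared scope showed up: the ASV must confirm it first.
INCOMPLETE_SCAN = ScanResult(
    scan_date=date(2023, 1, 15),
    declared_scope=SCOPE,
    discovered_hosts=["203.0.113.5", "203.0.113.6", "198.51.100.9"],
    findings=[Finding("203.0.113.6", "Web server version disclosed in banner", cvss=2.6)],
)

# Four quarterly scans with only low-severity findings.
PASSING_HISTORY = [
    ScanResult(d, SCOPE, ["203.0.113.5", "203.0.113.6"],
               [Finding("203.0.113.6", "Web server version disclosed in banner", cvss=2.6)])
    for d in (date(2023, 1, 15), date(2023, 4, 12), date(2023, 7, 10), date(2023, 10, 8))
]

if __name__ == "__main__":
    print("failing scan:", scan_status(FAILING_SCAN), component_status(FAILING_SCAN))
    print("needs confirmation:", unconfirmed_hosts(INCOMPLETE_SCAN))
    print("compliant on 2023-12-20:", quarterly_compliant(PASSING_HISTORY, date(2023, 12, 20)))
    print("compliant on 2024-06-01:", quarterly_compliant(PASSING_HISTORY, date(2024, 6, 1)))
```

Note that the automatic-failure finding fails its host even though its CVSS score is below 4.0, and that a low-severity finding on another host does not affect that host's pass status; the last call returns False because by June 2024 only two scans remain inside the rolling year, so the quarterly evidence has lapsed.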

Self-assessment questionnaire (SAQ)

The SAQ lets organizations assess their own compliance with PCI DSS. It is a useful tool to determine, document and adjust alignment with the standard. Several SAQ versions exist, selected by how the merchant handles cardholder data; under v3.2 the SAQ types include A, A-EP, B, B-IP, C-VT, C, P2PE and D. Each SAQ covers only the PCI DSS sections and requirements relevant to that merchant type.
Each SAQ version has two parts:

  1. Questions correlating to the PCI DSS requirements
  2. Attestation of Compliance (AOC) or self-certification that a company is eligible to complete that specific SAQ

How Nemasis helps to achieve PCI DSS?

Nemasis helps you achieve PCI DSS compliance by performing independent quarterly vulnerability scans and producing scan reports you can keep on file as audit evidence, supporting a Report on Compliance (ROC) and the PCI DSS scanning requirements.

Nemasis-VA is a vulnerability assessment solution that scans for vulnerabilities and builds a picture of your network's security posture. It helps organizations identify and fix vulnerabilities, misconfigurations and exposures from the endpoint to the cloud.

With regards to PCI DSS version 3.2, Nemasis helps covered entities to:

  1. Perform quarterly internal and external vulnerability scans of their environment.
  2. Implement secure configuration policies based on industry benchmarks such as CIS.
  3. Identify and prioritize vulnerabilities based on threat exposure and asset criticality.
  4. Audit system access, authentication and other security controls to identify policy violations.
  5. Automatically discover and scan new devices as they join the network.
  6. Create, assign, track and verify remediation tasks.
  7. Demonstrate compliance and report progress with reports, analytics and live dashboards.

Copyright 2024 MicroWorld Technologies Inc. - Nemasis VMS