The Payment Card Industry Data Security Standard (PCI DSS) was made to secure credit cardholder information, and it is presently on version 3.2, released in April 2016. The PCI DSS version 3.2 comprises twelve specifications for security management, procedures, policies, software design, network framework, and other decisive securing measures. Altogether, the PCI DSS has six objective, twelve prerequisites, and 200 detailed sub-requirements. The PCI DSS requirements are grouped into 6 major objectives and 12 requirements, which are as follows:
1. Build and maintain a secure network: Organizations must build and maintain a secure network by fulfilling two requirements:
Any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data needs to be PCI compliant. This includes the financial institution, merchants, and service providers in all payment channels.
Financial institutions include banks, insurance companies, lending agencies, and brokerages. While merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point-of-sale that processes credit cards across all industries. And examples of service providers include transaction processors, payment gateways, customer service entities (call centers), managed service providers, web hosting providers, data centers, and other independent sales organizations.
All merchants are categorized into one of the four merchant levels based on Visa transaction volume over a year time-frame. Merchant levels as defined by Visa are as follows:
The organization should adhere to the PCI compliance requirements with standard and best practices in place. PCI has a number of available tools to help validate compliance. Following is some compliance tools and the PCI requirements fulfilled by them:
This tool has been specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2):
“Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).”
The scanning vendor’s ASV scan solution is proven and certified by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors. The scope of the external vulnerability scan must comprise all externally accessible system components that are part of the cardholder data environment (CDE). The scan customer is capable of characterizing the scope of the external vulnerability scan. In the event that an account data compromise occurs through an externally facing system component excluded in the scan, the scan customer is responsible.
ASVs approve any IP addresses found during the scan with the customer to determine if they ought to should be included within the scope of the assessment. ASV scan reports consist of three parts:
The SAQ permits organizations to assess their compliance with PCI DSS. This is a useful tool to determine, document, and modify alignment with the standard. There are many SAQ versions depending on the merchant types. There are five kinds of merchant types for PCI: A, B, C-VT, C, and D. Each SAQ covers only the PCI sections and requirements appropriate to the specific merchant type.
Each SAQ version has two parts:
Nemasis helps you to achieve PCI Data Security Standard (DSS) compliance by performing an independent, quarterly vulnerability scan and produce report on compliance (ROC) audit document for your records to fulfill all the PCI DSS Requirements.
Nemasis-VA an assessment solution used for scanning vulnerabilities, assessments, and helps to create security posture of your network. It helps organizations to identify and fix vulnerabilities, misconfigurations, and disclosure from the endpoint to the cloud.
With regards to PCI DSS version 3.2, Nemasis helps covered entities to: