PCI DSS

How to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created to secure credit cardholder information. It is currently at version 3.2, released in April 2016. PCI DSS version 3.2 comprises twelve requirements covering security management, procedures, policies, software design, network architecture, and other critical protective measures. Altogether, the PCI DSS has six objectives, twelve requirements, and 200 detailed sub-requirements. The six major objectives and the twelve requirements grouped under them are as follows:
1. Build and maintain a secure network: Organizations must build and maintain a secure network by fulfilling two requirements:
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data: Organizations need to protect cardholder data by meeting the following two requirements:
  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program: This objective is fulfilled by meeting the following two requirements:
  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.
4. Implement strong access control measures: Organizations need to implement strong access control measures. There are three requirements for this objective:
  1. Restrict access to cardholder data by business need-to-know.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.
5. Regularly monitor and test networks: Organizations must regularly monitor and test networks. This objective consists of two requirements:
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.
6. Maintain an information security policy: Organizations need to maintain an information security policy. There is just one requirement for this objective:
  1. Maintain a policy that addresses information security for all personnel.

Who needs to be PCI Compliant?

Any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data needs to be PCI compliant. This includes financial institutions, merchants, and service providers in all payment channels.

Financial institutions include banks, insurance companies, lending agencies, and brokerages. Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point of sale that processes credit cards, across all industries. Examples of service providers include transaction processors, payment gateways, customer service entities (call centers), managed service providers, web hosting providers, data centers, and other independent sales organizations.


What are the PCI compliance ‘levels’?

All merchants are categorized into one of four merchant levels based on their Visa transaction volume over a twelve-month period. Merchant levels as defined by Visa include:

  Level 3: any merchant processing 20,000 to 1M Visa e-commerce transactions per year.


COMPLIANCE VALIDATION TOOLS AND REQUIREMENTS

Organizations should meet the PCI compliance requirements with standards and best practices in place. The PCI SSC makes a number of tools available to help validate compliance. The following are some of these compliance tools and the PCI requirements they fulfil:


Approved Scanning Vendor (ASV) network vulnerability scans

This tool is specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2):

“Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).”

A scanning vendor’s ASV scan solution is tested and certified by the PCI SSC before the vendor is added to the PCI SSC’s List of Approved Scanning Vendors. The scope of the external vulnerability scan must include all externally accessible system components that are part of the cardholder data environment (CDE). The scan customer is responsible for defining the scope of the external vulnerability scan: if an account data compromise occurs through an externally facing system component that was excluded from the scan, the scan customer bears the responsibility.

ASVs confirm with the customer any IP addresses discovered during the scan to determine whether they should be included in the scope of the assessment. ASV scan reports consist of three parts:

  1. An attestation of scan compliance—a declaration of overall compliance
  2. An executive summary—provides compliance summary information for each component
  3. Vulnerability details—the findings for each scanned component

Organizations obtain a passing result on their network vulnerability scan when the scan report contains no high- or medium-severity vulnerabilities and no automatic failures (as defined by the PCICo). An organization must obtain four consecutive passing ASV scans within a year to be considered compliant.



Self-assessment questionnaire (SAQ)

The SAQ permits organizations to assess their own compliance with PCI DSS. It is a useful tool for determining, documenting and adjusting alignment with the standard. There are several SAQ versions, depending on the merchant type. There are five merchant types for PCI: A, B, C-VT, C, and D. Each SAQ covers only the PCI sections and requirements appropriate to the specific merchant type.
Each SAQ version has two parts:


How Nemasis helps achieve PCI DSS compliance

Nemasis helps you achieve PCI Data Security Standard (DSS) compliance by performing independent quarterly vulnerability scans and producing a Report on Compliance (ROC) audit document for your records, to fulfil all the PCI DSS requirements.

Nemasis-VA is a vulnerability assessment solution that scans for vulnerabilities, performs assessments, and helps build a picture of your network’s security posture. It helps organizations identify and fix vulnerabilities, misconfigurations, and information disclosure, from the endpoint to the cloud.

With regard to PCI DSS version 3.2, Nemasis helps covered entities to:

