PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually, by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Requirements

The current version of the standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 must be adopted by all organisations with payment card data by 1 January 2011, and from 1 January 2012 all assessments must be against version 2.0 of the standard. PCI DSS version 2.0 has two new or evolving requirements out of 132 changes. The remaining changes and enhancements fall under the categories of clarification or additional guidelines. The table below summarizes the differing points from version 1.2 of 1 October 2008 and specifies the 12 requirements for compliance, organized into six logically-related groups, which are called “control objectives”.
Control objectives and their PCI DSS requirements:
  • Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

History

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

Version 1.2 was released on October 1, 2008. Version 1.1 "sunsetted" on December 31, 2008. v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.

Updates and supplemental information

The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following:
  • Information Supplement: Requirement 11.3 Penetration Testing
  • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
  • Navigating the PCI DSS - Understanding the Intent of the Requirements
  • Information Supplement: PCI DSS Wireless Guidelines

Compliance versus validation of compliance

Although PCI DSS requirements must be implemented by all entities that process, store or transmit account data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and Mastercard require Merchants and Service Providers to be validated according to the PCI DSS. Issuing and acquiring banks are not required to go through PCI DSS validation.
In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of the breach will be subject to additional card scheme penalties, such as fines.

Compliance and wireless LANs

In July 2009, the Payment Card Industry Security Standards Council published wireless guidelines for PCI DSS recommending the use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organisations. The wireless guidelines define how wireless security applies to PCI DSS 1.2 compliance.

These guidelines apply to the deployment of wireless LANs (WLANs) in cardholder data environments, also known as CDEs. A CDE is defined as a network environment that possesses or transmits credit card data.

Wireless LAN and CDE classification

PCI DSS wireless guidelines classify CDEs into three scenarios depending on how wireless LANs are deployed.
  • No known WLAN AP inside or outside the CDE: The organisation has not deployed any WLAN AP. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
  • Known WLAN AP outside the CDE: The organisation has deployed WLAN APs outside the CDE. These WLAN APs are segmented from the CDE by a firewall. There are no known WLAN APs inside the CDE. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
  • Known WLAN AP inside the CDE: The organisation has deployed WLAN APs inside the CDE. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9), as well as the six secure deployment requirements (Sections 2.1.1, 4.1.1, 9.1.3, 10.5.4, 10.6 and 12.3) of the PCI DSS, apply.

Key sections of PCI DSS 1.2 that are relevant for wireless security are classified and defined below.

Secure deployment requirements for wireless LANs

These secure deployment requirements apply to only those organisations that have a known WLAN AP inside the CDE. The purpose of these requirements is to deploy WLAN APs with proper safeguards.
  • Section 2.1.1 Change Defaults: Change default passwords and SSIDs on wireless devices. Enable WPA or WPA2 security.
  • Section 4.1.1 802.11i Security: Set up APs in WPA or WPA2 mode with 802.1X authentication and AES encryption. Use of WEP in the CDE is not allowed after June 30, 2010.
  • Section 9.1.3 Physical Security: Restrict physical access to known wireless devices.
  • Section 10.5.4 Wireless Logs: Archive wireless access logs centrally using a WIPS for 1 year.
  • Section 10.6 Log Review: Review wireless access logs daily.
  • Section 12.3 Usage Policies: Develop usage policies that list all wireless devices regularly and govern the use of wireless devices.

Minimum scanning requirements for wireless LANs

These minimum scanning requirements apply to all organisations regardless of the type of wireless LAN deployment in the CDE. The purpose of these requirements is to eliminate any rogue or unauthorized WLAN activity inside the CDE.
  • Section 11.1 Quarterly Wireless Scan: Scan all sites with CDEs whether or not they have known WLAN APs in the CDE. Sampling of sites is not allowed. A WIPS is recommended for large organisations since it is not possible to manually scan or conduct a walk-around wireless security audit of all sites on a quarterly basis.
  • Section 11.4 Monitor Alerts: Enable automatic WIPS alerts to instantly notify personnel of rogue devices and unauthorized wireless connections into the CDE.
  • Section 12.9 Eliminate Threats: Prepare an incident response plan to monitor and respond to alerts from the WIPS. Enable automatic containment mechanism on WIPS to block rogues and unauthorized wireless connections.
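
The secure deployment requirements (Sections 2.1.1 and 4.1.1) and the minimum scanning requirements (Sections 11.1 and 11.4) listed above are the parts of the wireless guidelines that can be checked mechanically. The following Python is an added example, not code from this article, from the PCI SSC or from any WIPS vendor: it compares one site's scan results against a constructed inventory of known access points to flag rogue candidates, and checks each known AP inside the CDE for changed defaults, WPA/WPA2 mode, 802.1X authentication and AES encryption. The inventory fields, the scan tuple format and the list of vendor-default SSIDs are assumptions made for the example.

```python
# Added example: a site-level wireless compliance check built from the
# PCI DSS wireless guideline sections named in this article. The data
# structures, field names and default-SSID list are constructed for the
# example and are not any WIPS product's format.

# Constructed inventory of the APs the organisation knows it deployed, keyed
# by BSSID. "in_cde" marks APs inside the cardholder data environment.
KNOWN_APS = {
    "00:11:22:33:44:01": {"ssid": "corp-pos", "security": "WPA2", "auth": "802.1X",
                          "cipher": "AES", "in_cde": True, "default_creds": False},
    "00:11:22:33:44:02": {"ssid": "linksys", "security": "WEP", "auth": "PSK",
                          "cipher": "WEP", "in_cde": True, "default_creds": True},
    "00:11:22:33:44:03": {"ssid": "guest-wifi", "security": "WPA2", "auth": "PSK",
                          "cipher": "TKIP", "in_cde": False, "default_creds": False},
}

# Constructed result of one quarterly scan at a site: (bssid, ssid) pairs.
SCAN_RESULT = [
    ("00:11:22:33:44:01", "corp-pos"),
    ("00:11:22:33:44:02", "linksys"),
    ("de:ad:be:ef:00:01", "corp-pos"),   # unknown radio advertising a known SSID
    ("de:ad:be:ef:00:02", "Free WiFi"),  # unknown radio, unknown SSID
]

# Illustrative vendor-default SSIDs (assumption; extend with your vendors' defaults).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def find_rogues(scan, known):
    """Sections 11.1 / 11.4: an observed BSSID missing from the inventory is a
    rogue candidate, even when it advertises an SSID the organisation uses."""
    return [(bssid, ssid) for bssid, ssid in scan if bssid not in known]


def check_deployment(ap):
    """Sections 2.1.1 and 4.1.1 for one known AP. APs outside the CDE are out
    of scope for the secure deployment requirements and return no findings."""
    findings = []
    if not ap["in_cde"]:
        return findings
    if ap["default_creds"]:
        findings.append("2.1.1: vendor default credentials still in use")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("2.1.1: default SSID still in use")
    if ap["security"] == "WEP" or ap["cipher"] == "WEP":
        findings.append("4.1.1: WEP is not permitted in the CDE")
    elif ap["security"] not in ("WPA", "WPA2"):
        findings.append("4.1.1: AP is not in WPA/WPA2 mode")
    else:
        if ap["auth"] != "802.1X":
            findings.append("4.1.1: 802.1X authentication not enabled")
        if ap["cipher"] != "AES":
            findings.append("4.1.1: AES encryption not in use")
    return findings


def site_report(scan, known):
    """Combine both checks into the record an assessor or a WIPS alert would want."""
    findings = {bssid: check_deployment(ap) for bssid, ap in known.items()}
    return {
        "rogues": find_rogues(scan, known),
        "findings": {b: f for b, f in findings.items() if f},
    }


if __name__ == "__main__":
    report = site_report(SCAN_RESULT, KNOWN_APS)
    for bssid, ssid in report["rogues"]:
        print(f"ROGUE CANDIDATE {bssid} ssid={ssid!r}")
    for bssid, items in report["findings"].items():
        print(bssid, "; ".join(items))
```

The rogue check is keyed on BSSID rather than SSID on purpose: a radio that copies a legitimate SSID is exactly the case an SSID-only comparison misses. Feeding the scan from a WIPS rather than a walk-around is what makes the Section 11.1 "all sites, no sampling" rule practical at scale.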

Wireless Intrusion Prevention System (WIPS) implementations

Wireless Intrusion Prevention Systems are a possible option for compliance with some PCI DSS requirements, and can be implemented in either an internally hosted or an externally hosted Software as a Service (SaaS) model.

The hosted implementation is offered in an on-demand, subscription-based SaaS model. Hosted implementations are said to be particularly cost-effective for organisations looking to fulfill only the minimum scanning requirements for PCI DSS compliance.

The network implementation is an on-site deployment of WIPS within a private network. Such a deployment is viable, but its significant costs are thought to lead some companies to avoid WIPS deployments.

PCI Compliance in Call Centers

While the PCI DSS standards are very explicit about the requirements for the back-end storage and access of PII (personally identifiable information), the Payment Card Industry Security Standards Council has said very little about the collection of that information on the front end, whether through websites, Interactive Voice Response (IVR) systems or call center agents. This is surprising, given the high potential for credit card fraud and data compromise that call centers pose.

In a call center, customers read their credit card information, CVV codes, and expiration dates to call center agents. There are few controls which prevent the agent from skimming this information with a recording device, a computer or a physical note pad. Moreover, almost all call centers deploy some kind of call recording software, which captures and stores all of this sensitive consumer data. These recordings are accessible by a host of call center personnel, are often unencrypted, and generally do not fall under the PCI DSS standards outlined here. Home-based telephone agents pose an additional level of challenge, requiring the company to secure the channel from the home-based agent through the call center hub to the retailer applications.

To address some of these concerns, on January 22, 2010 the Payment Card Industry Security Standards Council issued a revised FAQ about call center recordings. The bottom line is that companies can no longer store digital recordings that include CVV information if those recordings can be queried.

Though the council has not yet issued any requirements, technology solutions can completely prevent skimming by agents. At the point in the transaction where the agent needs to collect the credit card information, the call can be transferred to an IVR system. This protects the sensitive information, but can create an awkward customer interaction. Solutions such as agent-assisted automation allow the agent to "collect" the credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the Customer Relationship Management (CRM) software using their phones. The DTMF tones are converted to monotones so the agent cannot recognize them and so that they cannot be recorded. The benefits of increasing the security around the collection of personally identifiable information go beyond credit card fraud to include helping merchants win chargebacks due to friendly fraud.
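
The FAQ rule above (no stored recordings or records from which the CVV can be retrieved) and Requirement 3 (protect stored cardholder data) are both enforced most cheaply at the point where a call record or CRM note is written. The following Python is an added example, not code from this article, from the PCI SSC or from any call-centre product: it drops sensitive authentication fields before a payment record is persisted, truncates the PAN to its first six and last four digits (a common display-masking convention, assumed here as the storage form), and scrubs Luhn-valid card-number runs and labelled CVV values out of free-text notes. The field names, the sample record and the sample note are constructed; the card number is a well-known test PAN, not a real account.

```python
# Added example: scrubbing cardholder data before it is stored. Field names,
# the sample record and the sample note are constructed for the example; the
# PAN is the standard Visa test number, not a real account.
import re

SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/14",
    "cvv": "123",
    "cardholder": "J. Doe",
    "amount": "42.00",
}
SAMPLE_NOTE = "Customer read card 4111 1111 1111 1111 exp 12/14, CVV 123, ref 20100122."

# Sensitive authentication data: never written to storage after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cav2", "cid", "pin", "track"}

# Candidate PAN: 13 to 19 digits with an optional single space/hyphen between digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A CVV/CVC value written next to its label in free text.
_LABELLED_CVV = re.compile(r"(?i)\b(cv[vc]2?|cid)\s*[:=]?\s*\d{3,4}\b")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers; filters out ordinary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits (assumed storage form); star the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record):
    """Return the storable copy: sensitive authentication data gone, PAN masked."""
    stored = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue
        stored[key] = mask_pan(value) if key.lower() == "pan" else value
    return stored


def redact_text(text):
    """Scrub free text (notes, transcripts): mask Luhn-valid PANs, drop labelled CVVs."""
    def mask_match(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    text = _PAN_CANDIDATE.sub(mask_match, text)
    return _LABELLED_CVV.sub(r"\1 [removed]", text)


if __name__ == "__main__":
    print(sanitize_record(SAMPLE_RECORD))
    print(redact_text(SAMPLE_NOTE))
```

The Luhn check is what keeps the free-text scrubber from mangling order or reference numbers of similar length; a labelled CVV is removed outright rather than masked because, unlike the PAN, no part of it is ever needed after authorization.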

Controversies and criticisms

It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security.

"The fact is you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They're arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach." - Greg Reber

Additionally, Michael Jones, CIO of Michaels' Stores, testifying before a U.S. Congress subcommittee regarding the PCI DSS, says "(...the PCI DSS requirements...) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve “Requirements” for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation."

In contrast, others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems.

"Regulation--SOX, HIPAA, GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services." - Bruce Schneier
Further, per PCI Council General Manager Bob Russo's response to the NRF: PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."

Compliance and compromises

Per Visa Chief Enterprise Risk Officer Ellen Richey, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach." However, it has nevertheless become a common misconception that companies have had security breaches while also being PCI DSS compliant. Much of this confusion is a result of the 2008 Heartland Payment Processing Systems breach, wherein more than one hundred million card numbers were compromised. Around this same time Hannaford Brothers and TJX Companies were similarly breached, allegedly by the very same source: the coordinated efforts of Albert "Segvec" Gonzalez and two unnamed Russian hackers.

Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time and frequently utilize a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times, both throughout the annual validation/assessment cycle and across all systems and processes in their entirety. Therefore these frequently cited breaches, when used as a tool for criticism (even to the point of noting that Hannaford Brothers had, in fact, received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems), misassign blame: they fault the standard itself as flawed, whereas the more accurate account is a breakdown in merchant and service provider compliance with the written standard, albeit one that in this case was not identified by the assessor.

Other, more substantial, criticism lies in that compliance validation is required only for Level 1-3 merchants and may be optional for Level 4 depending on the card brand and acquirer. Visa's compliance validation details for merchants state that level 4 merchants' compliance validation requirements are set by the acquirer; Visa level 4 merchants are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time, 80% of payment card compromises since 2005 affected Level 4 merchants.

Compliance as a snapshot

The state of being PCI DSS compliant might appear to have some temporal persistence, at least from a merchant point of view. In contrast, the PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organisation at the point in time when an actual breach occurs.

Costs

Similar to other industries, a secure state could be more costly to some organisations than accepting and managing the risk of confidentiality breaches. However, many studies have shown that this cost is justifiable.

See also

  • Penetration test
  • Vulnerability management
  • Wireless Intrusion Prevention System
  • Wireless LAN
  • Wireless security

Books on PCI DSS

  • "PCI DSS Handbook" (ISBN 9780470260463)
  • "PCI DSS: A Practical Guide to Implementation" (ISBN 9781849280235)
  • "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance" (ISBN 9781597494991)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.