Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard that describes how to protect credit card information. If you accept Visa, MasterCard, or American Express, you are required to follow PCI DSS. These card companies formed the Payment Card Industry Security Standards Council (PCI SSC) to create the standard. The Payment Card Industry (PCI) Data Security Standard (DSS) was released in 2006. The standard applies to everyone who stores, processes, or exchanges cardholder information.

The standard requires an organization to have specific PCI DSS security policies and controls in place. The organization must also have these controls validated. If you are a small merchant, you can perform a self-assessment questionnaire. Large-volume merchants must obtain their validation through a Qualified Security Assessor (QSA). Failing to validate, or failing the validation, can result in fines from the credit card companies. In extreme cases of noncompliance, you may be prevented from handling credit cards. Taking credit cards away could put you out of business.

The PCI DSS is an information security framework, so it has many technical requirements. Two, in particular, have been a challenge for organizations to implement: network segmentation and encryption. PCI strongly encourages isolating credit card systems at the network layer. For many open network designs and shared systems, this is a challenge. Without network segmentation, the standard requires that every system on the shared segment be brought up to PCI DSS standards, which can also be expensive. The second major challenge is encrypting data at rest. As discussed in previous chapters, encrypting data in transit is common over the Internet and public networks. Encrypting data at rest, however, can be technically challenging and at times not feasible.

There are six control objectives within the PCI DSS standard. To be compliant, you need to include these control objectives in your security policies and controls:

  • Build and maintain a secure network—Refers to having specific firewall, system password, and other network-layer security controls.

  • Protect cardholder data—Specifies how cardholder data are stored and protected. Also sets rules on the encryption of the data.

  • Maintain a vulnerability management program—Specifies how to maintain secure systems and applications, including the required use of antivirus software.

  • Implement strong access control measures—Refers to restricting access to cardholder data on a need-to-know basis. It requires that physical controls be in place and that individuals have unique IDs when accessing cardholder data.

  • Regularly monitor and test networks—Requires that access to cardholder data be monitored. Also requires periodic penetration testing of the network.

  • Maintain an information security policy—Requires that security policies reflect the PCI DSS requirements. Requires that these policies be kept current and that an awareness program be implemented.

PCI DSS is unlike most regulatory laws in one way. It is very specific with regard to requirements and expectations. The requirements generally follow security best practices and use the 12 high-level requirements, aligned across six goals, as shown in Table 2-5. Each requirement listed in the table consists of various subrequirements. Also included are procedures for testing. These must be documented as either being in place or not in place.

TABLE 2-5 Goals and high-level requirements for PCI DSS.

GOALS                                   HIGH-LEVEL REQUIREMENTS
Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
Implement strong access control measures.
  7. Restrict access to cardholder data on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an information security policy.
  12. Maintain a policy that addresses information security for employees and contractors.

Consider requirement 8, for example. It requires a unique ID to be assigned to each person with computer access. Within the security standard, this requirement consists of 21 subrequirements. Many of them are very specific:

  • Incorporate two-factor authentication for remote access.

  • Set first-time passwords to a unique value and change immediately after first use.

  • Remove or disable inactive accounts at least every 90 days.

  • Require a minimum password length of at least seven characters.
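To show how specific subrequirements like these translate into something an assessor or administrator can check, here is an added example (not from the book or the PCI SSC) that audits a constructed list of user accounts against the four items above plus the unique-ID rule. The Account fields, the sample accounts, and the audit date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the requirement 8 subrequirements quoted above.
INACTIVE_DAYS = 90
MIN_PASSWORD_LENGTH = 7


@dataclass
class Account:
    user_id: str
    last_activity: date               # last login, or creation date if never used
    password_min_length: int          # length policy actually enforced for this account
    first_time_password_changed: bool # initial password replaced after first use?
    remote_access: bool               # account may log in from outside the network
    two_factor_enrolled: bool
    shared: bool                      # True when more than one person uses this ID


def audit_accounts(accounts, today):
    """Return (user_id, finding) pairs for every requirement 8 control that fails."""
    findings = []
    for a in accounts:
        if a.shared:
            findings.append((a.user_id, "ID is not unique to one person"))
        if a.remote_access and not a.two_factor_enrolled:
            findings.append((a.user_id, "remote access without two-factor authentication"))
        if not a.first_time_password_changed:
            findings.append((a.user_id, "first-time password never changed"))
        if (today - a.last_activity).days > INACTIVE_DAYS:
            findings.append((a.user_id, "inactive over 90 days; remove or disable"))
        if a.password_min_length < MIN_PASSWORD_LENGTH:
            findings.append((a.user_id, "minimum password length below seven characters"))
    return findings


# Constructed sample data: one clean account, one shared POS login,
# and one stale vendor account that fails several controls at once.
AUDIT_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("jsmith", date(2024, 6, 28), 8, True, True, True, False),
    Account("posterminal", date(2024, 6, 29), 8, True, False, True, True),
    Account("vendor_tmp", date(2024, 1, 15), 6, False, True, False, False),
]


def run_sample():
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Each finding maps back to one subrequirement, which is the form an assessor expects when a control is documented as "not in place".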

Since PCI DSS was introduced, the Security Council has periodically released supplemental documents. These documents can be found on the Security Council website at https://www.pcisecuritystandards.org/minisite/en/pci-dss-v3-0.php.
