
PCI DSS in a Nutshell

20th February 2018 by Rumen Chikov

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

The following sections present, in a nutshell, the document “Requirements and Security Assessment Procedures” v3.2 (April 2016), which combines the 12 PCI DSS requirements and the corresponding testing procedures into a security assessment tool.

Account data

The PCI DSS defines Account data, which has two classes of elements:

  • Cardholder data elements (storage is permitted for these elements):
    • Primary Account Number (PAN) – must be rendered unreadable
    • Cardholder Name
    • Expiration Date
    • Service Code
  • Sensitive Authentication Data elements (storage is not permitted):
    • Full track data (magnetic-stripe data or the equivalent on a chip)
    • CAV2/CVC2/CVV2/CID
    • PINs/PIN blocks
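As an added example (not code from the original post), the account-data rules above expressed as a storage filter in Python: sensitive authentication elements are dropped before anything is persisted, and the PAN is rendered unreadable by truncation (keeping at most the first six and last four digits), one of the methods PCI DSS Requirement 3.4 permits. The field names, the Luhn sanity check and the sample record are constructed for this example.

```python
# Constructed field names for the two account-data classes listed above.
CARDHOLDER_DATA = {"pan", "cardholder_name", "expiration_date", "service_code"}
SENSITIVE_AUTH_DATA = {"full_track_data", "cvv2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; only a sanity check to reject malformed PANs early."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep first six and last four."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return only the elements PCI DSS permits to be stored, PAN unreadable.

    Unclassified fields are rejected rather than silently kept, so a new
    field cannot leak into persistent storage without being reviewed.
    """
    unknown = set(record) - CARDHOLDER_DATA - SENSITIVE_AUTH_DATA
    if unknown:
        raise ValueError(f"unclassified account-data fields: {sorted(unknown)}")
    # Sensitive authentication data is never written, not even encrypted.
    stored = {k: v for k, v in record.items() if k in CARDHOLDER_DATA}
    if "pan" in stored:
        if not luhn_valid(stored["pan"]):
            raise ValueError("PAN fails Luhn check")
        stored["pan"] = truncate_pan(stored["pan"])
    return stored


if __name__ == "__main__":
    # Constructed sample record using a well-known test PAN.
    sample = {"pan": "4111111111111111", "cardholder_name": "Test Card",
              "expiration_date": "12/29", "service_code": "201",
              "full_track_data": "<track>", "cvv2": "123", "pin_block": "<pb>"}
    print(sanitize_for_storage(sample))
```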

PCI DSS applicability

PCI DSS requirements apply to all organizations involved in payment card processing, e.g., merchants, processors, acquirers, issuers and service providers, as well as all other organizations that store, process, or transmit Account data. Organizations that outsource their Cardholder Data Environment (CDE) or payment operations to third parties remain responsible for ensuring that the account data is protected by the third party in line with the applicable PCI DSS requirements.

PCI DSS scope

The PCI DSS security requirements apply to all system components included in or connected to the CDE, which comprises the people, processes and technologies that store, process, or transmit Account data.
The PCI DSS scope includes all types of systems located at the primary and backup/recovery sites, as well as development and fail-over systems.

PCI DSS system components

The PCI DSS system components include, but are not limited to, the following:

  • Security services systems: systems that provide security services (e.g., authentication servers), facilitate segmentation (e.g., internal firewalls), or may impact the security of the CDE (e.g., name resolution or web redirection servers).
  • Virtualization components: virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, hypervisors, etc.
  • Network components: firewalls, switches, routers, wireless access points, network appliances, security appliances, etc.
  • Servers of all kinds: web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications: all purchased and custom applications, including internal and external (for example, Internet-facing) applications.
  • Any other component or device located within or connected to the CDE.
PCI DSS Assessment process main steps

The PCI DSS assessment process includes the following steps:

  1. Confirm the scope of the PCI DSS assessment.
  2. Perform the PCI DSS assessment of the environment, following the testing procedures for each requirement.
  3. Complete the applicable report for the assessment, including documentation of all compensating controls, according to the applicable PCI guidance and instructions:
     • Self-Assessment Questionnaire (SAQ), or
     • Report on Compliance (ROC)
  4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety.
  5. Submit the SAQ or ROC and the Attestation of Compliance, along with any other requested documentation (such as Approved Scanning Vendor (ASV) scan reports), to the acquirer (for merchants) or to the payment brand or another requester (for service providers).
  6. If required, perform remediation to address requirements that are not in place, and provide an updated report.

PCI DSS assessment of the environment

This is the heaviest and most important part of the certification, because it covers the whole PCI DSS scope with ~246 mandatory security requirements (controls), validated by ~408 testing procedures. All requirements are separated into 12 domains, which belong to 6 main groups:

  I. Build and Maintain a Secure Network and Systems
     1. Install and maintain a firewall configuration to protect cardholder data.
     2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  II. Protect Cardholder Data
     3. Protect stored cardholder data.
     4. Encrypt transmission of cardholder data across open, public networks.
  III. Maintain a Vulnerability Management Program
     5. Protect all systems against malware and regularly update anti-virus software or programs.
     6. Develop and maintain secure systems and applications.
  IV. Implement Strong Access Control Measures
     7. Restrict access to cardholder data by business need to know.
     8. Identify and authenticate access to system components.
     9. Restrict physical access to cardholder data.
  V. Regularly Monitor and Test Networks
     10. Track and monitor all access to network resources and cardholder data.
     11. Regularly test security systems and processes.
  VI. Maintain an Information Security Policy
     12. Maintain a policy that addresses information security for all personnel.