As more and more payments moved to digital platforms, the number of breaches increased. Because of this, the five payment brands (Visa, Mastercard and others) came together and built a single standard, PCI DSS, instead of each running its own program, which makes things easier for banks and all the entities involved.
This blog talks about and shares high-level information related to PCI DSS. I will be posting another blog with my experience gained while preparing for this certification.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally.
PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers.
Who Does PCI DSS Apply To?
PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI Council vs Payment Brands
PCI Council
- Responsible for issuing new standards like PCI DSS
- Manages qualification and accreditation
- Creates awareness
- Promotes participation and feedback to enhance payment security
Payment Brands
- Tracking and enforcement of PCI DSS
- Issues penalties, fees, deadlines
- Definition of Merchants and Service Providers
- Responsible for Forensics and Account Compromise Investigations
PCI DSS Goals & Requirements
High-level overview of the 12 PCI DSS requirements.
The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organization, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.
The primary account number (PAN) is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements.
PCI DSS requirements apply to organizations where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted.
Some PCI DSS requirements may also be applicable to organizations that have outsourced their payment operations or management of their CDE.
Additionally, organizations that outsource their CDE or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Source: "Best Practices for Implementing PCI DSS into Business-as-Usual Processes", PCI DSS v3.2.1, page 13: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1626507987753
PCI DSS Assessment Process
The PCI DSS assessment process includes completion of the following steps:
- Confirm the scope of the PCI DSS assessment.
- Perform the PCI DSS assessment of the environment, following the testing procedures for each requirement.
- Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls, according to the applicable PCI guidance and instructions.
- Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Compliance are available on the PCI SSC website.
- Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation—such as ASV scan reports—to the acquirer (for merchants) or to the payment brand or other requester (for service providers).
- If required, perform remediation to address requirements that are not in place, and provide an updated report.
Detailed PCI DSS Requirements and Security Assessment Procedures
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Malicious individuals (external and internal to an entity) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.
Protect Cardholder data
Requirement 3: Protect stored cardholder data
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities.
For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
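As an added example (not from the original post or the PCI SSC), the following Python shows the Requirement 3 handling described above on a few constructed log lines: finding PANs that have leaked into free text such as logs or e-mail, filtering candidates with the Luhn check so order ids and timestamps are not flagged, masking to the first six/last four digits that PCI DSS 3.3 permits for display, and truncating to the last four for storage when the full PAN is not needed. The log format and the card numbers are assumed sample values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (assumed format); the card numbers are test values, not real accounts.
SAMPLE_LOG = (
    "2021-07-17 10:15:33 order=7301985562418 card=4111 1111 1111 1111 status=ok\n"
    "2021-07-17 10:15:34 ref=4111111111111112 note=not a card\n"
    "2021-07-17 10:15:35 card=5555-5555-5555-4444 status=declined\n"
)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits visible (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def truncate_pan(pan: str) -> str:
    """Truncate for storage when the full PAN is not needed: keep only the last four digits."""
    return re.sub(r"\D", "", pan)[-4:]

def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text such as logs, e-mail or chat exports."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)
```

Running `find_pans(SAMPLE_LOG)` reports the two real-looking card numbers and skips the order id and the mistyped number that fail the Luhn check; `redact(SAMPLE_LOG)` rewrites only those two as `411111******1111` and `555555******4444`.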
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems.
Many of these vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage the systems.
All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
“Need to know” means that access rights are granted only to the least amount of data and privileges needed to perform a job.
Requirement 8: Identify and authenticate access to system components
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions.
When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper and electronic media containing cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
Requirement 11: Regularly test security systems and processes.
Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
Each of the 12 requirements above is broken down in the standard into detailed PCI DSS requirements, testing procedures, and guidance on how to meet them (please read them on the PCI SSC website and create specific controls accordingly).
If you are working on this for the first time, my suggestion is to reach out to your internal risk functions or specific PCI teams to arrange formal training, which should give you an overview of the actual requirements and controls you must put in place, especially if you are in charge and will be part of the certification audit.
These dedicated teams should have strong knowledge of these standards and can help you with a gap analysis and the areas you must focus on and strengthen to complete it successfully.
References:
- https://www.pcisecuritystandards.org/
- https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1626572326854
Have you gone through the PCI DSS standard, and what difficulties did you face in achieving it? Please leave your comments below (please do not leave any sensitive information related to your company).