Payment Card Industry Data Security Standard (PCI DSS)


Payment Card Industry (PCI) includes financial institutions and organizations who process or are involved in the processing of payment cards.

PCI Security Standards Council (PCI SSC) is a coalition of PCI stakeholders who develop security standards to secure payment card accounts and transactions.

Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies.

  • governs processing of credit card transactions and other bank card payments
  • sets out protections that must be provided if cardholder data is stored
  • organizations that directly process credit card transactions must adopt the PCI DSS standard to safeguard the cardholder data environment (CDE)
  • identifies controls designed to prevent fraud and protect credit and debit card data
  • Document found here: https://www.pcisecuritystandards.org/document_library/
  • PCI Attestation of Compliance (AoC) is a document designed to demonstrate an organization’s compliance with PCI DSS requirements
    • should be completed by:
      • a Qualified Security Assessor (QSA)
        • is certified by PCI SSC
      • or the merchant (such as a bank) responsible for processing credit and debit card transactions
  • Organization being audited is responsible for the costs of the audit

Payment Card Information Components

  • card number
  • expiry date
  • three-digit card verification value (CVV)
  • PIN
    • should never be transmitted or handled by merchant

Compliance Requirements

  1. Install and maintain network security controls
    • e.g., firewall
  2. Apply secure configurations to all system components
    • don’t use vendor supplied credentials
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data based on business requirements
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organizational policies and programs
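Requirements 3 and 10 meet in practice when card numbers leak into application logs. The following is an added example (not from the PCI DSS document or the PCI SSC) of a log scrubber that finds Luhn-valid card numbers in log lines, masks them, and counts them so a monitoring job can alert; the candidate-number pattern, the keep-last-four masking policy and the sample log lines are assumptions constructed for the example.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
# The pattern and the masking policy below are assumptions for this example,
# not text from the PCI DSS document.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Assumed masking policy: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Return (scrubbed line, number of Luhn-valid PANs masked in it)."""
    found = 0

    def repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order number: leave it untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), found


# Constructed sample lines (not real data). 4111111111111111 is a well-known
# test PAN that passes Luhn; 1234567890123456 does not.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z checkout pan=4111 1111 1111 1111 exp=12/26",
    "2024-05-01T10:00:01Z order_id=1234567890123456 status=ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

A non-zero count from scrub_line is the signal worth alerting on: the application is writing cardholder data to a log, which brings that log into the CDE.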

Implementation

  • Follows four main phases:
    • Assess
      • first step is to assess the current state of PCI DSS within the organization
    • Plan
      • develop a plan to implement PCI DSS requirements
      • plan should include timelines, milestones, and the people responsible for each task
    • Execute
      • put the appropriate security measures in place and follow the PCI DSS requirements
    • Maintain
      • maintain PCI DSS compliance on an ongoing basis
        • regularly reviewing and testing systems
        • following an approved change management process
        • documenting PCI DSS compliance status