- PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a common set of requirements to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined [ [http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts In Data Leaks, Culprits Often Are Mom, Pop - WSJ.com] ].
All in-scope companies must validate their compliance annually. This validation can be conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs); however, smaller companies have the option to use a Self-Assessment Questionnaire (SAQ). Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant's region.
Requirements
The current version of the standard (1.2) [ [https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml PCI DSS - PCI Security Standards Council] ] specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives."
The control objectives and their requirements are:
* Build and Maintain a Secure Network
** Requirement 1: Install and maintain a firewall configuration to protect cardholder data
** Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
* Protect Cardholder Data
** Requirement 3: Protect stored cardholder data
** Requirement 4: Encrypt transmission of cardholder data across open, public networks
* Maintain a Vulnerability Management Program
** Requirement 5: Use and regularly update anti-virus software
** Requirement 6: Develop and maintain secure systems and applications
* Implement Strong Access Control Measures
** Requirement 7: Restrict access to cardholder data by business need-to-know
** Requirement 8: Assign a unique ID to each person with computer access
** Requirement 9: Restrict physical access to cardholder data
* Regularly Monitor and Test Networks
** Requirement 10: Track and monitor all access to network resources and cardholder data
** Requirement 11: Regularly test security systems and processes
* Maintain an Information Security Policy
** Requirement 12: Maintain a policy that addresses information security
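Requirement 3 is the one most often tested against real data. In version 1.2 it includes masking the PAN when displayed, with the first six and last four digits the maximum that may be shown (3.3), and rendering stored PANs unreadable (3.4). Before either control can be applied, an assessor has to find where PANs actually live, and application logs routinely capture them by accident. The following Python is an added example written for this article, not PCI SSC material or code from any vendor: it scans text for 13 to 19 digit runs, keeps only those that pass the Luhn (mod 10) check that all major card brands use, and masks them to first six/last four. The log lines are constructed for the example and contain only well-known test card numbers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer digit run
# (e.g. a 20-digit ticket ID), which would otherwise produce a false hit.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample log. Line 1 holds a 16-digit order number that is NOT a
# card number (fails Luhn); lines 2 and 3 hold Visa/MasterCard test PANs.
SAMPLE_LOG = """\
2008-10-01T12:00:01Z app INFO checkout ok order=1234567890123456 amount=19.99
2008-10-01T12:00:02Z app DEBUG card=4111111111111111 exp=12/10 result=approved
2008-10-01T12:00:03Z app DEBUG card=5500 0000 0000 0004 result=declined
2008-10-01T12:00:04Z app INFO phone=+1 415 555 0100
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four, the most PCI DSS 3.3 permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    column: int    # 0-based offset of the match within that line
    masked: str    # the PAN as it appears after masking


def scan_text(text: str) -> tuple[str, list[Finding]]:
    """Find Luhn-valid PANs in text; return the redacted text and the findings."""
    findings: list[Finding] = []
    redacted_lines: list[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def _redact(m: re.Match[str]) -> str:
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                return m.group(0)          # digit run that is not a card number
            masked = mask_pan(digits)
            findings.append(Finding(line_no, m.start(), masked))
            return masked

        redacted_lines.append(PAN_CANDIDATE.sub(_redact, line))
    return "\n".join(redacted_lines), findings


if __name__ == "__main__":
    redacted, hits = scan_text(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} col {f.column}: {f.masked}")
    print(redacted)
```

Running it reports two findings (lines 2 and 3) and leaves the order number on line 1 untouched. Luhn is a checksum, not an authenticator: roughly one in ten random digit strings of the right length passes it, so a hit marks a candidate to confirm (by issuer prefix, surrounding field name, or a look at the source system), not proof of cardholder data. The same scan, pointed at database dumps, backups and ticketing systems, is how the boundary of the cardholder data environment is usually discovered in practice.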
History
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On 15 December 2004, these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS); the Payment Card Industry Security Standards Council (PCI SSC) was subsequently formed to maintain it.
In September 2006, the standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.
Version 1.2 was released on October 1, 2008 [ [https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf PCI SECURITY STANDARDS COUNCIL RELEASES VERSION 1.2 OF PCI DATA SECURITY STANDARD] ]. Version 1.1 will be "sunset" on December 31, 2008. Version 1.2 did not change the requirements themselves; it enhanced clarity, improved flexibility, and addressed evolving risks and threats.
PCI DSS is one of multiple data security standards and regulations that have emerged over the past decade, alongside BS7799, the ISF Standards, Basel II, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act of 2002.
Standards derived from the PCI DSS include the Payment Application Best Practices (PABP) and its successor, the Payment Application Data Security Standard (PA-DSS).
Updates and Supplemental Information
The PCI SSC has released several supplemental documents to clarify various requirements. These include the following:
* Information Supplement: Requirement 11.3 Penetration Testing [ [https://www.pcisecuritystandards.org/tech/supporting_documents.htm Information Supplement: Requirement 11.3 Penetration Testing] ]
* Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified [ [https://www.pcisecuritystandards.org/tech/supporting_documents.htm Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified] ]
* Navigating the PCI SSC - Understanding the Intent of the Requirements [ [https://www.pcisecuritystandards.org/pdfs/navigating_pci_dss_v1-1.pdf Navigating the PCI SSC - Understanding the Intent of the Requirements] ]
Compliance and wireless LANs
The PCI DSS treats wireless LANs as open, public networks and assumes they are exposed to vulnerabilities and threats. It also specifies two controls to prevent breaches coming in through wireless networks used in any environment containing cardholder data:
* Firewall segmentation between wireless networks and the point-of-sale network, or any other network that comes in contact with cardholder data (Requirement 1).
* Use of wireless analyzers (or a wireless intrusion detection system) to detect unauthorized wireless devices and attacks (Requirement 11).
References
Updates on PCI DSS v1.2
* [https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf Summary of Changes]
* [https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_faqs_v1-2.pdf Summary of Changes FAQ]
* [https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf PCI DSS 1.2 Announcement, Oct. 1, 2008]
External links
* [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm PCI DSS Standard]
* [http://selfservice.talisma.com/?c=58&cpc=MSdA03B2IfY15uvLEKtr40R5a5pV2lnCUb4i1Qj2q2g&cid=81&t= PCI Security Standards Council Frequently Asked Questions and General Information]
Wikimedia Foundation. 2010.