Payment Card Industry Data Security Standard: Difference between revisions

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.^[1]

History

PCI DSS originally began as five different programs: Visa's Cardholder Information Security Program,^[2] MasterCard's Site Data Protection, American Express' Data Security Operating Policy, Discover's Information Security and Compliance, and the JCB's Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS).

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

Version 1.2 was released on October 1, 2008.^[3] Version 1.1 "sunsetted" on December 31, 2008.^[4] v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. In August 2009 the PCI SSC announced^[5] the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.

Version 2.0 was released in October 2010^[6] and is active for merchants and service providers from January 1st 2011 to December 31st 2014.

Version 3.0 was released in November 2013^[7] and is active from January 1st 2014 to December 31st 2016.

Requirements

The PCI Data Security Standard specifies 12 requirements for compliance, organized into six logically related groups called "control objectives". Each version of PCI DSS has divided these 12 requirements into a number of sub-requirements differently, but the 12 high level requirements have not changed since the inception of the standard.

Control Objectives	PCI DSS Requirements
Build and Maintain a Secure Network	1. Install and maintain a firewall configuration to protect cardholder data
	2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data	3. Protect stored cardholder data
	4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program	5. Use and regularly update anti-virus software on all systems commonly affected by malware
	6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures	7. Restrict access to cardholder data by business need-to-know
	8. Assign a unique ID to each person with computer access
	9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks	10. Track and monitor all access to network resources and cardholder data
	11. Regularly test security systems and processes
Maintain an Information Security Policy	12. Maintain a policy that addresses information security

Updates and supplemental information

The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following

• Information Supplement: Requirement 11.3 Penetration Testing^[8]
• Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified^[9]
• Navigating the PCI DSS - Understanding the Intent of the Requirements^[10]
• Information Supplement: PCI DSS Wireless Guidelines^[11]

Compliance versus validation of compliance

Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and MasterCard require Merchants and Service Providers to be validated according to the PCI DSS. Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS although these organizations must still implement all controls in order to maintain safe harbour and avoid potential liability in the event of fraud associated with theft of cardholder data. Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit. (In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines.)

Mandated compliance

In 2009 the U.S. state of Nevada incorporated the standard into state law, requiring compliance of merchants doing business in that state with the current PCI DSS, and shields compliant entities from liability.^[12]

How to get started

Document cardholder data flow - One of the first steps in PCI compliance is to document flow of the cardholder data. Cardholder data flows between and through applications, systems, and network infrastructure devices. It is very important to document all cardholder data flows prior to beginning any assessment activities. An inventory of some kind should be developed to identify all systems that store, process or transmit cardholder data.

Develop a system inventory - An inventory of all systems that store, process, and/or transmit cardholder data must be maintained. The following information at a minimum should be maintained in the inventory:

• System name
• Cardholder data stored (list fields)
• Reason for storage
• Retention period
• Protection mechanism (e.g., hashing, encryption, or truncation)

It is to be noted that when you are developing your system inventory you should divide the applications and system components in categories for scoping purposes.

Category 1 Applications and System Components: Applications and systems that directly store, process, or transmit cardholder data are located on the same network as said applications and systems

Category 2 System Components: System components that support the Tier 1 environment (i.e., Active Directory, NTP, DNS, Anti-virus, patching servers, etc.)

Category 3 System Components: All other non-Tier 1 and Tier 2 system components

Compliance and wireless LANs

In July 2009, the Payment Card Industry Security Standards Council published wireless guidelines^[11] for PCI DSS recommending the use of wireless intrusion prevention system (WIPS) to automate wireless scanning for large organizations. Wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.^[13]

These guidelines apply to the deployment of wireless LAN (WLAN) in Cardholder Data Environments, also known as CDEs. A CDE is defined as a network environment that possesses or transmits credit card data.^[14]

Wireless LAN and CDE classification

PCI DSS wireless guidelines classify CDEs into three scenarios depending on how wireless LANs are deployed.

• No Known WLAN AP inside or outside the CDE: The organization has not deployed any WLAN AP. In this scenario, 3 minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
• Known WLAN AP outside the CDE: The organization has deployed WLAN APs outside the CDE. These WLAN APs are segmented from the CDE by a firewall. There are no known WLAN APs inside the CDE. In this scenario, 3 minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
• Known WLAN AP inside the CDE: The organization has deployed WLAN APs inside the CDE. In this scenario, three minimum scanning requirements (Sections 11.1, 11.4 and 12.9), as well as six secure deployment requirements (Sections 2.1.1, 4.1.1, 9.1.3, 10.5.4, 10.6 and 12.3) of the PCI DSS apply.

Key sections of PCI DSS 1.2 that are relevant for wireless security are classified and defined below.

Secure deployment requirements for wireless LANs

These secure deployment requirements apply to only those organizations that have a known WLAN AP inside the CDE. The purpose of these requirements is to deploy WLAN APs with proper safeguards.

• Section 2.1.1 Change Defaults: Change default passwords, SSIDs on wireless devices. Enable WPA or WPA2 security.
• Section 4.1.1 802.11i Security: Set up APs in WPA or WPA2 mode with 802.1X authentication and AES encryption. Use of WEP in CDE is not allowed after June 30, 2010.
• Section 9.1.3 Physical Security: Restrict physical access to known wireless devices.
• Section 10.5.4 Wireless Logs: Archive wireless access centrally using a WIPS for 1 year.
• Section 10.6 Log Review: Review wireless access logs daily.
• Section 12.3 Usage Policies: Develop usage policies to list all wireless devices regularly. Develop usage possible for the use of wireless devices.

Minimum scanning requirements for wireless LANs

These minimum scanning requirements apply to all organizations regardless of the type of wireless LAN deployment in the CDE. The purpose of these requirements is to eliminate any rogue or unauthorized WLAN activity inside the CDE.

• Section 11.1 Quarterly Wireless Scan: Scan all sites with CDEs whether or not they have known WLAN APs in the CDE. Sampling of sites is not allowed. A WIPS is recommended for large organizations since it is not possible to manually scan or conduct a walk-around wireless security audit^[15] of all sites on a quarterly basis
• Section 11.4 Monitor Alerts: Enable automatic WIPS alerts to instantly notify personnel of rogue devices and unauthorized wireless connections into the CDE.
• Section 12.9 Eliminate Threats: Prepare an incident response plan to monitor and respond to alerts from the WIPS. Enable automatic containment mechanism on WIPS to block rogues and unauthorized wireless connections.

PCI compliance in call centers

While the PCI DSS standards are very explicit about the requirements for the back end storage and access of PII (personally identifiable information), the Payment Card Industry Security Standards Council has said very little about the collection of that information on the front end, whether through websites, interactive voice response systems or call center agents. This is surprising, given the high threat potential for credit card fraud and data compromise that call centers pose.^[16][17]

In a call center, customers read their credit card information, CVV codes, and expiration dates to call center agents. There are few controls which prevent the agent from skimming (credit card fraud) this information with a recording device or a computer or physical note pad. Moreover, almost all call centers deploy some kind of call recording software, which is capturing and storing all of this sensitive consumer data. These recordings are accessible by a host of call center personnel, are often unencrypted, and generally do not fall under the PCI DSS standards outlined here.^[18] Home-based telephone agents pose an additional level of challenges, requiring the company to secure the channel from the home-based agent through the call center hub to the retailer applications.^[19]

To address some of these concerns, on January 22, 2010 the Payment Card Industry Security Standards Council issued a revised FAQ about call center recordings.^[20] The bottom line is that companies can no longer store digital recordings that include CVV information if those recordings can be queried.

Though the council has not yet issued any requirements, technology solutions can completely prevent skimming (credit card fraud) by agents. At the point in the transaction where the agent needs to collect the credit card information, the call can be transferred to an Interactive Voice Response system.^[21] This protects the sensitive information, but can create an awkward customer interaction. Solutions such as Agent-assisted Automation allow the agent to "collect" the credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the customer relationship management software using their phones. The DTMF tones are converted to monotones so the agent cannot recognize them and so that they cannot be recorded. This also ensures a greater level of customer satisfaction as callers understand the security benefits, thereby improving the business-consumer relationship. PCI compliant solutions can be deployed easily within company premises, or through the telephony provider network cloud. If going through the network cloud, no hardware or software needs to be installed in the organization itself. This ensures seamless integration with the call center environment, with minimal disruption to agents, or current IT systems, whilst also reducing risk by enabling rapid implementation. The benefits of increasing the security around the collection of personally identifiable information goes beyond credit card fraud to include helping merchants win chargebacks due to friendly fraud.^[22]

Controversies and criticisms

It has been suggested by some IT security professionals that the PCI DSS does little more than provide a minimal baseline for security.

"The fact is you can be PCI-compliant and still be insecure. Look at online application vulnerabilities. They're arguably the fastest growing area of security, and for good reason — exposures in customer-facing applications pose a real danger of a security breach." - Greg Reber^[23]

PCI-DSS has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.^[24]

According to Stephen and Theodora “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah (which was fined for a breach that two forensics firms could not find evidence even occurred), "the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines “are profitable to them,”".^[24]

Additionally, Michael Jones, CIO of Michaels' Stores, testifying before a U.S. Congress subcommittee regarding the PCI DSS, says "(...the PCI DSS requirements...) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve “Requirements” for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation."^[25]

In contrast, others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems.

"Regulation--SOX, HIPAA, GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever--has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services." - Bruce Schneier^[26]

Further, per PCI Council General Manager Bob Russo's response to the National Retail Federation: PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."^[27]

Compliance and compromises

According to Visa Chief Enterprise Risk Officer, Ellen Richey, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."^[28] However, it has nevertheless become a common misconception that companies have had security breaches while also being PCI DSS compliant.^{[citation needed]} Much of this confusion is a result of the 2008 Heartland Payment Systems breach, wherein more than one hundred million card numbers were compromised.^[29] Around this same time Hannaford Brothers^[30] and TJX Companies were similarly breached as a result of the alleged very same source of coordinated efforts of Albert "Segvec" Gonzalez and two unnamed Russian hackers.^[31]

Assessments examine the compliance of merchants and services providers with the PCI DSS at a specific point in time and frequently utilize a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times both throughout the annual validation/assessment cycle and across all systems and processes in their entirety.^[32] Therefore, these frequently cited breaches and their pointed use as a tool for criticism even to the point of noting that Hannaford Brothers had, in fact, received its PCI DSS compliance validation one day after it had been made aware of a two-month long compromise of its internal systems;^[33] fail to appropriately assign blame in their blasting of the standard itself as flawed as opposed to the more truthful breakdown in merchant and service provider compliance with the written standard, albeit in this case having not been identified by the assessor.

Other, more substantial, criticism lies in that compliance validation is required only for Level 1-3 merchants and may be optional for Level 4 depending on the card brand and acquirer. Visa's compliance validation details for merchants state that level 4 merchants compliance validation requirements are set by the acquirer,^[34] Visa level 4 merchants are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time over 80% of payment card compromises between 2005 and 2007 affected Level 4 merchants; they handle 32% of transactions.^{[35][dead link][36]}

Compliance as a snapshot

The state of being PCI DSS compliant might appear to have some temporal persistence, at least from a merchant point of view.^{[citation needed]} In contrast, the PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs.^[37]

See also

• Penetration test
• Vulnerability management
• Wireless LAN
• Wireless security

References

1. "Getting Started with the PCI Data Security Standard". PCI Security Standards Council. Retrieved 2014-4-11. {{cite web}}: Check date values in: |accessdate= (help)
2. www.visa.com/cisp/‎
3. PCI SECURITY STANDARDS COUNCIL RELEASES VERSION 1.2 OF PCI DATA SECURITY STANDARD
4. Supporting Documents PCI DSS
5. https://www.pcisecuritystandards.org/pdfs/statement_090810_minor_corrections_to_standards.pdf
6. https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf,
7. https://www.pcisecuritystandards.org/pdfs/13_11_06_DSS_PCI_DSS_Version_3_0_Press_Release.pdf
8. Information Supplement: Requirement 11.3 Penetration Testing
9. Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
10. Navigating the PCI DSS - Understanding the Intent of the Requirements
11. "PCI DSS Wireless Guidelines" (PDF). Retrieved 2009-07-16.
12. Nevada Revised Statutes, Chap. 603A §215.
13. "Don't Let Wireless Detour your PCI Compliance" (PDF). Retrieved 2009-07-22.
14. Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms
15. "Walk Around Wireless Security Audits – The End Is Near" (PDF). Retrieved 2009-07-22.
16. Little, Allan (March 19, 2009). "Overseas credit card scam exposed". bbc.co.uk.com.
17. Loviglio, Joann (March 2012). "If Microsoft co-founder's ID isn't safe, is yours?". msnbc.com.
18. "PCI Compliance in the Call Center a Headache for Many". searchcrm.com. Retrieved 2011-01-28.
19. "PCI Compliance: What it Means to the Call Center Industry". tmcnet.com. Retrieved 2008-02-13.
20. "Call Center FAQ Significantly Changes". pciguru. Retrieved 2010-01-25.
21. "Restructuring the Contact Center for PCI Compliance". tmcnet.com. Retrieved 2008-11-10.
22. Adsit, Dennis (February 21, 2011). "Error-proofing strategies for managing call center fraud". isixsigma.com. iSixSigma (Ideal Media, LLC).
23. Reber, Greg (2008-10-27). "PCI compliance falls short of assuring website security". Tech Target. Retrieved 2009-02-15.
24. Zetter, Kim (January 11, 2012). "Rare Legal Fight Takes On Credit Card Company Security Standards and Fines". Wired Magazine. Retrieved January 16, 2012.
25. Jones, Michael (2009-03-31). "TESTIMONY OF MICHAEL JONES BEFORE THE EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY SUBCOMMITTEE" (PDF). Congress of the United States. Retrieved 2010-07-19.^{[dead link]}
26. "Bruce Schneier reflects on a decade of security trends". Retrieved 2009-02-15.
27. Russo, Bob (2009-06-15). "Letter to NRF" (PDF). PCI Council. Retrieved 2010-10-19.
28. Vijayan, Jaikumar (2009). "Visa: Post-breach criticism of PCI standard misplaced".
29. "Heartland data breach sparks security concerns in payment industry".
30. McGlasson, Linda (2008-04-04). "Hannaford Data Breach May Be Top of Iceberg". BankInfo Security. Retrieved 2009-01-28.
31. Goodin, Dan (2009). "TJX suspect indicted in Heartland, Hannaford breaches".
32. Spier, Peter (2010-03-22). "The QSA's Perspective: PCI Compliance Risk Abounds". BankInfo Security. Retrieved 2010-10-19.
33. Vijayan, Jaikumar (2009-01-04). "PCI security standard gets ripped at House hearing". Computerworld Security. Retrieved 2009-05-04.
34. Visa Merchant levels http://usa.visa.com/merchants/risk_management/cisp_merchants.html
35. Pastor, Adrian (2009). "A Pentester's Guide to Credit Card Theft Techniques" (PDF).
36. http://usa.visa.com/download/merchants/level_4_merchant_compliance_program_062807.pdf Published June 28, 2007, slide 6
37. "Q and A: Head of PCI council sees security standard as solid, despite breaches". Retrieved 2009-02-15.

Articles on PCI compliance using Linux

• Red Card: Specificity of PCI DSS in respect to Red Hat Enterprise Linux (Part 1)
• Red Card: Specificity of PCI DSS in respect to Red Hat Enterprise Linux (Part 2)
• PCI DSS and Red Hat Enterprise Linux (Part #3)
• PCI DSS and Red Hat Enterprise Linux (Part #4)
• PCI DSS and Red Hat Enterprise Linux (Part #5)
• PCI DSS and Red Hat Enterprise Linux (Part #6)
• PCI DSS and Red Hat Enterprise Linux (Part #7)
• PCI DSS and Red Hat Enterprise Linux (Part #8)
• PCI DSS and Red Hat Enterprise Linux (Final part #9)

Books on PCI DSS

• "PCI DSS Handbook"(ISBN 9780470260463)
• "PCI DSS: A Practical Guide to Implementation" (ISBN 9781849280235)
• "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance" (ISBN 9781597494991)

Updates on PCI DSS v1.2

• Summary of Changes
• Summary of Changes FAQ
• PCI DSS 1.2 Announcement, Oct. 1, 2008

Updates on PCI DSS v2.0

• Summary of Changes
• PCI DSS 2.0 Announcement, Aug. 12, 2010
• PCI DSS Virtualisation Guidelines, June 2011

Updates on PCI DSS v3.0

• Summary of Changes

External links

• PCI SSC Data Security Standards Overview
• PCI Quick Reference Guide
• List of PCI DSS compliant organizations