The Payment Card Industry Data Security Standard (PCI DSS), first released in 2004, is a set of security requirements managed by an industry consortium consisting of the five major credit card associations: Visa Inc., MasterCard Inc., American Express Co., Discover and JCB International Co. In this tip, I'll give a broad overview of the PCI DSS requirements and your obligations under the standard.
Does PCI DSS apply to me?
At this point, you may be asking yourself "I'm a midsize business. Isn't this stuff for large companies that make the news with their data breaches? Does it really apply to me?" The short answer is yes, it does. If you store, process or transmit credit cards in any fashion, you're required to comply with PCI DSS, regardless of the size of your business. The card associations don't have the power to create laws, but you're required to comply for one of two reasons:
- If you accept credit cards under a merchant agreement, you're legally bound to comply with these requirements due to your contractual relationship with your merchant bank. Check the small print. It's in there.
- If you don't have an agreement with a merchant bank, but store, process or transmit credit cards on behalf of your customers, you're required to comply because the language of PCI DSS doesn't allow your customers to do business with you unless you are a compliant service provider.
What are the PCI DSS compliance requirements?
The full PCI DSS standard (which is a must-read for anyone subject to the standard) contains 73 pages of detailed requirements. The standard can certainly be daunting to a first-time reader, but depending upon the way you handle credit card data, some of these may not be applicable to you. I can offer you some words of reassurance: The requirements in the standard are all industry best practices. If you're a security professional, you'll probably agree with most everything in there.
PCI DSS is organized into six focus areas, containing a dozen major requirements. I'll provide you with a brief overview of these focus areas, but must emphasize that you'll need to review the full standard to ensure your business is compliant.
Focus area 1: Build and maintain a secure network
The two major requirements in this area specify that you must install and maintain a firewall configuration to protect cardholder data and should not use vendor-supplied defaults for system passwords and other security parameters.
Focus area 2: Protect cardholder data
This focus area covers the storage and transmission of cardholder data and the minimization of data storage, encryption of stored and transmitted data and protection of cryptographic keys.
Focus area 3: Maintain a vulnerability management program
PCI DSS also requires that you maintain a vulnerability management program. This focus area covers using and updating antivirus software and the requirements for developing and maintaining secure systems and applications.
Focus area 4: Implement strong access control measures
Access control is one of the cornerstones of information security. This focus area requires that you restrict access to cardholder data to those on a need-to-know basis, assign a unique ID to each person with computer access and restrict physical access to cardholder data.
Focus area 5: Regularly monitor and test networks
PCI DSS requires the development of a program for monitoring and testing network compliance on a regular basis. In this focus area you'll find requirements that you track and monitor all access to network resources and cardholder data and regularly test security systems and processes.
Focus area 6: Maintain an information security policy
Although it appears last in the standard, this is the focus area that I recommend you tackle first, as policy is the cornerstone of information security and lays out the organizational mandate for the rest of your credit card security program. This focus area contains detailed requirements for the contents of your security policies and standards.
How do I prove my organization is PCI DSS compliant?
Depending upon the size of your organization, you'll need to provide your merchant bank with varying degrees of assurance that you are compliant with PCI DSS. The requirements are complex and vary from card association to card association. Consult your merchant bank for guidance, as they will be able to provide you with a definitive answer on your compliance level. For illustrative purposes, here are Visa's requirements:
- Level 1 merchants are those who process over 6,000,000 Visa transactions of any kind annually, have suffered a breach or are otherwise designated as Level 1. They must complete an annual self-assessment, an annual on-site assessment by a Qualified Security Assessor and conduct quarterly network scans using an Approved Scanning Vendor.
- Level 2, 3 and 4A merchants process between 20,000 and 6,000,000 Visa e-commerce transactions or 1,000,000 and 6,000,000 Visa transactions of any kind annually and must complete an annual self-assessment and conduct quarterly network scans using an Approved Scanning Vendor.
- Level 4B merchants process fewer than 20,000 Visa e-commerce transactions and fewer than 1,000,000 Visa transactions of any kind, and they are not currently required to certify their compliance but must maintain compliance regardless.
PCI DSS compliance can be intimidating, especially if you're tasked with developing a compliance program from scratch. However, I can tell you from experience that it's an achievable goal. Many merchants are in the same boat and you should tap the collective knowledge of your peers as you work toward compliance.About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
Send comments on this technical tip to firstname.lastname@example.org.