A Quick Intro to PCI Compliance
Sunday, March 7, 2010
(Members Only Software, Inc.)
What is PCI?
PCI (Payment Card Industry) is an association of the major credit card issuers. The PCI-DSS (PCI Data Security Standard) is a list of twelve security requirements this group has issued that merchant account holders are required to meet.
To whom do these standards apply?
According to the standard, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted." In other words, if you ever send a credit card number through to the bank for processing, you've got to pass muster.
Who monitors my compliance?
Your compliance with these standards is monitored by your "acquirer" -- the company at the other end of your credit card validation software or device. For MasterCard and Visa, this is your bank or credit card processor. For American Express and Discover, it is the card issuer itself. The largest credit card merchants are required to submit an extremely detailed report on their information security in order to verify compliance. But most organizations can simply fill in a self-assessment questionnaire and an attestation of compliance.
Is anyone actually paying attention?
While many organizations have just heard rumbles about PCI in their business communities, other organizations we work with have been told by their banks that they are out of compliance. This can lead to fees, fines, and at worst the loss of your merchant account. If you do have an incident where your credit card information is compromised, you will almost certainly be deemed out of compliance at that point. And the number of these incidents is increasing. You owe it to your organization's donors, supporters, and customers to protect the information they've entrusted to you.
The biggest misconception we see among our clients is the idea that if they are using the right credit card processing system or software, they are compliant. Of course there are requirements that payment applications must meet. These comprise a second standard known as PA-DSS (Payment Application Data Security Standard). Failure to use secure software is a sure path to non-compliance. But using a compliant payment system is not enough to guarantee that you the merchant are yourself compliant. The entire security of your information system comes under the purview of the PCI.
How do credit card thefts occur?
- more than half of all such incidents are inside jobs by employees or business partners.
- more than half involve the theft of data that was not known to be on the system.
- more than half are not technologically sophisticated operations.
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors.
PCI Security Requirements in detail:
The chart above gives you a sense of the range of issues the standard covers. But this is just, in effect, a table of contents to the standard. The full standard goes into significant detail under each one.
Let's look at one example. Requirement #1 reads "Install and maintain a firewall configuration to protect cardholder data." You might think the fact that you have an industry standard firewall product installed gets you a pass on this one. But that is just the starting point. The requirements ask for:
- a written policy on how any change to the router or firewall configuration is approved and made.
- a network diagram that shows all connections and all devices and a process to make sure the diagram is up to date.
- documentation of the business case for all ports that are open and all protocols that are in use.
- a formal review of all firewall and router settings every six months.
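As an added illustration of what those Requirement 1 sub-points look like in practice (this is example code, not part of the original post or any PCI Council tool): a small audit that compares a firewall's allow rules against the written port/protocol business-case register and flags entries that have missed the six-month review. The rule and register formats, and all the entries in them, are constructed samples.

```python
"""Cross-check firewall allow rules against the documented business-case
register for open ports/protocols, and flag register entries overdue for
the six-month review. Added example; all data below is constructed."""
from datetime import date, timedelta

# Constructed sample: allow/deny rules as exported from a firewall.
FIREWALL_RULES = [
    {"proto": "tcp", "port": 443, "src": "0.0.0.0/0", "action": "allow"},
    {"proto": "tcp", "port": 22, "src": "10.0.5.0/24", "action": "allow"},
    {"proto": "tcp", "port": 3389, "src": "0.0.0.0/0", "action": "allow"},
    {"proto": "udp", "port": 53, "src": "10.0.0.0/8", "action": "allow"},
]

# Constructed sample: the written register of business cases per open port/protocol.
PORT_REGISTER = {
    ("tcp", 443): {"justification": "Donor web portal (HTTPS)", "reviewed": "2009-11-15"},
    ("tcp", 22): {"justification": "Admin SSH from ops subnet", "reviewed": "2009-06-01"},
    ("udp", 53): {"justification": "Internal DNS resolver", "reviewed": "2010-02-20"},
}

REVIEW_INTERVAL = timedelta(days=183)  # "every six months"


def audit_rules(rules, register, today):
    """Return (kind, (proto, port), note) findings: ports open with no
    business case, register entries with no matching allow rule, and
    register entries whose last review is older than the interval."""
    findings = []
    open_ports = {(r["proto"], r["port"]) for r in rules if r["action"] == "allow"}
    documented = set(register)
    for key in sorted(open_ports - documented):
        findings.append(("UNDOCUMENTED", key, "open with no business case on file"))
    for key in sorted(documented - open_ports):
        findings.append(("STALE_ENTRY", key, "in register but no allow rule"))
    for key, entry in sorted(register.items()):
        reviewed = date.fromisoformat(entry["reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            findings.append(("REVIEW_OVERDUE", key, f"last reviewed {reviewed}"))
    return findings


def sample_audit():
    """Run the audit on the constructed data as of the post's date."""
    return audit_rules(FIREWALL_RULES, PORT_REGISTER, date(2010, 3, 7))


if __name__ == "__main__":
    for kind, (proto, port), note in sample_audit():
        print(f"{kind:15} {proto}/{port:<5} {note}")
```

On the sample data this reports tcp/3389 as open with no business case and tcp/22 as overdue for review; a real run would feed it the exported ruleset and the register kept under the change-control policy.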
How can you find out the full extent of the PCI requirements? The PCI Security site is full of information about the standard and compliance testing. A good starting point is "Navigating PCI-DSS", a fifty-page introduction to the terms of the standard and the meaning and intent of each clause. It's the best thing to read if you want a complete explanation of the data security standard.
The full PCI-DSS specification can be downloaded from this page. And when you are ready, you can also find the self-assessment questionnaire here.
If you want to learn all there is to know about PCI, you can attend a two-day seminar given by the PCI Council. We took it and found it invaluable.
Members Only Software Consulting Services
We've spent a lot of time, in class and on-line, developing an understanding of PCI-DSS. Call and engage us for consultation on your information security! Just send us an email to start the process!