A Quick Intro to PCI Compliance
Sunday, March 7, 2010
(Members Only Software, Inc.)
What is PCI?
PCI (Payment Card Industry) is an association of the major credit card issuers. The PCI-DSS (PCI Data Security Standard) is a list of twelve security requirements this group has issued that merchant account holders are required to meet.
To whom do these standards apply?
According to the standard, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted." In other words, if you ever send a credit card number through to the bank for processing, you've got to pass muster.
Who monitors my compliance?
Your compliance with these standards is monitored by your "acquirer" -- the company at the other end of your credit card validation software or device. For MasterCard and Visa, this is your bank or credit card processor. For American Express and Discover, it is the card issuer itself. The largest credit card merchants are required to submit an extremely detailed report on their information security in order to verify compliance. But most organizations can simply fill in a self-assessment questionnaire and an attestation of compliance.
Is anyone actually paying attention?
While many organizations have just heard rumbles about PCI in their business communities, other organizations we work with have been told by their banks that they are out of compliance. This can lead to fees, fines, and at worst the loss of your merchant account. If you do have an incident where your credit card information is compromised, you will almost certainly be deemed out of compliance at that point. And the number of these incidents is increasing. You owe it to your organization's donors, supporters, and customers to protect the information they've entrusted to you.
The biggest misconception we see among our clients is the idea that if they are using the right credit card processing system or software, they are compliant. Of course there are requirements that payment applications must meet. These comprise a second standard known as PA-DSS (Payment Application Data Security Standard). Failure to use secure software is a sure path to non-compliance. But using a compliant payment system is not enough to guarantee that you the merchant are yourself compliant. The entire security of your information system comes under the purview of the PCI.
How do credit card thefts occur?
- more than half of all such incidents are inside jobs by employees or business partners.
- more than half involve the theft of data that was not known to be on the system.
- more than half are not technologically sophisticated operations.
Goal | Requirements
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors.
PCI Security Requirements in detail:
The chart above gives you a sense of the range of issues the standard covers. But this is just, in effect, a table of contents to the standard. The full standard goes into significant detail under each one.
Let's look at one example. Requirement #1 reads "Install and maintain a firewall configuration to protect cardholder data." You might think the fact that you have an industry standard firewall product installed gets you a pass on this one. But that is just the starting point. The requirements ask for:
- a written policy on how any change to the router or firewall configuration is approved and made.
- a network diagram that shows all connections and all devices and a process to make sure the diagram is up to date.
- documentation of the business case for all ports that are open and all protocols that are in use.
- a formal review of all firewall and router settings every six months.
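As an added example (not from the original post), here is a small check a merchant could keep alongside the port register Requirement 1 asks for: it reconciles a constructed listening-socket inventory against a constructed register of approved ports and their business justifications, flagging both open ports with no documented business case and documented entries that are no longer in use (the kind of drift the six-monthly review should catch). The port numbers, justifications and inventory format are all assumptions.

```python
# Added example, not from the original post: reconcile the ports a host actually
# listens on against the written "business case for all ports that are open"
# register that PCI-DSS Requirement 1 asks for. All data below is constructed.
from typing import Dict, List, Set, Tuple

# Constructed register: port -> (protocol, documented business justification).
APPROVED_PORTS: Dict[int, Tuple[str, str]] = {
    443: ("tcp", "HTTPS for the donation web form"),
    22: ("tcp", "SSH for administrators from the office subnet"),
    1433: ("tcp", "SQL Server, reachable only from the web tier"),
    8443: ("tcp", "Old admin console, decommissioned last quarter"),
}

# Constructed listening-socket inventory in an assumed "addr:port proto" format.
OBSERVED_LISTENING = """
0.0.0.0:443 tcp
0.0.0.0:22 tcp
0.0.0.0:1433 tcp
0.0.0.0:21 tcp
0.0.0.0:3389 tcp
"""


def parse_listening(inventory: str) -> Set[int]:
    """Return the set of port numbers from an 'addr:port proto' inventory."""
    ports: Set[int] = set()
    for line in inventory.strip().splitlines():
        addr_port, _proto = line.split()
        ports.add(int(addr_port.rsplit(":", 1)[1]))
    return ports


def reconcile(observed: Set[int], approved: Dict[int, Tuple[str, str]]) -> Dict[str, List[int]]:
    """Open ports with no business case, and documented ports no longer in use."""
    return {
        "undocumented": sorted(observed - approved.keys()),
        "stale": sorted(approved.keys() - observed),
    }


def report(inventory: str = OBSERVED_LISTENING) -> Dict[str, List[int]]:
    """Print the findings a reviewer would act on and return them for reuse."""
    result = reconcile(parse_listening(inventory), APPROVED_PORTS)
    for port in result["undocumented"]:
        print(f"port {port}: open but has no documented business case")
    for port in result["stale"]:
        print(f"port {port}: documented but not listening; update the register")
    return result


if __name__ == "__main__":
    report()
```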
How can you find out the full extent of the PCI requirements? The PCI Security site is full of information about the standard and compliance testing. A good starting point is "Navigating PCI-DSS", a fifty-page introduction to the terms of the standard and the meaning and intent of each clause. It's the best thing to read if you want a complete explanation of the data security standard.
The full PCI-DSS specification can be downloaded from this page. And when you are ready, you can also find the self-assessment questionnaire here.
If you want to learn all there is to know about PCI, you can attend a two-day seminar given by the PCI Council. We took it and found it invaluable.
Members Only Software Consulting Services
We've spent a lot of time, in class and on-line, developing an understanding of PCI-DSS. Call and engage us for consultation on your information security! Just send us an email to start the process!