The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council and its use is mandated by the card brands. The standard was created to better control cardholder data and reduce credit card fraud.
Validation of compliance is performed annually or quarterly, by a method suited to the volume of transactions handled:
* Self-Assessment Questionnaire (SAQ)
* Firm-specific Internal Security Assessor (ISA)
* External Qualified Security Assessor (QSA)
History
Originally, the major card brands started five different security programs:
* Visa's Cardholder Information Security Program
* MasterCard's Site Data Protection
* American Express's Data Security Operating Policy
* Discover's Information Security and Compliance
* JCB's Data Security Program
The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort made by the principal credit card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has been implemented and followed across the globe.
The Payment Card Industry Security Standards Council (PCI SSC) was then formed, and these companies aligned their individual policies to create the PCI DSS. MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC in September 2006 as an administration/governing entity which mandates the evolution and development of the PCI DSS. Independent/private organizations can participate in PCI development after proper registration. Each participating organization joins a particular SIG (Special Interest Group) and contributes to the activities which are mandated by the SIG.
The following versions of the PCI DSS have been made available:
Requirements
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives". The six groups are:
# Build and Maintain a Secure Network and Systems
# Protect Cardholder Data
# Maintain a Vulnerability Management Program
# Implement Strong Access Control Measures
# Regularly Monitor and Test Networks
# Maintain an Information Security Policy
Each version of PCI DSS has divided these six control objectives into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard. Each requirement/sub-requirement is additionally elaborated into three sections.
# PCI DSS Requirements: Define the main description of the requirements. The endorsement of PCI DSS is done on the proper implementation of the requirements.
# Testing Processes: The processes and methodologies carried out by the assessor for the confirmation of proper implementation.
# Guidance: Explains the core purpose of the requirement and the corresponding content which can assist in the proper definition of the requirement.
Under version 3.2.1 of the PCI DSS, the twelve requirements are described as follows:
# Install and maintain a firewall configuration to protect cardholder data.
# Do not use vendor-supplied defaults for system passwords and other security parameters.
# Protect stored cardholder data.
# Encrypt transmission of cardholder data over open, public networks.
# Protect all systems against malware and update anti-virus software or programs.
# Develop and maintain secure systems and applications.
# Restrict access to cardholder data by business need to know.
# Identify and authenticate access to system components.
# Restrict physical access to cardholder data.
# Track and monitor all access to network resources and cardholder data.
# Regularly test security systems and processes.
# Maintain an information security policy that addresses information security for all personnel.
Updates and supplemental information
The PCI SSC (Payment Card Industry Security Standards Council) has released several supplemental pieces of information to clarify various requirements. These documents include the following:
* Information Supplement: Requirement 11.3 Penetration Testing
* Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
* Navigating the PCI DSS - Understanding the Intent of the Requirements
* PCI DSS Applicability in an EMV Environment
* Prioritized Approach for PCI DSS
* Prioritized Approach Tool
* PCI DSS Quick Reference Guide
* PCI DSS Virtualization Guidelines
* PCI DSS Tokenization Guidelines
* PCI DSS 2.0 Risk Assessment Guidelines
* The lifecycle for Changes to the PCI DSS and PA-DSS
* Guidance for PCI DSS Scoping and Segmentation
PCI DSS v4.0 now available
Reporting levels
All companies who are subject to PCI DSS standards must be PCI compliant. However, how they prove and report their compliance is based on how many transactions they process per year and how they process those transactions. The acquirer or payment brands may also choose to manually place an organization into a reporting level at their discretion.
At a high level, the merchant levels are as follows:
* Level 1 – Over 6 million transactions annually
* Level 2 – Between 1 and 6 million transactions annually
* Level 3 – Between 20,000 and 1 million transactions annually (or any e-commerce merchant)
* Level 4 – Less than 20,000 transactions annually
Each card issuer maintains their own table of compliance levels as well as a separate table for service providers.
Validation of compliance
Compliance validation involves the evaluation and confirmation that the security controls and procedures have been properly implemented as per the policies recommended by PCI DSS. In short, the PCI DSS and its security validation/testing procedures together serve as a compliance validation tool. A PCI DSS assessment involves the following entities.
Qualified Security Assessor (QSA)
A Qualified Security Assessor is an individual bearing a certificate that has been provided by the PCI Security Standards Council. This certified person can audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance. QSAs are the independent groups/entities which have been certified by PCI SSC for compliance confirmation in organization procedures. The certification confirms that a QSA has met all the separate prerequisites which are mandatory to perform PCI DSS assessments.
Internal Security Assessor (ISA)
An Internal Security Assessor is an individual who has earned a certificate from the PCI Security Standards Company for their sponsoring organization. This certified person has the ability to perform PCI self-assessments for their organization. This ISA program was designed to help Level 2 merchants meet the new Mastercard compliance validation requirements.
ISA certification empowers an employee to perform an internal assessment of his/her organization and propose security solutions/controls for PCI DSS compliance. As ISAs are sponsored by the organization for PCI SSC certification, they are in charge of cooperation and participation with QSAs.
Report on Compliance (ROC)
A Report on Compliance is a form that has to be filled out by all Level 1 Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit. The ROC form is used to verify that the merchant being audited is compliant with the PCI DSS standard. The ROC confirms that policies, strategies, approaches and workflows are appropriately implemented/developed by the organization for the protection of cardholders against scams/fraud in card-based business transactions. A template, "ROC Reporting Template", available on the PCI SSC site contains detailed guidelines about the ROC.
Self-Assessment Questionnaire (SAQ)
The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers to report the results of their PCI DSS self-assessment. There are eight different types of SAQs, each with a different level of complexity. The most basic is the SAQ-A, consisting of just 22 questions; the most complex is the SAQ-D, consisting of 329 questions.
The Self-Assessment Questionnaire is intended to be completed annually and submitted to the entity's acquiring bank. In addition to the SAQ, the Attestation of Compliance (AOC) is completed based upon the results of the SAQ. Each SAQ question must be answered with yes or no. In the event that a question has the response "no", the entity must highlight its future implementation aspects.
Compliance versus validation of compliance
Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently, both Visa and MasterCard require merchants and service providers to be validated according to the PCI DSS. Visa also offers an alternative program called the Technology Innovation Program (TIP) that allows qualified merchants to discontinue the annual PCI DSS validation assessment. These merchants are eligible if they are taking alternative precautions against counterfeit fraud such as the use of EMV or Point to Point Encryption.
Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit.
In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach may be subject to additional penalties from card brands or acquiring banks, such as fines.
Legislation
Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly or make equivalent provisions. The legal scholars Edward Morse and Vasant Raval have argued that, by enshrining PCI DSS compliance in legislation, the card networks have reallocated the externalized cost of fraud from the card issuers to merchants.
In 2007, Minnesota enacted a law prohibiting the retention of some types of payment card data subsequent to 48 hours after authorization of the transaction.
In 2009, Nevada incorporated the standard into state law, requiring compliance of merchants doing business in that state with the current PCI DSS, and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by other approved security standards.
[Edward A. Morse; Vasant Raval, "Private Ordering in Light of the Law: Achieving Consumer Protection through Payment Card Security Measures", DePaul Business & Commercial Law Journal 10, no. 2 (Winter 2012): 213-266]
In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be compliant to PCI DSS, but compliant entities are shielded from liability in the event of a data breach.
Risk management to protect cardholder data
Under PCI DSS's requirement 3, merchants and financial institutions are required to protect cardholder data with strong cryptography. Non-compliant solutions will not pass the audit. A typical risk management program can be structured in 3 steps:
# Identify all known risks and record/describe them in a risk register. For example, hardware security modules (HSM) that are used in the cryptographic key management process could potentially introduce their own risks if compromised, whether physically or logically. HSMs create a root of trust within the system. However, while it is unlikely, if the HSM is compromised, this could compromise the entire system.
# Develop a risk management program to analyze all identified risks. Included in this analysis should be a mix of qualitative and quantitative techniques to determine what risk treatment methods should be used to reduce the possibility of risks. For example, an organization might analyze the risk of using a cloud HSM versus a physical device that they use on site.
# Treat the risks in response to the risk analysis that was previously performed. For example, employing different treatments to protect client information stored in a cloud HSM versus ensuring security both physically and logically for an onsite HSM, which could include implementing controls or obtaining insurance to maintain an acceptable level of risk.
Continuous monitoring and review are part of the process of reducing PCI DSS cryptography risks. This includes maintenance schedules and predefined escalation and recovery routines when security weaknesses are discovered.
Controversies and criticisms
Visa and Mastercard impose fines for non-compliance.
Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in Park City, Utah, were allegedly fined for a breach for which two forensics firms could not find evidence as having occurred:
Michael Jones, CIO of Michaels' Stores, testified before a U.S. Congress subcommittee regarding the PCI DSS:
Others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems. For example, Bruce Schneier has spoken in favour of PCI DSS:
PCI Council General Manager Bob Russo responded to the objections of the National Retail Federation:
Compliance and compromises
According to Visa Chief Enterprise Risk Officer Ellen Richey (2018):
In 2008, a breach of Heartland Payment Systems, an organization validated as compliant with PCI DSS, resulted in the compromising of one hundred million card numbers. Around this same time Hannaford Brothers and TJX Companies, also validated as PCI DSS compliant, were similarly breached as a result of the alleged coordinated efforts of Albert "Segvec" Gonzalez and two unnamed Russian hackers.
Assessments examine the compliance of merchants and services providers with the PCI DSS at a specific point in time and frequently utilize a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times both throughout the annual validation/assessment cycle and across all systems and processes in their entirety. Although it could be that a breakdown in merchant and service provider compliance with the written standard was to blame for the breaches, Hannaford Brothers had received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems. The failure of this to be identified by the assessor suggests that incompetent verification of compliance undermines the security of the standard.
Other criticism lies in that compliance validation is required only for Level 1–3 merchants and may be optional for Level 4 depending on the card brand and acquirer. Visa's compliance validation details for merchants state that Level 4 merchants' compliance validation requirements are set by the acquirer; Visa Level 4 merchants are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time, over 80% of payment card compromises between 2005 and 2007 affected Level 4 merchants; they handle 32% of transactions.
See also
* Penetration test
* Vulnerability management
* Wireless LAN
* Wireless security
External links
Official PCI Security Standards Council Site
A guide to PCI compliance