The Payment Card Industry Data Security Standard (PCI DSS) was developed to secure sensitive payment card data. Its purpose is to protect customer data, prevent theft and fraud, and promote the adoption of consistent security measures globally. It lists the rules and security controls required to protect sensitive payment card data, and it helps entities defend against threats to the elements of the payment ecosystem.
The PCI DSS applies to all entities that store, process or transmit Cardholder Data (CHD) or Sensitive Authentication Data (SAD), and to any entity that could affect the security of a Cardholder Data Environment (CDE). These entities can be issuers, acquirers, merchants, processors and other service providers.
The term ‘cardholder data’ covers the cardholder name, Primary Account Number (PAN), service code and expiration date. The term ‘sensitive authentication data’ covers the card verification code, PIN and full track data. The term ‘account data’ means the PAN, any other cardholder data stored together with the PAN, and the sensitive authentication data.

If entities outsource their payment operations to third parties, they must ensure that the third party protects the account data as required by the PCI DSS. The PCI DSS applies as follows:
- Entities that store SAD must follow the applicable PCI DSS requirements.
- Entities that use third-party services to store, process or transmit PAN must still follow the applicable PCI DSS requirements.
- Entities that can impact the CDE, because their infrastructure can affect how cardholder data is processed, must follow the applicable PCI DSS requirements.
- If cardholder data is present only on manual media such as paper, the PCI DSS requirements for securing and disposing of manual media apply.
- The PCI DSS requirement for an incident response plan applies to all entities when handling cybersecurity incidents such as data breaches.
PCI DSS requirements
The PCI DSS is the global data security standard for payment card data, and it lists the following requirements:
- Develop and maintain a secure network and systems
  - Install and maintain a firewall configuration to protect cardholder data.
  - Never use vendor-supplied default passwords for systems and other security parameters.
- Protect cardholder data
  - Protect cardholder data when it is stored.
  - Encrypt cardholder data when transmitting it across open, public networks.
- Use vulnerability management software
  - Install and use antivirus software to protect all systems against malicious software.
  - Build and maintain secure systems and applications.
- Follow strict access control measures
  - Restrict access to cardholder data by business need-to-know.
  - Assign a unique ID to identify and authenticate each person with access to system components.
  - Restrict physical access to cardholder data.
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an information security policy
  - Maintain a policy that addresses information security for all employees and contractors.
PCI DSS compliance procedure
PCI DSS compliance is an ongoing process and involves a few steps. To obtain PCI DSS certification, entities have to follow this procedure:
1. First, identify all the possible issues that could pose a security risk to cardholder data. Analyse every process used for storing, processing and transmitting the data for vulnerabilities. If third parties are involved, they too have to be compliant. A thorough assessment will help you find all the possible vulnerabilities.
2. The Self-Assessment Questionnaire (SAQ) is a validation tool designed for merchants and service providers to evaluate their own PCI DSS compliance.
   The council has provided two types of experts to help you with PCI DSS assessments: Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
   - QSAs have trained personnel and processes to assess and validate your PCI DSS compliance.
   - ASVs offer commercial software tools along with analysis services to help you perform external vulnerability scans of your systems.
3. Scan your network with software tools that can analyse the infrastructure and find possible vulnerabilities.
   - Review and remediate the vulnerabilities found in the on-site assessment or self-assessment.
   - Classify your vulnerabilities to prioritise the order of remediation.
   - Apply fixes, patches and workarounds to unsafe processes and workflows.
   - Scan again to confirm that the remediation has actually been applied.
4. PCI DSS compliance requires regular reports, which have to be submitted to the acquiring banks and the payment card brands you use in your business. All service providers, merchants and processors are required to submit their reports quarterly. Smaller businesses can submit an annual attestation within the SAQ.
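The scan, classify, remediate and rescan loop in step 3 is easier to run consistently when the two scan results are compared mechanically rather than by eye. The Python below is an added example, not code from the original article or from any scanner vendor: it classifies findings by CVSS v3 qualitative rating, orders them for remediation, and compares a baseline scan with the rescan to report what was fixed, what persists and what is new. The hostnames, check identifiers and scores are constructed; the 4.0 CVSS failing threshold is the ASV scan pass/fail rule as assumed here, and should be confirmed against the current ASV Program Guide.

```python
from dataclasses import dataclass

# Assumption: an ASV external scan fails when any finding has a CVSS base
# score of 4.0 or higher (medium and above). Confirm against the current
# ASV Program Guide before relying on it.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str       # scanned asset (constructed hostnames below)
    check_id: str   # scanner check identifier (constructed, not a real plugin id)
    cvss: float     # CVSS base score reported by the scanner
    title: str


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order findings for remediation: highest CVSS first, then by host and
    check id so that the order is stable between runs."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.check_id))


def compare_scans(before: list[Finding], after: list[Finding]) -> dict:
    """Compare the baseline scan with the rescan taken after remediation.

    A finding is identified by (host, check_id); a changed CVSS score on the
    same check still counts as the same finding."""
    key = lambda f: (f.host, f.check_id)
    before_map = {key(f): f for f in before}
    after_map = {key(f): f for f in after}
    fixed = sorted(k for k in before_map if k not in after_map)
    persisting = sorted(k for k in before_map if k in after_map)
    new = sorted(k for k in after_map if k not in before_map)
    blocking = [f for f in after if f.cvss >= ASV_FAIL_THRESHOLD]
    return {
        "fixed": fixed,
        "persisting": persisting,
        "new": new,
        "passes": not blocking,          # rescan passes only if nothing blocks
        "blocking": prioritise(blocking),
    }


# Constructed scan results for the worked example.
BASELINE_SCAN = [
    Finding("web-01", "TLS-1.0-ENABLED", 5.3, "Server accepts TLS 1.0"),
    Finding("web-01", "OUTDATED-OPENSSL", 7.5, "OpenSSL version with known vulnerabilities"),
    Finding("db-01", "DEFAULT-CREDS", 9.8, "Vendor default credentials accepted"),
]

RESCAN = [
    Finding("web-01", "TLS-1.0-ENABLED", 5.3, "Server accepts TLS 1.0"),
    Finding("web-02", "SELF-SIGNED-CERT", 2.6, "Self-signed certificate"),
]


if __name__ == "__main__":
    print("Remediation order from baseline:")
    for f in prioritise(BASELINE_SCAN):
        print(f"  [{severity(f.cvss):8}] {f.host} {f.check_id}: {f.title}")
    report = compare_scans(BASELINE_SCAN, RESCAN)
    for label in ("fixed", "persisting", "new"):
        print(f"{label}: {report[label]}")
    print("rescan passes:", report["passes"])
```

On the constructed data the rescan shows the default credentials and the outdated OpenSSL fixed, the TLS 1.0 finding still present, and a new low-severity certificate finding; because the TLS 1.0 finding scores 5.3 the rescan still fails, which is exactly the case the "scan again" step exists to catch.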
Santosh Kumar, the author behind IndiasStuffs.com, is passionate about sharing valuable insights on a variety of topics, including lifestyle, technology, and Indian culture.
