No business that processes card payments can afford to ignore its obligations under the PCI DSS.
Achieving and maintaining PCI DSS compliance is not easy, particularly for organisations without a dedicated security team. This blog gives an overview of the standard and provides guidance for businesses looking to assess, review and improve their security posture in line with PCI requirements.
What is PCI DSS?
The Payment Card Industry Data Security Standards (PCI DSS) is a set of technical and organisational requirements designed to help businesses protect customers’ cardholder data against fraud through robust payment security.
PCI DSS applies to all organisations that store, process and transmit cardholder data (CHD) and/or sensitive authentication data (SAD). CHD includes account numbers, cardholder names, expiration data and service codes. SAD includes magnetic strip data, pin numbers and security codes.
PCI DSS is enforced by the founding members of the PCI Council: American Express, Discover Financial Services, JCB, MasterCard and Visa. Organisations deemed to have failed to take appropriate actions towards achieving compliance are liable to receive a fine and in serious cases, banking services could be withdrawn.
PCI DSS levels
Understanding how the PCI DSS applies to an organisation can be a challenge. As a general rule, all organisations that accepts payment cards from any the PCI founding members is a merchant.
Merchants fall into one of four levels, based on the volume of card data they transact:
Level 4: Merchants processing under 20,000 transactions a year.
Level 3: Merchants processing between 20,000 and 1 million transactions a year.
Level 2: Merchants processing between 1 and 6 million transactions a year.
Level 1: Merchants processing over 6 million card transactions a year.
Merchant level categorisation determines the minimum standards an organisation is expected to achieve for PCI compliance. All level 1 merchants are required to undergo an annual onsite assessment, while level 2, 3 and 4 merchants will have to complete a Self-Assessment-Questionnaire (SAQ).
PCI SAQ types
There are eight main SAQ types and it is important to choose the most appropriate for the payment scenario in question.
For card-not-present merchants that have fully outsourced to a PCI DSS validated third party and do not process data in house.
PCI SAQ A-EP
For ecommerce merchants that have fully outsourced to a PCI DSS validated third party, with websites that do not receive cardholder data directly but can impact transaction security.
PCI SAQ B
For merchants using imprint machines with no electronic cardholder data storage and no electronic cardholder data storage.
PCI SAQ B-IP
For merchants using only payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
PCI SAQ C
For merchants with payment application systems connected to the Internet that electronically store cardholder data.
PCI SAQ C-VT
For merchants who enter transactions via keyboard into virtual terminals hosted by a PCI DSS validated third party, with no electronic cardholder data storage.
PCI SAQ P2PE
For merchants using hardware payment terminals that are managed via a validated, PCI SSC validated point-to-point encryption solution, with no electronic cardholder data storage.
PCI SAQ D
For merchants not covered by any other SAQ type.
PCI compliance checklist
There are twelve key PCI DSS requirements, split across six core objectives. PCI DSS requirements apply to all system components that are connected to an organisation’s Cardholder Data Environment (CDE). The CDE encompasses all people, processes and technologies that store, process, or transmit cardholder and sensitive authentication data.
The core PCI requirements are detailed in the PCI compliance checklist below.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
PCI DSS solutions
To help your organisation meet its compliance needs, Redscan offers a range of specialist PCI DSS services. These include:
PCI DSS log management and monitoring
ThreatDetect™, Redscan’s Managed Detection and Response service, can help your organisation track and monitor access to network resources and cardholder data in order to achieve compliance with PCI DSS requirements 10 & 11. ThreatDetect provides:
• Aggregation, analysis, correlation and archiving of log data sources and events
• Resource tracking and monitoring
• Intrusion detection
• Continuous user authentication monitoring
• Regular vulnerability scanning
• PCI DSS compliance reporting
PCI DSS penetration testing
Requirement 11 of the PCI DSS outlines the need for organisations to perform internal and external penetration testing at least annually, or after any significant changes to network infrastructure. A PCI pen test will help to identify:
• Unsafe system and network configurations
• Improper access controls
• Rogue wireless networks
• Common coding vulnerabilities such as cross-site scripting (XSS) and SQL injection
• Broken authentication and session management
• Encryption flaws
Call upon a highly-qualified and experienced security professional to support your PCI DSS requirements. By acting as an extension of you team, a Redscan Virtual CISO can help to assess cyber-risk plus develop and implement the policies, procedures and controls needed to achieve PCI compliance.
Why trust Redscan for PCI compliance?
As an award-winning provider of managed security, consultancy and penetration testing services, Redscan is well placed to help your organisation better understand its PCI obligations and implement appropriate controls to achieve compliance.
Trust our offensive security experts to work as an extension of your in-house team and help make, lasting improvements to your cyber security posture.