We are all aware of internet banking, a technology that has made payment and funding so easy, fast and, above all, secure that large transactions can be made instantly, no matter when and where you are. The most important aspect that has made this technology so popular is the SECURITY it provides for each individual's transaction. The security of these transactions is governed by the PCI DSS.
The Payment Card Industry Data Security Standard is a worldwide accepted set of policies and procedures intended to provide and optimize security for credit, debit, cash card and other online transactions and to protect cardholders against misuse of their personal information. The PCI DSS was created jointly by Visa, MasterCard, American Express and Discover. It was defined by the Payment Card Industry Security Standards Council to emphasize protecting the personal information of cardholders and to reduce credit card fraud via its exposure.
The PCI DSS originally began as 5 different programs:
- Visa’s Cardholder Information Security Program
- MasterCard’s Site Data Protection
- American Express’ Data Security Operation Policy
- Discover’s Information Security & Compliance
- JCB’s Data Security Program
The PCI DSS Council was formed and on December 15th 2004 these companies aligned their individual policies and released version 1.0 of the PCI DSS. Later, versions 1.1, 1.2 (at which point 1.1 was sunsetted), 1.2.1 and 2.0 were also released. The current version, 3.0, was released in January 2014 and will remain in effect until 31st December 2016.
The PCI DSS has six major objectives:
- First, a secure network must be maintained in which transactions can be conducted. It involves the use of firewalls that are robust enough to be effective without causing gratuitous inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not be left at the defaults supplied by vendors. Customers should be able to change such data conveniently and frequently.
- Second, cardholder information must be protected wherever it is stored. Repositories with vital data such as dates of birth, mothers’ maiden names, Social Security numbers, phone numbers and mailing addresses should be secure against hacking. When cardholder data is transmitted through public networks, that data must be encrypted in an effective way. Digital encryption is important in all forms of credit-card transactions, but particularly in e-commerce conducted on the Internet.
- Third, systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might lead to exploits in which cardholder data could be stolen or altered. Patches offered by software and operating system vendors should be regularly installed to ensure the highest possible level of vulnerability management.
- Fourth, access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect them and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the trash.
- Fifth, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures. These programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently, if not continuously.
- Sixth, a formal information security policy must be defined, maintained, and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.
The objectives above are also the requirements of PCI DSS compliance.
The PCI DSS program particularly benefits Level 4 merchants, though all merchants are required to be compliant. Level 4 merchants are all merchants, regardless of acceptance channel, processing fewer than 20,000 MasterCard or Visa e-commerce transactions per year, and all other merchants processing up to 1 million MasterCard or Visa transactions per year. Customer card security is of great importance to merchants because their business depends on their reputation and integrity. Keeping cardholder data secure allows them to grow their business while maintaining their reputation by building the trust of the cardholder. It also benefits device vendors and manufacturers.
The PCI Security Standards Council has provided certain tools to assist organizations in validating their compliance, including Self-Assessment Questionnaires. The chart below shows some of the tools available to help organizations become PCI DSS compliant.
For device vendors and manufacturers, the Council provides the PIN Transaction Security (PTS) requirements, which contain a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Applications. The Council also provides training to professional firms and individuals so that they can assist organizations with their compliance efforts. The Council maintains public resources such as lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), and Approved Scanning Vendors (ASVs). Large firms seeking to educate their employees can take advantage of the Internal Security Assessor (ISA) education program.
But what is the need to comply with the PCI Security Standards?
- Compliance with the PCI DSS means that your systems are secure and the customers can trust you with their sensitive payment card information.
- If you succeed in building your customers' trust in you, they will feel secure and comfortable enough to use your services again and to recommend them to others.
- Compliance is an ongoing process and not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but even in future, since the PCI Council works constantly to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.
- When you stay compliant, you become a part of a united, global response to fight against payment card data compromise.
There are many indirect benefits of PCI DSS compliance too.
- Through the effort of complying with the PCI Security Standards, you will likely be better prepared to comply with other regulations such as HIPAA, SOX, etc.
- You would have a basis for a corporate security strategy.
The PCI DSS applies wherever account data is stored, processed or transmitted. Account data consists of the following cardholder information:
- The Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS. If the PAN is not involved in processing or a transaction, PCI DSS does not apply.
- If the cardholder name, expiration date or service code, or authentication data (CVC/CVV/CID, PINs/PIN blocks), are used in processing or a transaction, they must be protected according to the PCI DSS requirements.
The PCI DSS security requirements apply to all system components that are defined as any network component, server, or application that is included in or connected to the cardholder data environment. They also include any virtualized components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external applications.
The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:
- The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
- The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SSC scope confirmation activity. (REF: PCI DSS Council)
To conclude: if you want your business to grow securely and to win your customers' trust and confidence, become compliant with the PCI DSS and remove the breaches, fraud and distrust that stand in the way.