SUMMARY OF THE 12 PCI REQUIREMENTS
Securing and Protecting Cardholder Information is the main role of the PCI (Payment Card Industry) Security Standards Council.
The PCI Security Standards Council was founded in September, 2006 by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. It is "an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection." -- This is from the PCI Security Standards Council web page. Membership on the council is open to issuers, merchants and vendors.
The PCI Data Security Standard (DSS) is a list of 12 requirements organized in 6 areas/objectives. These security standards apply to all system components that store, process or transmit cardholder data.
A. Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Key Message: Properly segment your network, and protect network segments that store, process or transmit cardholder data. This includes not only the network segments from an enterprise level — but at each retail site. To properly segment and protect the network segments, firewalls must be implemented. The firewall rule set should have a business rule for every service, port and action configured.
B. Protect Cardholder
3. Data Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Key Message: Never store Track data (Mag Stripe), Security Code (CVC2/CVV2/CID) or PIN/PIN Block after authorization. Minimize storage of other card related data. The PAN (Primary Account Number) can be stored for business reasons if encrypted properly. Cardholder data must be encrypted when transmitted across public networks. Under PCI, Wireless networks are treated as public networks and must have appropriate encryption transmission and firewalled segmentation.
C. Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Key Message: Execute effective security practices on all applications and infrastructure. Assign someone the explicit responsibility for keeping security patches and anti-virus capability up to date on all computers – headquarters and at site.
D. Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Key Message: Ensure support access is configured appropriately with appropriate logging. This must be established and reviewed by POS, back office, 3rd party Help Desk, and any other support providers.
E. Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Key Message: Hire an Approved Scanning Vendor to periodically perform intrusion detection tests on your networks. Ensure appropriate logging of access to all systems processing, storing, or transmitting cardholder data.
F. Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Key Message: Document and share a security policy. It must be viewed as the way of doing business. Develop and maintain an explicit documented security review process that is audited periodically (e.g. quarterly).
Merchants engage an authorized assessor (Qualified Security Assessor (QSA)) to review and assess the merchant to ensure that they comply with all 12 requirements. A Report on Compliance (ROC) is produced by the auditor. The ROC is provided to the Sponsoring Bank who passes this along to Visa & MasterCard.
Visa has also implemented a Payment Application Best Practice — PABP program. Visa highly recommends that all Payment Applications (including POS and any other equipment processing payments) go through a PABP audit, with an approved auditor, to obtain validation for their application. Visa has a website that lists validated payment applications.
The PABP is basically a subset of the PCI DSS requirements that are specific to a payment application (as opposed to the entire payment network/system components).
Tip: When a merchant is going through their PCI DSS compliance validation, each type of POS used by that merchant will need to be reviewed. If the POS has been through a PABP, the auditor reviews their findings in the merchant's environment. If the POS has not been through a PABP assessment, the auditor will need to in a sense — perform the PABP, on behalf of the merchant, in order to complete the merchant's audit.
Tip: PCI Auditors also highly recommend that all POS devices connected to a merchant's network have been PABP validated. It is believed that the PABP program will roll under the PCI Standards Council and will become a requirement in the near future.
Tip: Key items that are looked at under the PABP relate to Protecting Cardholder Data and Implementing strong access control measures. Additionally, the application must work appropriately in a secure environment.