Goals and PCI DSS Requirements

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3. Protect stored data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security


PCI Standards Include:

PCI Data Security Standard:
The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If your business accepts or processes payment cards, it must comply with the PCI DSS.

PIN Entry Device Security Requirements:
PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions.

Payment Application Data Security Standard:
The PA-DSS is for software developers and integrators of applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties.

How to Comply with PCI DSS

The PCI Security Standards Council sets the standards for PCI security, but each payment card brand runs its own compliance program. Specific questions about compliance should be directed to your acquiring financial institution, which can also point you to the relevant card brand's program.

Qualified Assessors.
The Council provides programs for two kinds of certifications: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are companies that help organizations review the security of their payment transaction systems; they have trained personnel and processes to assess and validate compliance with PCI DSS and PA-DSS. ASVs perform the quarterly external vulnerability scans of Internet-facing systems that PCI DSS Requirement 11.2 calls for. Additional details can be found on the Council's Web site at: www.pcisecuritystandards.org.

Self-Assessment Questionnaire.
The “SAQ” is a validation tool for merchants and service providers who are not required to undergo an on-site assessment for PCI DSS compliance. Different SAQs are specified for different business situations; more details can be found on the Council's Web site at: www.pcisecuritystandards.org, or contact your acquiring financial institution to determine whether, and which, SAQ you should complete.

Payment Application Data Security Standard for Developers
The PA-DSS minimizes vulnerabilities in payment applications. Its goal is to ensure that payment applications do not store prohibited data such as full magnetic stripe data, card validation codes, or PINs, and that they can be deployed in a PCI DSS compliant manner. PA-DSS covers commercial payment applications, their integrators, and service providers. Merchants and service providers should use validated payment applications and should check with their acquiring financial institution to understand requirements and associated timeframes for compliance.

PIN Entry Device (PED) Security Requirements for Manufacturers
This standard, referred to as PED, applies to companies that make devices accepting personal identification number (PIN) entry for PIN-based transactions. Merchants and service providers should use approved PED devices and should check with their acquiring financial institution to understand requirements and associated timeframes for compliance.

Technical Guidelines for Stored Payment Card Data

PCI DSS Requirement 3 details technical guidelines for protecting stored cardholder data. Merchants and service providers should develop a data retention and disposal policy that strictly limits the amount of data stored and its retention time to what is required for business, legal, and/or regulatory purposes.

Sensitive authentication data must never be stored after authorization, even if it is encrypted. Sensitive authentication data means full track data, the card validation code or value, and the PIN or PIN block:

Never store the full contents of any track from the card’s magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholder’s name, PAN, expiration date, and service code may be stored, provided they are protected in accordance with PCI DSS requirements.

Never store the card validation code or value (the three- or four-digit number printed on the front or back of a payment card, used to validate card-not-present transactions).

Never store the personal identification number (PIN) or the encrypted PIN block.

Separately from what is stored, mask the PAN whenever it is displayed: the first six and last four digits are the maximum that may be shown. This display requirement does not apply to personnel with a legitimate, authorized need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data, such as on a point-of-sale receipt. Masking for display is distinct from rendering the stored PAN unreadable, which Requirement 3.4 covers.

Technical Guidelines for Protecting Stored Payment Card Data

At a minimum, PCI DSS Requirement 3.4 requires the PAN to be rendered unreadable anywhere it is stored, including on portable digital media and backup media and in logs. Acceptable methods include any of the following:

One-way hash functions based on strong cryptography – the hash must be computed over the entire PAN. Note that the set of valid PANs under a given issuer prefix is small enough to enumerate, so an unkeyed, unsalted hash of a PAN can be brute-forced, and a hashed PAN must not be stored alongside a truncated or masked copy of the same PAN that narrows the search further. (A “hashed index”, by contrast, stores only an index value that points to the record where the sensitive data actually reside.)

Truncation – storing only a segment of the PAN, such as the last four digits, so that the full PAN cannot be reconstructed from what is kept. Truncation is a storage method; masking is a display method.

Index tokens and securely stored pads – the PAN is replaced by an index value (token), and a random key or “pad” that is used only once is combined with the plaintext; the pad must itself be securely stored and protected, since whoever holds it can recover the PAN.

Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of “strong cryptography.”

Some cryptographic solutions encrypt specific fields of information stored in a database; others encrypt a single file or even the entire disk where the data are stored. If full-disk encryption is used, logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases), and decryption keys must not be tied to user accounts. Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse. All key management processes and procedures for keys used for encryption of cardholder data must be fully documented and implemented. For more details, see PCI DSS Requirement 3.
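The following Python is an added example; it is not code from the original page or from the PCI Security Standards Council. It ties together the masking rule above (first six and last four digits on display) and the storage methods just listed: truncation, a one-way hash of the entire PAN, and a keyed hash as one way to apply strong cryptography. The sample PAN is a constructed test number, the secret key names are hypothetical, and the brute-force step exists to show why an unsalted hash of a PAN must not sit beside a masked or truncated copy of the same PAN: the mask leaves only the middle digits unknown, and the Luhn check digit fixes one of those.

```python
"""Added example (not from the original page or the PCI SSC): PAN masking,
truncation, an unsalted hash, and its recovery from a masked copy; then a
keyed hash that the same search cannot reverse without the key."""
import hashlib
import hmac
import itertools
from typing import Callable, Optional

SAMPLE_PAN = "4111111111111111"   # constructed, Luhn-valid test PAN; not a real card


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by the page's masking rule: first six, last four."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation: only the last four digits are kept, nothing else."""
    return pan[-4:]


def unsalted_hash(pan: str) -> str:
    """One-way hash of the entire PAN with no key or salt."""
    return hashlib.sha256(pan.encode()).hexdigest()


def make_keyed_hash(key: bytes) -> Callable[[str], str]:
    """HMAC-SHA-256 over the PAN. `key` is a hypothetical secret that must be
    managed like an encryption key and never stored beside the hashes."""
    return lambda pan: hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def luhn_missing_digit(pan_with_hole: str) -> str:
    """Return the single digit that makes a PAN containing one '?' Luhn-valid.
    Each position maps digits to contributions bijectively mod 10, so exactly
    one digit works; this is why a hidden digit costs the attacker nothing."""
    hole = pan_with_hole.index("?")
    total = 0
    for i, ch in enumerate(reversed(pan_with_hole)):
        if ch == "?":
            continue
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    hole_from_right = len(pan_with_hole) - 1 - hole
    for d in range(10):
        v = d
        if hole_from_right % 2 == 1:
            v = d * 2 - 9 if d > 4 else d * 2
        if (total + v) % 10 == 0:
            return str(d)
    raise AssertionError("unreachable: Luhn always admits one digit")


def recover_pan_from_masked(masked: str, target: str,
                            hash_fn: Callable[[str], str] = unsalted_hash) -> Optional[str]:
    """Brute-force the digits hidden by the mask. A 16-digit PAN hides six
    digits; Luhn fixes one, so only 10**5 candidates are hashed. Returns None
    when nothing matches, e.g. the hash was keyed and we hold the wrong key."""
    first6, last4 = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for guess in itertools.product("0123456789", repeat=hidden - 1):
        hole = first6 + "".join(guess) + "?" + last4
        candidate = hole.replace("?", luhn_missing_digit(hole))
        if hash_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print("masked:", masked, " truncated:", truncate_pan(SAMPLE_PAN))
    print("unsalted hash recovered:",
          recover_pan_from_masked(masked, unsalted_hash(SAMPLE_PAN)))
    keyed = make_keyed_hash(b"server-side-secret")(SAMPLE_PAN)   # hypothetical key
    print("keyed hash recovered with wrong key:",
          recover_pan_from_masked(masked, keyed, make_keyed_hash(b"attacker-guess")))
```

The keyed variant only helps if the key is handled under the same key-management controls the page describes for encryption keys; a key stored in the same database as the hashes gives the attacker exactly the function they need to repeat the search.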

Protect Stored Cardholder Data

Use Encryption
Encrypted data is unreadable and unusable to an intruder without the proper cryptographic keys. See the PCI DSS Glossary for more information: www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf

Use Other Measures
Do not store cardholder data unless there is a legitimate business need; truncate or mask cardholder data if the full PAN is not needed; and do not send the PAN in unencrypted e-mail, instant messages, chats, or similar channels.

Use Compensating Controls as Alternatives
If stored cardholder data cannot be encrypted, consult PCI DSS Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet.

Verify 3rd Party Compliance
Use approved PIN entry devices and validated payment applications; the PCI Security Standards Council publishes lists of both.



Copyright © 2010 getPCICertified.com