A Quick Intro to PCI Compliance
Sunday, March 7, 2010
(Members Only Software, Inc.)
What is PCI?
PCI (Payment Card Industry) is the association of the major credit card brands; its standards body is the PCI Security Standards Council. The PCI DSS (PCI Data Security Standard) is a list of twelve security requirements this group has issued that merchant account holders are required to meet.
To whom do these standards apply?
According to the standard, "PCI DSS
requirements are applicable if a Primary Account Number (PAN) is stored,
processed or transmitted." In other words,
if you ever send a credit card number through to the bank for
processing, you've got to pass muster.
Who monitors my compliance?
Your compliance with these standards is monitored by your "acquirer" -- the company at the other end of your credit card validation software or device. For MasterCard and Visa, this is your bank or credit card processor. For American Express and Discover, it is the card brand itself. The largest credit card merchants are required to submit a detailed Report on Compliance, prepared by a qualified assessor, in order to verify compliance. But most organizations can simply fill in a self-assessment questionnaire (SAQ) and an attestation of compliance.
Is anyone actually paying attention?
While many organizations have just heard rumbles about PCI in their business communities, other organizations we work with have been told by their banks that they are out of compliance. This can lead to fees, fines, and at worst the loss of your merchant account. If you do have an incident in which cardholder data is compromised, you will almost certainly be deemed out of compliance at that point. And the number of these incidents is increasing. You owe it to your organization's donors, supporters, and customers to protect the information they've entrusted to you.
The biggest misconception we see among our clients is the idea that if they are using the right credit card processing system or software, they are compliant. Of course there are requirements that payment applications must meet. These comprise a second standard known as PA-DSS (Payment Application Data Security Standard). Failure to use secure software is a sure path to non-compliance. But using a compliant payment application is not enough to guarantee that you, the merchant, are yourself compliant. Every system that stores, processes or transmits cardholder data, and every system connected to it, comes under the purview of PCI DSS.
How do credit card thefts occur?
- More than half of all such incidents are inside jobs by employees or business partners.
- More than half involve the theft of data that was not known to be on the system.
- More than half are not technologically sophisticated operations.
Goal | Requirements
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors.
PCI Security Requirements in detail:
The chart above gives you a sense of the range of issues the standard covers. But this is just, in effect, a table of contents to the standard. The full standard goes into significant detail under each one.
Let's look at one example. Requirement #1 reads "Install and maintain a firewall configuration to protect cardholder data." You might think the fact that you have an industry standard firewall product installed gets you a pass on this one. But that is just the starting point. The requirements ask for:
- A written policy on how any change to the router or firewall configuration is approved and made.
- A network diagram that shows all connections and all devices, and a process to make sure the diagram is kept up to date.
- Documentation of the business case for every port that is open and every protocol that is in use.
- A formal review of all firewall and router rule sets at least every six months.
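The last two items can be checked mechanically at each review rather than by reading the rule set by eye. The following is an added example, not code from the original article or from the PCI Council: it parses a constructed `iptables-save` style dump of the INPUT chain, collects the ports the chain accepts, and compares them with a constructed table of documented business justifications. Open ports with no justification are the non-compliance finding; documented ports that are no longer open show the documentation itself is stale. The rule set, the `DOCUMENTED` table and the function names are assumptions for illustration; a real review would feed in the live firewall export and the organization's own port documentation.

```python
"""Review a firewall rule set against documented port justifications
(PCI DSS Requirement 1).  Added example; not part of the original article.
RULESET and DOCUMENTED are constructed for illustration.
"""
import re

# Constructed iptables-save style export of the INPUT chain.
RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
COMMIT
"""

# Constructed documentation: (protocol, port) -> business justification.
DOCUMENTED = {
    ("tcp", 443): "HTTPS for the donation and payment web front end",
    ("tcp", 22): "SSH administration from the office network only",
    ("udp", 161): "SNMP polling by the monitoring server",
    ("tcp", 3306): "MySQL from the web tier (service retired 2009-11)",
}

# One INPUT rule with a protocol, a destination port and a target.
_RULE = re.compile(
    r"^-A INPUT .*?-p (?P<proto>tcp|udp) .*?--dport (?P<port>\d+) .*?-j (?P<target>\w+)"
)


def open_ports(ruleset: str):
    """Return the set of (proto, port) that the INPUT chain ACCEPTs.
    Rules without a destination port (e.g. the ESTABLISHED rule) and rules
    whose target is not ACCEPT are ignored."""
    opened = set()
    for line in ruleset.splitlines():
        m = _RULE.match(line)
        if m and m.group("target") == "ACCEPT":
            opened.add((m.group("proto"), int(m.group("port"))))
    return opened


def review(ruleset: str, documented: dict):
    """Return (undocumented, stale): accepted ports that have no written
    business case, and documented ports that are no longer accepted."""
    opened = open_ports(ruleset)
    known = set(documented)
    undocumented = sorted(opened - known)
    stale = sorted(known - opened)
    return undocumented, stale


if __name__ == "__main__":
    undocumented, stale = review(RULESET, DOCUMENTED)
    for proto, port in sorted(open_ports(RULESET)):
        print(f"{proto}/{port}: {DOCUMENTED.get((proto, port), 'NO BUSINESS CASE ON FILE')}")
    print("undocumented open ports:", undocumented)
    print("documented but closed (update the documentation):", stale)
```

In the constructed data telnet (tcp/23) is accepted but has no justification on file, which is what the six-monthly review exists to catch, while the MySQL entry documents a port that is no longer open and should be removed from the documentation. Keeping the justification table in version control alongside the exported rule set also gives you the change-approval trail the first bullet asks for.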
How can you find out the full extent of the PCI requirements? The PCI Security Standards Council site is full of information about the standard and compliance testing. A good starting point is "Navigating PCI DSS", a fifty-page introduction to the terms of the standard and the meaning and intent of each clause. It's the best thing to read if you want a complete explanation of the data security standard.
The full PCI DSS specification can be downloaded from the same site, and when you are ready, so can the self-assessment questionnaire.
If you want to learn all there is to know about PCI, you can attend a two-day seminar given by the PCI Council. We took it and found it invaluable.
Members Only Software Consulting Services
We've spent a lot of time, in class and on-line, developing an understanding of PCI DSS. Call and engage us for consultation on your information security! Just send us an email to start the process!