The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for those handling smaller volumes.
Instead has experts in the PCI DSS field who can provide organizations with flexible and tailored PCI DSS consultancy services to meet the requirements of your compliance process without paying for the time of a qualified assessor.
Instead provides consultancy for both Merchants and Service Providers, defined under the Standard as:
- Merchant: any entity that accepts payment cards (Visa, MasterCard, American Express, Discover or JCB) as payment for goods and/or services.
- Service provider: a business entity (not a card brand or merchant) directly involved in the processing, storage, transmission, and switching of transaction or cardholder data (e.g. payment processor), or an entity which provides services to merchants (e.g. managed service providers, hosting providers.)
PCI DSS Requirements*:
firewall examines network traffic and blocks transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks: e-commerce, employee Internet access, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources.
vendor default passwords and other vendor default settings are well known by hacker communities and are easily determined via public information.
protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should also be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending unprotected PANs using end-user messaging technologies, such as e-mail and instant messaging.
sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.
malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business-approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.
unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
to ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.
assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. It refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises.
logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.
a strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are “resident” on the entity’s site or otherwise have access to the cardholder data environment.
*exctracted from PCI DSS 3.0