Understanding the Payment Card Industry Data Security Standard (PCI DSS): Part 1
Adewale Adeife, CISM
Cyber Risk Management and Technology Consultant || GRC Professional || PCI-DSS Consultant || I help keep top organizations, Fintechs, and financial institutions secure by focusing on People, Process, and Technology.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, compliance is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long-lasting and trusting relationships with their customers.
Common terminology in PCI DSS
PAN
Primary Account Number. The PAN is a unique number; no two cards share the same PAN. The PAN identifies the issuer of a particular card. It is a 16-digit number.
Track Data
This is also called magnetic stripe data and is encoded in the magnetic stripe or chip. This data is used for authentication and authorization during a PAN transaction.
SAD (Sensitive Authentication Data)
This is security-related information, including the Card Validation Value (CVV) and track data, which is used for authentication and authorization. SAD must never be stored after a transaction.
Cardholder Data
Cardholder data includes the full PAN, cardholder name, expiration date or service code.
Account Data
It consists of cardholder data and sensitive authentication data.
Merchant
An entity that accepts payment cards bearing the logo of any of the 5 members of the PCI SSC.
Members of the PCI SSC include Visa, American Express, JCB, Mastercard and Discover.
Service provider
This is a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity, e.g. MSSPs, hosting providers, etc.
Acquirer
Also referred to as an acquiring bank, merchant bank, or acquiring financial institution, this is an entity that processes payment card transactions for a bank.
Issuer
This is an entity that issues payment cards or performs or facilitates issuing services, including but not limited to issuing banks and processors.
FIM (File Integrity Monitoring Solution)
A FIM solution is a technology that monitors files or logs to detect whether they are modified. In the event that they are modified, the FIM solution generates an alert and sends it to the appropriate security personnel.
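To make the FIM definition concrete, here is a minimal baseline-and-compare checker added as an illustration (it is not code from the article or from any FIM product). It hashes every file under a directory to build a trusted baseline, re-hashes later, and reports the three kinds of change a FIM alerts on: modified, deleted and added files. The directory contents and the changes made to them are constructed inside the script so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root: the trusted state."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify each difference the way a FIM would classify an alert."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "deleted": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def alerts(diff: dict) -> list:
    """Turn the diff into the messages that would be sent to security personnel."""
    return [f"FIM ALERT: {kind} {name}" for kind, names in diff.items() for name in names]


def demo() -> dict:
    # Constructed sample: a temporary "config" directory stands in for the monitored files.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("log_level=info\n")
        (root / "users.db").write_text("alice\n")
        baseline = build_baseline(root)
        # Simulate what the FIM observes on its next pass: an edit, a deletion, a new file.
        (root / "app.conf").write_text("log_level=debug\n")
        (root / "users.db").unlink()
        (root / "dropped.sh").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    for line in alerts(result):
        print(line)
```

A real deployment would store the baseline somewhere the monitored host cannot alter it and would also track ownership and permissions, not only content hashes; the structure of baseline, re-scan and classified alert is the same.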
IDS/IPS
An intrusion detection system (IDS) is a security tool or software application that monitors network or system activities for malicious activity or policy violations. An IDS can detect and alert administrators or security personnel about suspicious behavior or potential security breaches. An intrusion prevention system (IPS) takes the additional step of blocking and preventing the intrusion attempt.
Multi-Factor Authentication
This is a form of authentication hardening in which more than one factor is used to verify a user's identity when logging into a system. The factors can be the following:
* Something the user has such as tokens
* Something the user knows such as a password, PIN, and passphrase
* Something the user is such as fingerprints and face IDs.
Scoping
Scoping refers to the process of identifying all system components, people, and processes to be included in the PCI assessment.
Network Segmentation
Also referred to as segmentation or isolation, this is the process of separating systems that store, process, or transmit cardholder data from systems that do not. When performed appropriately, it reduces the scope of the CDE and of the PCI assessment.
Untrusted Network
This refers to any network that is external to the network belonging to an organization. These are networks outside the organization's ability to control, access, or manage.
Non-Console Access
This refers to logical access to a system or a network interface rather than physical access.
Non-Consumer User
This refers to users, other than cardholders, who access cardholder data, e.g. employees of the entity and card administrators.
POI (Point of Interaction)
It is the initial point where data is read from a card.
Encryption
The process of converting information into an unreadable form except for holders of a specific cryptographic key. Converting it to a readable format is known as decryption.
Truncation
Truncation is a method of rendering the full PAN unreadable wherever it is stored, e.g. in files and databases.
Masking
Masking is the process of concealing a segment of data when it is displayed or printed. It is a form of protection for the PAN.
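The PAN, truncation and masking definitions above come together in the following added example (it is not code from the article). It shows the difference between truncation (digits are removed before storage) and masking (digits are hidden only for display), and uses both to audit constructed log lines for full PANs that should not be there, since PAN leaking into application logs is one of the most common ways account data ends up stored outside the CDE. Assumptions: PANs are handled as plain digit strings, the truncation format keeps the first six and last four digits, and the Luhn check is used only to reduce false positives on other 16-digit numbers; the log lines and card numbers are constructed test values.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation (storage): keep first six and last four, the middle digits are discarded."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking (display): the full PAN still exists, only the last four are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


# A run of 13 to 19 digits not adjacent to other digits (timestamps, amounts are shorter).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_pans(text: str) -> list:
    """Return digit runs in text that look like a PAN and pass the Luhn check."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def scrub_line(line: str) -> str:
    """Rewrite a log line so any detected PAN appears only in masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_valid(m.group(1)) else m.group(1), line
    )


def audit(lines) -> list:
    """List (line number, truncated PAN) for every full PAN found.

    The finding itself records only the truncated form, so the audit report
    does not become another place where full PANs are stored."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, truncate_pan(pan)))
    return findings


# Constructed sample log: two well-known test card numbers and one order id
# that is 16 digits long but fails Luhn, so it must not be reported.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO auth ok card=4111111111111111 amount=19.99",
    "2024-05-01T10:00:02Z INFO order 1234567890123456 shipped",
    "2024-05-01T10:00:03Z INFO auth ok card=5555555555554444 amount=5.00",
]

if __name__ == "__main__":
    for n, truncated in audit(SAMPLE_LOG):
        print(f"line {n}: full PAN present, truncated form {truncated}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

Note that the truncated form (first six plus last four) and the masked form (only last four visible) are both shorter than 13 digits, so neither is picked up by the scan again; that is the property that makes them safe to keep in files, databases and reports.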
Bilingual Information Security Auditor & GRC Specialist | Helping Businesses Manage Risk, Strengthen Security, and Navigate Compliance Efficiently
2 months ago: This is great information. I think that you might like this https://www.dhirubhai.net/posts/cesarmmora_pci-dss-simplified-activity-7274506411449991170-x-As?utm_source=share&utm_medium=member_ios
NOC Engineer at TPLEX
4 months ago: Very informative
Expertise in Security Operations, Risk Management & Facility Protection | Business Administration & Security Management | Skilled in Budget Control, Administrative Management & Security Technology
8 months ago: Thanks, the article is completely clear
Cybersecurity/Information Security Analyst | CompTIA Security+
8 months ago: Thank you!
CyberSecurity/GRC Analyst | IT Risk & Compliance Specialist | PCI-DSS, SOX/GDPR, and NIST Expert | IT Audit Specialist
8 months ago: Education and awareness is key and I am huge on that. All employees have to be aware that these bad actors are always looking for ways for you to click on that phishing email. Be alert and on your A-game always