Week 40: PCI DSS

In the last two weeks, we’ve looked at ISO 27001 as well as the CIS Controls. Today we’ll focus on the Payment Card Industry Data Security Standard (a.k.a. PCI DSS).

(Note: This article will not help you achieve compliance, but rather give you an overview of the key points).

Let’s answer the first question that’s probably looming in your head: “What is PCI DSS? And who oversees its enforcement?”

Adhering to PCI DSS implies compliance with a set of policies that aim to protect sensitive data (don’t worry if this sounds vague, we’ll expand on this shortly). Since the early 2000s, any and all organizations that process, store, or transmit credit, debit, or even prepaid card data have been expected to meet its requirements, a response to the surge in the number of breaches (according to this pdf from PCI, PrivacyRights.org found that between 2005 and 2018 more than 10.9 billion records were disclosed). The standard consists of 12 requirements (containing more than 300 sub-requirements) and was created by the following members – American Express, Visa, Mastercard, Discover, and JCB.

(Note: While not a law, PCI DSS can be enforced contractually through continuous assessments and audits. You can download the latest version as well as other documents and templates related to the standard here).

What are the benefits of PCI DSS compliance?

  • Enhanced security by addressing aspects such as, but not limited to, access control (including Multi-Factor Authentication (MFA)) and encryption of data both at rest and in transit, thus reducing the attack surface.
  • Complying with PCI DSS means complying with a global standard, thus increasing trust amongst customers.
  • Reduction of the costs that would be incurred should a risk materialize.
  • While complying with this standard, you’ll also be meeting overlapping requirements from frameworks like ISO 27001 and GDPR.

What are the common challenges around PCI compliance?

  • It’s quite technical.
  • Organizations frequently struggle to identify which systems deal with cardholder data.
  • Ensuring third-party compliance is a challenge.
  • Adequately completing the corresponding SAQ (defined below) can be a daunting task.

Now let’s circle back to the question, “What is sensitive data according to PCI DSS?”

PCI DSS divides it into the following two categories:

Cardholder data:

  • Primary Account Number (PAN): This is usually 16 digits long. It is a unique number that identifies the issuer and the cardholder’s account.
  • Full name: This refers to the cardholder’s name.
  • Expiration date: This states the month and the year in which the card will expire.
  • Service code: PCI defines this as, “Three-digit or four-digit value in the magnetic-stripe that follows the expiration date of the payment card on the track data. It is used for various things, such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.”

Sensitive Authentication Data (SAD):

  • Full track data: This refers to the data within the card’s magnetic stripe or the chip.
  • Card verification code: This can sometimes be referred to as CAV2, CVC2, CVN2, CVV2, or CID. It is a 3- or 4-digit security code, usually printed on the card, and is required for online purchases.
  • Personal Identification Number (PIN): This refers to the unique 4-digit number that allows withdrawals and/or other operations at an ATM.

(Note: Under PCI DSS it is not permitted to store SAD (even if encrypted) after authorization).

Figure 1: Where are cardholder data and sensitive authentication data located on the card?

What is the first thing I need to know about PCI DSS compliance?

(Note: It’s important that you familiarize yourself with the following concepts and acronyms:

  • Report on Compliance (ROC): a tool used to document an entity’s assessment result. It needs to be completed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). A QSA is a company qualified by PCI to assess whether the organization in question is adhering to the requirements set forth by the standard. An ISA also needs to be recognized by PCI but is an internal assessor employed by the organization being “assessed”.
  • Self-Assessment Questionnaire (SAQ): another tool to document an entity’s result, but one that is signed by an officer from within the organization.
  • Approved Scanning Vendor (ASV): the party responsible for conducting the external vulnerability scan. You can find the list of ASVs here).

There are 4 levels of PCI compliance based on the number of card transactions processed (Figure 2).

Figure 2: The different levels of PCI DSS compliance, their description, and the annual validation criteria for each.

(Note: The SAQ or ROC should be completed once a year or whenever significant changes occur. You can find more information about these here).

So, what are the different types of SAQs?

A

Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises.

Not applicable to face-to-face channels. Not applicable to service providers.

A-EP

E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises.

Applicable only to e-commerce channels. Not applicable to service providers.

B

Merchants using only:

  • Imprint machines with no electronic account data storage, and/or
  • Standalone, dial-out terminals with no electronic account data storage.

Not applicable to e-commerce channels. Not applicable to service providers.

B-IP

Merchants using only standalone, PCI-listed approved PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. No electronic account data storage.

Not applicable to e-commerce channels. Not applicable to service providers.

C-VT

Merchants who manually enter payment account data one transaction at a time via a keyboard into a PCI DSS validated and compliant third-party virtual payment terminal solution, using an isolated computing device and a securely connected web browser. No electronic account data storage.

Not applicable to e-commerce channels. Not applicable to service providers.

C

Merchants with payment application systems connected to the Internet, and no electronic account data storage.

Not applicable to e-commerce channels. Not applicable to service providers.

P2PE

Merchants using only a validated, PCI-listed Point-to-Point Encryption (P2PE) solution. No access to clear-text account data and no electronic account data storage.

Not applicable to e-commerce channels. Not applicable to service providers.

SPoC

Merchants using a commercial off-the-shelf mobile device (for example, a phone or tablet) with a secure card reader included on PCI SSC’s list of validated SPoC Solutions. No access to clear-text account data and no electronic account data storage.

Not applicable to unattended card-present, mail-order/telephone-order (MOTO), or e-commerce channels.

Not applicable to service providers.

D

SAQ D for Merchants: Merchants not included in descriptions for the above SAQ types. Not applicable to service providers.

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.

What are the 12 PCI DSS requirements?

  1. Install and maintain Network Security Controls (NSC): NSCs are policy enforcement points that control internal (including between network segments or subnets) and external traffic based on previously defined rules. Examples include VPNs and firewalls. This requirement mandates that the services, protocols, and/or ports that allow ingress traffic be identified and approved.
  2. Apply secure configurations to all system components: This requirement mandates reviewing and, if necessary, changing default configurations such as passwords. Additionally, it calls for disabling or removing any software, account, or function deemed unnecessary.
  3. Protect stored account data: Under this requirement, organizations must render stored cardholder data unreadable, for example by encrypting it, to protect it against unauthorized access. Other recommended protections include data masking and data hashing.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks: This requirement emphasizes the need for cryptography to protect the confidentiality and integrity of data in transit.
  5. Protect all systems and networks from malicious software: This requirement highlights the need to ensure that anti-malware software is regularly updated and used wherever possible to reduce the risk of a compromise.
  6. Develop and maintain secure systems and software: This requirement echoes the GDPR principle of security by design. It insists on factoring in security during the early development stages and on the importance of maintaining (including updating) systems as well as applications. This reduces the likelihood of cyber threat actors (CTAs) exploiting vulnerabilities.
  7. Restrict access to system components and cardholder data by business need to know: This requirement is key to preventing unauthorized access. It emphasizes the principle of least privilege. In other words, only the individuals who require it should be able to access cardholder data.
  8. Identify users and authenticate access to system components: This requirement revolves around the need to assign unique IDs and strong credentials to authenticate users, ensuring that only authorized individuals can access sensitive cardholder data. It also strongly recommends the use of MFA where possible.
  9. Restrict physical access to cardholder data: This requirement revolves around the importance of physical security. It covers maintaining an access log and installing surveillance equipment.
  10. Log and monitor all access to system components and cardholder data: One reason why organizations fail audits and/or assessments is that they fail to keep an adequate record of who accessed sensitive information and when. In a nutshell, this requirement states that log entries should carry time stamps and that the logs should be sent to a central server for further analysis.
  11. Test security of systems and networks regularly: This requirement mandates vulnerability assessments and penetration testing to identify and close gaps that might be exploited by CTAs.
  12. Support information security with organizational policies and programs: This requirement mandates a policy that establishes the rules for protecting cardholder data, and requires that employees receive the documented policy, are trained on it, and adhere to it. The policy should be reviewed on an annual basis.
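As an added example (not the article’s or PCI SSC’s code), the following illustrates two of the requirements above in working form: requirement 3 by masking a PAN for display and producing a keyed hash for storage, and requirement 10 by scanning sample log lines for clear-text PANs and using the Luhn check to weed out unrelated digit runs. The six-digit/four-digit masking format, the HMAC key and the log lines are assumptions constructed for this example.

```python
import hashlib
import hmac
import re

# Assumption for this example: at most the first six and last four PAN digits are displayed.
def mask_pan(pan: str) -> str:
    """Return the PAN with all but the first six and last four digits replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every payment card PAN satisfies; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized PAN; without the key a stored
    token cannot be reversed by hashing every candidate PAN."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(log_lines):
    """Return (line_no, masked_pan) for every Luhn-valid PAN found in clear text."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits

# Constructed sample log lines using well-known test card numbers, not real accounts.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO auth ok pan=411111******1111",            # already masked
    "2024-05-01T10:00:01Z DEBUG raw request card=4111 1111 1111 1111",  # clear-text PAN leak
    "2024-05-01T10:00:02Z INFO shipment ref=1234567890123456",          # 16 digits, fails Luhn
]
if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_LOG))   # [(2, '411111******1111')]
```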

I heard that PCI DSS v4.0 came with the option of a customized approach. What does that mean?

To get a better understanding of the defined and customized approaches, as well as compensating controls, we recommend you read the following articles from PCI:

(Note: You can learn more about the changes between PCI DSS Version 3.2.1 to 4.0 here).

So, what are the penalties for non-compliance?

To reiterate, PCI DSS is not a law. It is enforced via contracts between merchants, acquiring banks (entities that process card transactions for merchants), and the different payment brands. Payment brands can fine the acquiring banks for violations and the banks, in turn, can choose not to work with those merchants. Fines for non-compliance can range between $5000 and $100,000 per month. It’s important to remember that a cardholder data breach or theft can also be penalized under GDPR, where the fines can go up to €20 million or 4% of annual global turnover.

(Note: For more information regarding fines and most common violations, please read this article).

(Note: You can find the PCI DSS glossary here).

Next week’s article will deal with Security and Legacy Systems.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
