PCI DSS Compliance

Description

The exponential growth of online transactions with credit and debit cards has made paying more convenient, but it has also opened the door to greater and more damaging security risks. To curb this, the major credit card companies created a set of security standards known as the Payment Card Industry Data Security Standard (PCI DSS), intended to protect their customers from increasing identity theft and security breaches.
PCI DSS originally began as five different programs: the Visa Card Information Security Program, MasterCard Site Data Protection, the American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each of these companies intended to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council was formed, and on 15 December 2004 these companies aligned their individual policies and created Payment Card Industry Data Security Standard version 1.0, later revised as version 1.1. Implementing PCI DSS has now been made mandatory, with a 2010 deadline.
Virtually all businesses, regardless of their size, need to understand the scope of PCI DSS and how to implement network security that is compliant with PCI DSS guidelines. In doing so, they will avoid penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.
AppLabs, an independent software company, is one such service provider that is compliant with PCI DSS guidelines and satisfies the PCI DSS requirements, which include security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive st

Shared by: AppLabs
posted:
2/11/2009
White Paper

PCI DSS Compliance: An Overview

Last Updated: 21st August, 2007

Introduction

The growth of online services that make it easier for customers to purchase goods has been exponential over recent years. To make this process easier, customers generally pay for services or goods by credit or debit card. However, improved efficiency and convenience for the consumer mean that crime has also become easier and more convenient. Criminals have become more skillful, having discovered that there is a significant amount of money to be acquired with very little risk, and as such credit card fraud and identity theft have become much more commonplace in recent years. Network infrastructures that are used commercially require absolute security because of the sensitive personal information they contain. Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing is affected by PCI DSS.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to protect their customers from increasing identity theft and security breaches.

Who must comply with PCI DSS?

Virtually all businesses, regardless of their size, need to understand the scope of PCI DSS and how to implement network security that is compliant with PCI DSS guidelines. In doing so, they will avoid penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards. Any company that stores, processes or transmits cardholder data must comply with PCI DSS. Primarily, merchants and service providers should be compliant with this standard. Merchants are the companies that accept credit cards in exchange for goods or services. A service provider is any company that processes, stores, or transmits cardholder data, including companies that provide services to merchants or other service providers. To comply with this standard, a merchant or service provider has to satisfy the requirements listed below.

Overview of PCI DSS Requirements

PCI DSS version 1.1 comprises six control objectives, which in turn contain one or more requirements covering the whole ambit of IT security with a mix of technical and procedural controls. According to PCI DSS 1.1, the scope is limited to the cardholder data environment only if adequate network segmentation is in place. In most cases, this implies the use of dedicated firewalls and non-routable virtual local area networks (VLANs). If you do not have such controls in place, the scope of PCI compliance validation will cover your entire network. The list below sets out the 12 PCI requirements:

- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data on a need-to-know basis
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security

Compliance Process

Depending on the company's merchant or service provider level, either an annual onsite PCI audit has to be conducted, or a Self-Assessment Questionnaire (SAQ) has to be completed to validate compliance. In addition, the results of quarterly network perimeter scans (which have to be performed by an Approved Scanning Vendor), evidence of internal vulnerability scans and evidence of application and network penetration tests are to be shared with the card brands to prove that the company practices sound patch management and vulnerability management processes. PCI classifies merchants and service providers based on the number of transactions that take place through their service. Tables I and II below classify the different levels for merchants and service providers.

Table I: Merchant levels

Level   | Selection criteria                                                                                                                      | Compliance validation
Level 1 | More than six million VISA/Mastercard transactions annually across all channels, including e-commerce                                   | Annual onsite PCI data security assessment; quarterly network scans
Level 2 | 1,000,000 - 5,999,999 VISA/Mastercard transactions annually                                                                             | Annual self-assessment; quarterly network scans
Level 3 | 20,000 - 1,000,000 VISA/Mastercard e-commerce transactions annually                                                                     | Annual self-assessment; quarterly network scans
Level 4 | Fewer than 20,000 e-commerce transactions annually, and all merchants across all channels with up to 1,000,000 VISA transactions annually | Annual self-assessment; annual network scans

Table II: Service provider levels

Level   | Selection criteria                                                                                                                       | Compliance validation
Level 1 | All VisaNet processors (member and non-member) and all payment gateways                                                                  | Annual onsite PCI data security assessment; quarterly network scans
Level 2 | Any service provider not in Level 1 that stores, processes or transmits more than 1,000,000 VISA/Mastercard accounts/transactions annually | Annual onsite PCI data security assessment; quarterly network scans
Level 3 | Any service provider not in Level 1 that stores, processes or transmits fewer than 1,000,000 VISA/Mastercard accounts/transactions annually | Annual self-assessment; quarterly network scans

Achieving PCI DSS Compliance

A recommended, proactive way for merchants and service providers to meet PCI DSS compliance is to have their network perimeter scanned by an Approved Scanning Vendor (ASV) every quarter. At the request of the merchant or service provider, the ASV obtains the required information, runs a scan and submits a scan report clearly highlighting compliance status, network vulnerabilities and vulnerable services, classified according to the scoring pattern and severities prescribed by PCI DSS. The compliance scan follows the steps below:

- The merchant or service provider engages an ASV to perform the PCI DSS scanning service;
- The merchant provides the ASV with information about its network perimeter. Any special requirements, such as the exclusion or justification of specific services, are taken into account as part of this step;
- The ASV scans the merchant's network perimeter from a remote site using non-intrusive tests;
- The ASV determines compliance based on the vulnerabilities found during the assessment. This is benchmarked against the scoring matrix provided by PCI DSS;
- The ASV produces a report containing the PCI DSS status of each scanned network component, with recommendations to address the vulnerabilities;
- The ASV and the merchant review the vulnerabilities together and apply the suggested fixes to mitigate any perceived risk and maintain compliance with PCI DSS.

Benefits of Compliance

- By complying with PCI DSS, the organization has taken the appropriate steps to ensure that its customers and their data are secure;
- One of the benefits of PCI DSS compliance is that the organization will not face a severe penalty if its services are breached. If the analysis after a security incident shows that the company was still compliant at the time of the incident, this will be treated with leniency by the authorities;
- More importantly, if your company is a Level 1 or Level 2 merchant, you may be eligible to receive part of the $20 million in financial incentives from Visa;
- Obtaining PCI DSS compliance status will attract discounts on transaction costs from the credit card companies.

AppLabs.com App_WhitePaper_PCI_DSS_Compliance_1v00 © 2007 AppLabs
