Understanding PCI Compliance. Part 1

15 March 2013
By Roman Denisenko, Senior QA

With five years’ experience in IT I have often found that clients misunderstand the importance of security testing in software development. Nowadays the market offers users lots of interesting, elaborate, and useful web and mobile applications, and every day more of them become available. But how many suppliers seriously think about the security of their products? And how many of them have already been hacked? The consequences of such carelessness are obvious: lawsuits, loss of customers, and potentially even closure of the business. There are many security standards for web applications. Some of them are only recommendations; others are mandatory. All of them share one aim: to defend products and their users’ data from attack, and to reduce the risks created by careless development practices.

Over the next several posts I would like to look at the most important mandatory standard for every company that handles payment card data: PCI DSS.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 detailed requirements that applies to merchants, processors, acquirers, issuers, service providers, and any other organization that stores, processes, or transmits cardholder data. PCI DSS is maintained by the PCI Security Standards Council, which was founded by five global card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Should my product conform to the PCI DSS and satisfy all its requirements?

If an application stores, processes, or transmits the primary account number (PAN), that application is in scope and must conform to PCI DSS. If the PAN is never stored, processed, or transmitted, the requirements do not apply.

So, first of all, check whether the PAN is used anywhere in your product: in the database, in logs, in cached responses, in backups, and on the wire.

  • If you are the owner of an on-line shop (“to Papua New Guinea for 20 USD!”, “50% off on our fall/winter collection of Alpaca wool slippers!”) and your clients have the option to pay by credit card, then YES! Check that your product conforms to PCI DSS!
  • If you are a bank and your customers use internet banking that handles their card numbers, YES! Check it before giving them that service!

These are just two examples; there are many more. It is better to foresee trouble and check for compliance before launching a product onto the market. All financial institutions, card companies, and merchants must comply with PCI DSS if their clients use payment cards for transactions.

How compliance must be validated depends on the number of payment card transactions the merchant processes per year. Note that the level thresholds and the exact requirements vary by card brand (American Express, MasterCard, Visa etc.), and the level changes only how compliance is validated, not the standard itself:

  • More than 6 million transactions: the merchant must perform the following actions:
    • Annually undergo an on-site assessment by a Qualified Security Assessor (QSA)
    • Quarterly have a network scan performed by an Approved Scanning Vendor (ASV)
  • 6 million transactions or fewer: the merchant must perform the following actions:
    • Annually complete a Self-Assessment Questionnaire (SAQ)
    • Quarterly have a network scan performed by an Approved Scanning Vendor (ASV), where required by the card brand or acquiring bank for the smallest merchants

Detailed information about the 12 requirements will be published in the next two posts. For now you can judge for yourself which points your company should pay most attention to.

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

We’ll briefly discuss the first 6 points in the next post about PCI compliance. Be safe and careful – your clients’ data is your responsibility.

Dictionary

QSA – an organization that has been qualified by the PCI Security Standards Council to have its employees assess compliance with the PCI DSS standard.

ASV – an organization that validates adherence to certain PCI DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.

SAQ – a validation tool consisting of a series of yes-or-no questions about your security policies and practices. The SAQ is completed by merchants themselves.

See also:

Understanding PCI Compliance. Part 2
Understanding PCI Compliance. Part 3
