Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions. [1]

History

The major card brands had five different security programs:

The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort by the principal credit-card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has been implemented and followed worldwide.

The Payment Card Industry Security Standards Council (PCI SSC) was then formed, and these companies aligned their policies to create the PCI DSS. [2] MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC in September 2006 as an administrative and governing entity which mandates the evolution and development of the PCI DSS. [3] Independent private organizations can participate in PCI development after they register. Each participating organization joins a SIG (Special Interest Group) and contributes to activities mandated by the group. The following versions of the PCI DSS have been made available: [4]

Version | Date              | Notes
--------|-------------------|------------------------------------------------------------
1.0     | December 15, 2004 |
1.1     | September 2006    | clarification and minor revisions
1.2     | October 2008      | enhanced clarity, improved flexibility, and addressed evolving risks and threats
1.2.1   | July 2009         | minor corrections designed to create more clarity and consistency among the standards and supporting documents
2.0     | October 2010      |
3.0     | November 2013     | active from January 1, 2014 to June 30, 2015
3.1     | April 2015        | retired since October 31, 2016
3.2     | April 2016        | retired since December 31, 2018
3.2.1   | May 2018          | retired since March 31, 2024
4.0     | March 2022        | updated firewall terminology, expansion of Requirement 8 to implement multi-factor authentication (MFA), increased flexibility to demonstrate security, and targeted risk analyses to establish risk exposure operation and management [5]

Requirements

The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives: [6]

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access-control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Each PCI DSS version has divided these six requirement groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is divided into three sections:

  1. PCI DSS requirements: Define the requirement. A requirement is considered met for PCI DSS purposes once it has been implemented.
  2. Testing: The processes and methodologies carried out by the assessor to confirm that the requirement has been implemented properly.
  3. Guidance: Explains the purpose of the requirement and its content, which helps entities implement it correctly.

In version 3.2.1 of the PCI DSS, the twelve requirements are:

  1. Install and maintain a firewall system to protect cardholder data.
  2. Avoid vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data on open, public networks.
  5. Protect all systems against malware, and update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain an information security policy which addresses information security for all personnel.

Updates and supplemental information

The PCI SSC (Payment Card Industry Security Standards Council) has released supplemental information to clarify requirements, which includes:

Reporting levels

Companies subject to PCI DSS standards must be PCI-compliant; how they prove and report their compliance is based on their annual number of transactions and how the transactions are processed. An acquirer or payment brand may manually place an organization into a reporting level at its discretion. [9] Merchant levels are:

Each card issuer maintains a table of compliance levels and a table for service providers. [10] [11]

Compliance validation

Compliance validation involves the evaluation and confirmation that the security controls and procedures have been implemented according to the PCI DSS. Validation occurs through an annual assessment, either by an external entity, or by self-assessment. [12]

Report on Compliance

A Report on Compliance (ROC) is conducted by a PCI Qualified Security Assessor (QSA) and is intended to provide independent validation of an entity's compliance with the PCI DSS standard. A completed ROC results in two documents: a ROC Reporting Template populated with detailed explanation of the testing completed, and an Attestation of Compliance (AOC) documenting that a ROC has been completed and the overall conclusion of the ROC.

Self-Assessment Questionnaire

The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended for small- to medium-sized merchants and service providers to assess their own PCI DSS compliance status. There are multiple types of SAQ, each with a different length depending on the entity type and payment model used. Each SAQ question has a yes-or-no answer, and any "no" response requires the entity to indicate its planned future implementation. As with ROCs, an Attestation of Compliance (AOC) based on the SAQ is also completed.

Security Assessors

The PCI Security Standards Council maintains a program to certify companies and individuals to perform assessment activities.

Qualified Security Assessor

A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to validate another entity's PCI DSS compliance. QSAs must be employed and sponsored by a QSA Company, which also must be certified by the PCI Security Standards Council. [13] [14]

Internal Security Assessor

An Internal Security Assessor (ISA) is an individual who has earned a certificate from the PCI Security Standards Council for their sponsoring organization, and can conduct PCI self-assessments for that organization. The ISA program was designed to help Level 2 merchants meet Mastercard compliance validation requirements. [15] ISA certification qualifies an individual to assess his or her own organization and to propose security solutions and controls for PCI DSS compliance. ISAs are responsible for cooperating and participating with QSAs. [12]

Compliance versus validation of compliance

Although the PCI DSS must be implemented by all entities which process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS; Visa also offers a Technology Innovation Program (TIP), an alternative program which allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against fraud, such as the use of EMV or point-to-point encryption.

Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks must comply with PCI DSS and have their compliance validated with an audit. In a security breach, any compromised entity which was not PCI DSS-compliant at the time of the breach may be subject to additional penalties (such as fines) from card brands or acquiring banks.

Legislation in the United States

Compliance with PCI DSS is not required by federal law in the United States, but the laws of some states refer to PCI DSS directly or make equivalent provisions. Legal scholars Edward Morse and Vasant Raval have said that by enshrining PCI DSS compliance in legislation, card networks reallocated the cost of fraud from card issuers to merchants. [16] In 2007, Minnesota enacted a law prohibiting the retention of some types of payment-card data more than 48 hours after authorization of a transaction. [17] [18] Nevada incorporated the standard into state law two years later, requiring compliance by merchants doing business in that state with the current PCI DSS and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by other approved security standards. [19] [16] In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be PCI DSS-compliant; however, compliant entities are shielded from liability in the event of a data breach. [20] [16]

Controversy and criticism

Visa and Mastercard impose fines for non-compliance. Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in Park City, Utah, were fined for a breach for which two forensics firms could not find evidence:

The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines are "profitable to them," the McCombs say. [21]

Michael Jones, CIO of Michaels, testified before a U.S. Congressional subcommittee about the PCI DSS:

[The PCI DSS requirements] are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve "Requirements" for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation. [22]

The PCI DSS may compel businesses to pay more attention to IT security, even if minimum standards are not enough to eradicate security problems. Bruce Schneier spoke in favor of the standard:

Regulation—SOX, HIPAA, GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever—has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services. [23]

PCI Council general manager Bob Russo responded to objections by the National Retail Federation:

[PCI is a structured] blend ... [of] specificity and high-level concepts [that allows] stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards. [24]

Visa chief enterprise risk officer Ellen Richey said in 2018, "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach". [25] However, a 2008 breach of Heartland Payment Systems (validated as PCI DSS-compliant) resulted in the compromising of one hundred million card numbers. Around that time, Hannaford Brothers and TJX Companies (also validated as PCI DSS-compliant) were similarly breached as a result of the allegedly-coordinated efforts of Albert Gonzalez and two unnamed Russian hackers. [26]

Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, frequently using sampling to allow compliance to be demonstrated with representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain compliance throughout the annual validation-and-assessment cycle across all systems and processes. A breakdown in merchant and service-provider compliance with the written standard may have been responsible for the breaches; Hannaford Brothers received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems.

Compliance validation is required only for Level 1 to 3 merchants and may be optional for Level 4, depending on the card brand and acquirer. According to Visa's compliance validation details for merchants, Level 4 merchant compliance-validation requirements ("Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually") are set by the acquirer. Over 80 percent of payment-card compromises between 2005 and 2007 affected Level 4 merchants, who handled 32 percent of all such transactions.

References

  1. "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018" (PDF). PCI Security Standards Council, LLC. Archived (PDF) from the original on September 1, 2018. Retrieved September 4, 2018.
  2. Liu, Jing; Xiao, Yang; Chen, Hui; Ozdemir, Suat; Dodle, Srinivas; Singh, Vikas (2010). "A Survey of Payment Card Industry Data Security Standard". IEEE Communications Surveys & Tutorials. 12 (3): 287–303. doi:10.1109/SURV.2010.031810.00083. S2CID 18117838.
  3. "About Us". PCI Security Standards Council. Archived from the original on April 2, 2022. Retrieved December 15, 2022.
  4. "Document Library". PCI Security Standards Council. Archived from the original on November 7, 2020. Retrieved November 12, 2020.
  5. "Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0". PCI Security Standards Council. March 31, 2022. Archived from the original on April 9, 2022. Retrieved April 8, 2022.
  6. "PCI DSS Quick Reference Guide" (PDF). Archived (PDF) from the original on November 12, 2020. Retrieved November 12, 2020.
  7. "Information Supplement: PCI DSS Wireless Guidelines" (PDF). August 26, 2011. Archived (PDF) from the original on October 31, 2018. Retrieved August 8, 2018.
  8. "PCI DSS v4.0 Resource Hub". Archived from the original on March 23, 2023. Retrieved March 24, 2023.
  9. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Archived from the original on September 2, 2019. Retrieved February 21, 2007.
  10. "Visa in Europe". Archived from the original on February 9, 2019. Retrieved February 8, 2019.
  11. "Things Merchants Need to Know | Process Payment Data & Secured Transactions | Mastercard". www.mastercard.us. Archived from the original on February 9, 2019. Retrieved February 8, 2019.
  12. PCI Security Standards Council. "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2" (PDF). PCI Security Standards Council, LLC. Archived from the original on July 19, 2023. Retrieved September 4, 2018.
  13. "Qualified Security Assessors". PCI Security Standards Council. Archived from the original on May 18, 2023. Retrieved May 18, 2023.
  14. "Qualification Requirements for Qualified Security Assessors (QSA)" (PDF). PCI Security Standards Council.
  15. "Avoid Paying For PCI Certification You Don't Need". FierceRetail. May 12, 2010. Archived from the original on May 17, 2022. Retrieved March 26, 2018.
  16. Edward A. Morse; Vasant Raval, "Private Ordering in Light of the Law: Achieving Consumer Protection through Payment Card Security Measures". DePaul Business & Commercial Law Journal 10, no. 2 (Winter 2012): 213–266. Archived August 6, 2020, at the Wayback Machine.
  17. James T. Graves, "Minnesota's PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care". William Mitchell Law Review 34, no. 3 (2008): 1115–1146. Archived August 6, 2020, at the Wayback Machine.
  18. "MINN. STAT. § 325E.64". Archived from the original on October 10, 2019. Retrieved October 10, 2019.
  19. "NEV. REV. STAT. § 603A.215". Archived from the original on October 1, 2019. Retrieved October 10, 2019.
  20. "2010 Wash. Sess. Laws 1055, § 3" (PDF). Archived (PDF) from the original on July 28, 2019. Retrieved October 10, 2019.
  21. Zetter, Kim (January 11, 2012). "Rare Legal Fight Takes on Credit Card Company Security Standards and Fines". Wired. Retrieved March 30, 2019.
  22. "Do the Payment Card Industry Data Standards Reduce Cybercrime? A Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, House of Representatives, One Hundred Eleventh Congress, First Session, March 31, 2009". GPO. March 31, 2009. Archived from the original on March 30, 2019. Retrieved March 30, 2019.
  23. "Bruce Schneier Reflects on a Decade of Security Trends". Schneier on Security. January 15, 2008. Archived from the original on March 3, 2019. Retrieved March 8, 2019.
  24. "Can PCI Compliance be Harmful to Your Security Initiative?". www.brighttalk.com. Archived from the original on April 18, 2021. Retrieved October 9, 2020.
  25. Vijayan, Jaikumar (March 19, 2009). "Post-breach criticism of PCI security standard misplaced, Visa exec says". Computerworld. Archived from the original on September 4, 2018. Retrieved September 4, 2018.
  26. Salim, Hamid M. (2014). Cyber safety: systems thinking and systems theory approach to managing cyber security risks (Thesis). Massachusetts Institute of Technology. hdl:1721.1/90804. Archived from the original on April 18, 2021. Retrieved October 8, 2020.