PCI DSS v4 training ChinaSVITI

PCI DSS v.4.0.1 Training Shenzhen

/in ,
PCI DSS v4 training China
This course provides a comprehensive overview and practical guidance on the Payment Card Industry Data Security Standard (PCI DSS). Through detailed requirement breakdowns, real-world case studies, and hands-on implementation strategies, it equips you to fully understand PCI DSS requirements, implement the latest controls, and address key updates in the standard. The training supports successful compliance validation and enhances your organization’s data security posture.

Course Content

  • ✔ Introduction to Payment Card Basics and PCI DSS Terminology

  • ✔ Overview of PCI DSS Concepts and Related Organizations

  • ✔ Comprehensive Analysis of the PCI DSS Compliance Validation Process

  • ✔ In-depth Examination of PCI DSS Security Domains

  • ✔ Operational Requirements for PCI DSS (Networks, Systems, Databases, Access Control, Development, and Management)

  • ✔ Detailed Interpretation of PCI DSS v4.0/v4.0.1 Requirements

  • ✔ Key Controls and Requirements for Implementation Before March 31, 2025

  • ✔ Ongoing Activities and Best Practices for Maintaining Compliance

Target Audience

    • 📌 Information security professionals interested in payment card processes

    • 📌 Individuals exploring PCI DSS requirements or involved in preparing for compliance validation

    • 📌 Managers and operational staff responsible for credit card or payment service planning

    • 📌 Personnel responsible for securing IT systems or network environments

    • 📌 Risk management, security audit, and compliance professionals

📅 Date: 2025-02-17~18 (Two Days) 9:30 AM ~ 5:00 PM

📍 Venue: Hong Feng Grand Hotel, 3F, Chun Man Yuan

PCI DSS v4 training registration wechat code

Course Fee: 6,000 RMB

SVITI PCI DSS Clients Enjoy 15% Discount

(Each SVITI client is entitled to 2 free spots)

 

Exclusive seats for client are limited.
Please scan the QR code via WeChat to register!
【Personal Data Notice】
  • To register, please log in to WeChat and fill in your personal information. Reminder notifications will be sent before the event. The organizer reserves the right to review registration eligibility based on the completeness and authenticity of the provided information. Unsuccessful registrants will not be notified separately.
  • This event uses an online registration and review system only. Phone registrations are not accepted. Seats are limited and available on a first-come, first-served basis.
  • Seating is on a first-come, first-served basis on the day of the event. Lunch, coffee, tea, alcoholic beverages, and afternoon tea will be provided for both days. Please arrive on time as late arrivals will not be accommodated.
  • During the event, there will be personnel recording the event for promotional purposes. The recordings may be used for marketing after the event concludes.
  • The organizer reserves the right to adjust, modify, change, provide the final explanation, or cancel the event. Any changes will be updated on the official event page, and no further notifications will be provided.
PCI DSS v4.0

Who need PCI DSS Compliance?

/in

Service Provider & Merchant 

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

PCI DSS

Service Provider 

“Service Provider” as defined by PCI DSS is an organization providing services that involve transmitting, processing, or storing payment cardholder data on behalf of merchants or other service providers.

This includes entities offering payment processing services, wallet providers, platforms integrating various payment channels, online marketplaces, and others impact security of cardholder data.

Additionally, data centers providing virtual hosting services and cloud service providers are not directly involved in transaction services; maybe impact cardholder data security to some extent and are also classified as service providers.

Unlike merchants, service providers are categorized into two levels. Using VISA as an example, the classification and compliance requirements are detailed as follows:

Level 1:

  • ● Processes over 300,000 transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes less 300,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
PCI DSS Service Provider Level

Merchant

Level 1:

  • ● Processes over 6 million transactions annually.
  • ● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 2:

  • ● Processes between 1 million and 6 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 3:

  • ● Processes between 20,000 and 1 million transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • ● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).

Level 4:

  • ● Processes up to 20,000 transactions annually.
  • ● Annual submission of a Self-Assessment Questionnaire (SAQ).
  • ● Submission of an Attestation of Compliance (AOC).
  • Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV) (optional).

For more details, refer to the VISA website
https://usa.visa.com/support/small-business/security-compliance.html
https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html

Mastercard PCI DSS Level 2 Merchant change

In addition, In addition, Mastercard has specific requirements for Level 2 merchants that differ significantly. If a Level 2 merchant is required to complete SAQ A, SAQ A-EP, or SAQ D for Merchant, the assessment and completion must be conducted by an approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This requirement has been effective since March 2021.

For more information, welcome to contact us.

first time PCI DSS Compliance

PCI DSS Compliance for dummies

/in

【PCI DSS Compliance for dummies】

Even Cybersecurity Beginners Can Achieve Compliance

Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.

As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.

To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.

The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.

When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):

Table of Contents

What is PCI DSS ?

PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.

PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.

PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.

Who needs PCI DSS Certification?

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

Step 1: To determine whether the entity is a Merchant or Service Provider.

Merchants

Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.

Service Providers

Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.

Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.

Level 1 Merchants and Service Providers

require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.

Level 2-4 Merchants and Level 2 Service Providers

can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.

Service Provider & Merchant

Who can assist PCI DSS Certification?

For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.

QSA (Qualified Security Assessor)

is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.

QSAC (Qualified Security Assessor Company)

employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.

How to choose QSA and QSAC?

  1. Visit [PCI Security Standards Council] to verify the certified QSA and QSAC.

  2. Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
  3. Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
  4. Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.

By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.

How to do?

PCI DSS Compliance Assessment normally consists of 4 main stages:

1. Preparation Stage

Scope Confirmation and Consulting phase.

**Scope Confirmation**

  • Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
  • Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.

**Consultation Phase**

  • Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
  • Security Training: Provide employees with relevant security training to enhance overall security awareness.

2. Data Preparation Phase

Preparation and Implementation of Necessary Controls

**Data Preparation**

● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance.
● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.

3. Assessment Phase

QSA Conducts On-Site Assessment.

**Audit Execution**

● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.

● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.

4. Report Phase

QSA Writes and Submits Compliance Reports and Certifications

● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).

● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.

● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.

How long does it take?

The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:

  1. Preparation Stage(1-2 months):Environment Verification and Consultation Phase.

  2. Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.

  3. Assessment Stage (5-7 days): On-site Assessment conducted by QSA.

  4. Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.

PCI DSS Certification timeline

Actual timelines may vary due to the following factors:

  • Preparedness: The extent of preparation before certification can expedite the process.
  • Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
  • Resources invested by the company (including manpower, time, and budget) and efficiency in project management.


To ensure an efficient process, it is recommended to:

  • Begin preparation: As early as possible, especially organizing documents and policies.
  • Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
  • Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.

How much does it cost?

Estimated Additional Costs for 1st-time PCI DSS Compliance

A. System

Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.

B. Security Equipment

Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).

C. Data Encryption Equipment

Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.

D. Personnel Training

PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.

E. Technical Test

PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.

F. Other

If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP (Service Provider Registration).

For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:

PCI DSS extra cost for first time

PCI DSS Certification Costs

In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.

The estimated assessment time depends on the following factors:

  1. System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.

  2. Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.

  3. Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.

  4. Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.

  5. Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.

Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.

However, an actual quotation depends on the complexity factors mentioned above.

Who needs PCI DSS Compliance?
Which SAQ Type?

Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.

PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?

It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.

After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.

*For more information about PCI Compliance Services, please feel free to contact us.

What is your SAQ Type?

/in ,

What is your SAQ Type?

PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.

SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.

Table of Contents

5 Steps for PCI DSS SAQ Self-Assessment:

  1. Select the SAQ type applicable to you.
  2. Verify that the scope of your PCI DSS environment is accurate.
  3. Self-assess if
    your environment is compliant with PCI DSS requirements.
  4. Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
  5. Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).
Most importantly, choose the SAQ type that suits your environment!

 

For e-commerce, these SAQ versions may apply:

  • Service Providers

SAQ D for Service Provider:

Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.

  • Merchants

SAQ A:

For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.

SAQ A-EP:

For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.

SAQ D for Merchant:

For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.

There are 10 different types of PCI DSS SAQs, each determined by the type of payment services you provide. The appropriate SAQ type is typically identified by your acquiring bank or with assistance from a Qualified Security Assessor (QSA), who can review your Cardholder Data Environment (CDE), cardholder data processes (such as card number handling), and data flow to accurately determine the applicable SAQ type. Alternatively, you can refer to the following PCI DSS SAQ type descriptions for a preliminary assessment. For your preliminary assessment, refer to PCI DSS SAQ types provided below.

If you need more information about SAQ types and achieve PCI DSS compliance effectively and accurately, the professional advice from QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.

How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?

/in ,
Read more

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

/in ,
Read more

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

/in ,

Microsoft Windows has recently updated, causing a high-risk Security Vulnerability (CVE-2021-36934) with a CVSS score of over 7 on July 23, 2021. This vulnerability is originated from the loose access policy for some system files, such as the Security Accounts Manager (SAM) databases. Users with malicious intent can use this vulnerability to elevate privileges to execute malicious code, view, change and even delete data, or create a new user account with full authority, etc.

From testing, the devices currently affected are mainly Windows 10 and Windows 11, however from the official information released by Microsoft, Windows Server 2019 is also affected. We must pay special attention to this issue, as there is currently no patch for this update that will safeguard against this vulnerability. As a short-term solution, there is an official workaround. For example, you can delete the affected Volume Shadow Copy Service. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)

Looking at this issue from the perspective of PCI DSS Compliance, the CVSS score of this vulnerability, which is 7.8 in Base Score Metrics, is of high-risk as it is a higher score than 7. This should be patched within 30 days if possible. Otherwise, other safeguard solutions must be found. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.

In addition, Windows 10 is commonly used as a springboard in the server room. Because of the Windows springboard, this may be assigned to different personnel. It is also important to pay attention whether there are ordinary users who will use this vulnerability for other purposes such as unauthorized activities.

This begs the question: How can one maintain the integrity of your security and systems with this vulnerability? We at Secure Vectors propose the following suggestions:

  1. Firstly, restrict access to specific system directories and delete backup copies from the Volume Shadow Copy Service (VSS). The reason for doing this is so that the system cannot be restored through backup/restoration tools. During this period while a patch is being developed, you can prevent the restoration operation from happening.
  2. Temporarily restrict “non-host management authority (Administrator)” personnel from logging into the host. General user accounts are usually able to access the core configuration files, SAM databases, etc. By doing this, non-host management authority personnel will not be able to access these files and thus your organization can avoid attacks from hackers through elevation of authority.
  3. Remember to update the scanning database of the internal vulnerability scanning tool to the latest version and perform a scan to check if the current tool can identify the problem.

Secure Vector consultant

Bryan Cheng

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification:PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

You might also like


PCI DSS v4 training ChinaSVITI

PCI DSS v.4.0.1 Training Shenzhen

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.



Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


PCI DSS v4 training ChinaSVITI

PCI DSS v.4.0.1 Training Shenzhen

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

/in ,

This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.

PCI DSS Standards

The Payment Card Industry Data Standards (referred to as PCI DSS), is a global industry standard set up by the major international credit card organisations pertaining to the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or Store, Process and Transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the Security Standards.

The PCI DSS is created and managed by the PCI SSC (Payment Industry Security Standards Council and her members consist of VISA Inc., MasterCard, JCB, American Express and Discover.

PCI DSS Compliance Levels

The way to obtain the PCI DSS compliance status is usually via a PCI DSS Assessment. Both Merchants and Service Providers have different levels, which can be seen below (using the regulations provided by VISA)

  • Merchant Levels
LevelRequired Security Certification/Scans Required Personal/Items
1
Over 6M transactions per year		On-site PCI DSS audit every year and ASV Network Scan every quarterQualified Security Assessor Internal Audit Report Authorized Scanning Vendor
2
Over 1M transactions per year		Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
3
Over 200K transactions per year		Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
4
Less than 20K transactions per year		Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
  • Service Provider Levels
LevelRequired Certification/ScansRequired Personal/Items
1
Over 300,000 transactions a year		Onsite PCI DSS audit every year and ASV network scan every quarterQualified Security Assessor Internal Audit Report Authorized Scanning Vendor
2
Below 300,000 transactions a year		Complete Self Assessment Questionnaire D (SAQ D) every year and perform ASV network scan every quarterMerchant
Approved Scan Vendor

When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.

Merchants Level 2-4 or Service Providers Level 2 must fill up a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be assisted by a QSA.

In order to determine the level and you are required to obtain, and the type of SAQ you are required to use, please contact your acquirer.

PCI DSS Audit Process

In general, the PCI DSS audit can be divided into the following phases below:

PCI DSS 認證 階段 時間

The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)

Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)

Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.

2. Security Equipment Costs

Additional security equipment may need to be purchased (i.e. Firewalls, IPS, IDS, WAF)

3.  Data Encryption Costs

PCI DSS requires card data encryption. Organisations will typically use HSM (Hardware Secure Module) hardware encryption to ensure the security of the cardholder data stored.

4. Training Costs

PCI DSS requires employees to undergo Awareness Training, Secure Coding Training, and IRP (Incident Response Plan) drills. In addition, to perform Vulnerability Scans and Penetration Tests, your staff may also have to undergo sufficient technical training to operate these tools.

5. Technical Audit Costs

PCI DSS mandates a number of technical audits, including:

  • Card Number Scanning
  • Code Review
  • Internal Vulnerability Scan
  • ASV, External Vulnerability Scan
  • Internal Penetration Test
  • External Penetration Test
  • Wireless Scan

There may be some additional costs here.

6. Other Costs

If your organization is designated as a Service Provider, you will be required to register yourself, such as at VISA’s VISA Registry or MasterCard’s Service Provider Registration

Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:

SectionExpected Extra CostsRemarks
Systems5-6 more servers, one-time expenditure of US$15,000
Security EquipmentMore WAF, IPS and other systems required, one-time expenditure of US$15,000-20,000Assuming Intermediate WAF
Data Encryption EquipmentSpend up to US$30,000 in HSM costsHSM prices vary greatly, software encryption methods can also be used
TrainingTraining costs up to US$2,500 a yearCan conduct training internally
Technical AuditsBased on the needs of the servers and number of applications may cost between US$30,000-90,000 annually
OthersRegistration fees to the card organisations are about US$3,000-5,000 per year

PCI DSS Compliance Fees

In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.

  • System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
  • Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
  • The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
  • Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
  • Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.

The costs of a PCI DSS audit will also differ by geography, as the PCI SSC has different annual costs for each region. The costs of a QSA is also different in each region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and require about a week for the preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD to 25,000 USD. Of course, the actual price must be estimated based on the variables mentioned above to determine the amount of time required for the audit.

Vincent Huang

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security

- Professional certification: DSS QSA, PCI 3DS Assessor, PIN Security QPA, CISSP, CEH, NSPA, ISMS LA, ITSM LA, Certified CSA STAR Auditor, Europrise Technical Expert

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

You might also like

PCI DSS v4 training ChinaSVITI

PCI DSS v.4.0.1 Training Shenzhen

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.