Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.
PCI DSS
Service Provider
“Service Provider” as defined by PCI DSS is an organization providing services that involve transmitting, processing, or storing payment cardholder data on behalf of merchants or other service providers.
This includes entities offering payment processing services, wallet providers, platforms integrating various payment channels, online marketplaces, and others impact security of cardholder data.
Additionally, data centers providing virtual hosting services and cloud service providers are not directly involved in transaction services; maybe impact cardholder data security to some extent and are also classified as service providers.
Unlike merchants, service providers are categorized into two levels. Using VISA as an example, the classification and compliance requirements are detailed as follows:
Level 1:
● Processes over 300,000 transactions annually.
● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 2:
● Processes less 300,000 transactions annually.
● Annual submission of a Self-Assessment Questionnaire (SAQ).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Merchant
Level 1:
● Processes over 6 million transactions annually.
● Annual on-site assessment by a QSA with submission of a Report on Compliance (ROC).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 2:
● Processes between 1 million and 6 million transactions annually.
● Annual submission of a Self-Assessment Questionnaire (SAQ).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV).
Level 3:
● Processes between 20,000 and 1 million transactions annually.
● Annual submission of a Self-Assessment Questionnaire (SAQ).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scansby an Approved Scanning Vendor (ASV).
Level 4:
● Processes up to 20,000 transactions annually.
● Annual submission of a Self-Assessment Questionnaire (SAQ).
● Submission of an Attestation of Compliance (AOC).
● Conduct quarterly reports of External Vulnerability Scans by an Approved Scanning Vendor (ASV) (optional).
For more details, refer to the VISA website https://usa.visa.com/support/small-business/security-compliance.html https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html
In addition, In addition, Mastercardhas specific requirements for Level 2 merchants that differ significantly. If a Level 2 merchant is required to complete SAQ A, SAQ A-EP, or SAQ D for Merchant, the assessment and completion must be conducted by an approved Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). This requirement has been effective since March 2021.
Even Cybersecurity Beginners Can Achieve Compliance
Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.
As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.
To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.
The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.
When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):
Table of Contents
What is PCI DSS ?
PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.
PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.
PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.
Who needs PCI DSS Certification?
Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.
Step 1: To determine whether the entity is a Merchant or Service Provider.
Merchants
Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.
Service Providers
Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.
Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.
Level 1 Merchants and Service Providers
require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.
Level 2-4 Merchants and Level 2 Service Providers
can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.
For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.
QSA (Qualified Security Assessor)
is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.
QSAC (Qualified Security Assessor Company)
employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.
Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.
By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.
How to do?
PCI DSS Compliance Assessment normally consists of 4 main stages:
1. Preparation Stage
Scope Confirmation and Consulting phase.
**Scope Confirmation**
Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.
**Consultation Phase**
Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
Security Training: Provide employees with relevant security training to enhance overall security awareness.
2. Data Preparation Phase
Preparation and Implementation of Necessary Controls
**Data Preparation**
● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance. ● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.
3. Assessment Phase
QSA Conducts On-Site Assessment.
**Audit Execution**
● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.
● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.
4. Report Phase
QSA Writes and Submits Compliance Reports and Certifications
● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).
● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.
● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.
How long does it take?
The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:
Preparation Stage(1-2 months):Environment Verification and Consultation Phase.
Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.
Assessment Stage (5-7 days): On-site Assessment conducted by QSA.
Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.
Actual timelines may vary due to the following factors:
Preparedness: The extent of preparation before certification can expedite the process.
Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
Resources invested by the company (including manpower, time, and budget) and efficiency in project management.
To ensure an efficient process, it is recommended to:
Begin preparation: As early as possible, especially organizing documents and policies.
Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.
How much does it cost?
Estimated Additional Costs for 1st-time PCI DSS Compliance
A. System
Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.
B. Security Equipment
Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).
C. Data Encryption Equipment
Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.
D. Personnel Training
PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.
E. Technical Test
PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.
F. Other
If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP(Service Provider Registration).
For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:
PCI DSS Certification Costs
In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.
The estimated assessment time depends on the following factors:
System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.
Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.
Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.
Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.
Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.
Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.
However, an actual quotation depends on the complexity factors mentioned above.
Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.
PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?
It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.
After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.
*For more information about PCI Compliance Services, please feel free to contact us.
https://www.securevectors.com/wp-content/uploads/2024/06/News-0830.png628838arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2024-06-23 14:40:452024-11-10 00:04:45PCI DSS Compliance for dummies
PCI DSS Self-Assessment Questionnaire (SAQ) is a self-assessment questionaire designed to evaluate the compliance status of payment systems. It applies to merchants of levels 2-4 and service providers of level 2.
SAQ assesses an organization’s compliance with various standards. For example, under Visa’s guidelines, merchants processing fewer than 6 million transactions annually or service providers processing fewer than 300,000 transactions annually qualify for the SAQ.
Table of Contents
5 Steps for PCI DSS SAQ Self-Assessment:
Select the SAQ type applicable to you.
Verify that the scope of your PCI DSS environment is accurate.
Self-assess if
your environment is compliant with PCI DSS requirements.
Complete the SAQ documentation, including assessment information, the questionnaire, and supporting evidence.
Submit the SAQ assessment results and the Attestation of Compliance (AOC) to the requesting organization (acquirer).
Most importantly, choose the SAQ type that suits your environment!
For e-commerce, these SAQ versions may apply:
Service Providers
SAQ D for Service Provider:
Applicable only to service providers, it includes the requirements from SAQ D for Merchants and adds criteria for documentation and customer policies, procedural reviews, configuration checks, alerts, penetration test records, and more, with a total of 259 questions.
Merchants
SAQ A:
For fully outsourced payment services (e.g., payment page using URL redirect or iFrame). SAQ A involves document checks, configuration checks, policy reviews, data retention and disposal, and external vulnerability scans. It’s the shortest SAQ version, with only 29 questions.
SAQ A-EP:
For merchants using an outsourced payment processor but managing their own payment page. SAQ A-EP covers SAQ A items and adds requirements for network management, host management, data security, vulnerability management, access control, and monitoring/testing, with significant additional requirements due to partial involvement in payment processing.
SAQ D for Merchant:
For merchants with an in-house payment system or those storing cardholder data electronically. SAQ D for Merchant has broader requirements than SAQ A-EP, covering all PCI DSS requirements for merchants.
There are 10 different types of PCI DSS SAQs, each determined by the type of payment services you provide. The appropriate SAQ type is typically identified by your acquiring bank or with assistance from a Qualified Security Assessor (QSA), who can review your Cardholder Data Environment (CDE), cardholder data processes (such as card number handling), and data flow to accurately determine the applicable SAQ type. Alternatively, you can refer to the following PCI DSS SAQ type descriptions for a preliminary assessment.
For your preliminary assessment, refer to PCI DSS SAQ types provided below.
If you need more information about SAQ types and achieve PCI DSS compliance effectively and accurately, the professional advice from QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.
https://www.securevectors.com/wp-content/uploads/2024/06/PCI-DSS-SAQ-type_EN.png21222882arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2024-06-21 18:15:032024-11-12 14:51:52What is your SAQ Type?
https://www.securevectors.com/wp-content/uploads/2023/12/PCI-DSS-v4.0-意象圖-方版_EN.jpg663960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-09-15 16:00:522024-09-08 10:48:18How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?
https://www.securevectors.com/wp-content/uploads/2023/08/2023-08-01-漏洞修補意象圖-方版_En.jpg720960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-08-15 17:43:242024-09-08 10:48:28[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!
https://www.securevectors.com/wp-content/uploads/2023/07/20230725-EN-方版.jpg9601280arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-07-31 11:01:212023-07-31 11:02:29【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?
Microsoft Windows has recently updated, causing a high-risk Security Vulnerability (CVE-2021-36934) with a CVSS score of over 7 on July 23, 2021. This vulnerability is originated from the loose access policy for some system files, such as the Security Accounts Manager (SAM) databases. Users with malicious intent can use this vulnerability to elevate privileges to execute malicious code, view, change and even delete data, or create a new user account with full authority, etc.
From testing, the devices currently affected are mainly Windows 10 and Windows 11, however from the official information released by Microsoft, Windows Server 2019 is also affected. We must pay special attention to this issue, as there is currently no patch for this update that will safeguard against this vulnerability. As a short-term solution, there is an official workaround. For example, you can delete the affected Volume Shadow Copy Service. (Please refer to: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934)
Looking at this issue from the perspective of PCI DSS Compliance, the CVSS score of this vulnerability, which is 7.8 in Base Score Metrics, is of high-risk as it is a higher score than 7. This should be patched within 30 days if possible. Otherwise, other safeguard solutions must be found. If the ASV (Approved Scanning Vendor) external vulnerability scan encounters this problem, the vulnerability scan will not pass.
In addition, Windows 10 is commonly used as a springboard in the server room. Because of the Windows springboard, this may be assigned to different personnel. It is also important to pay attention whether there are ordinary users who will use this vulnerability for other purposes such as unauthorized activities.
This begs the question: How can one maintain the integrity of your security and systems with this vulnerability? We at Secure Vectors propose the following suggestions:
Firstly, restrict access to specific system directories and delete backup copies from the Volume Shadow Copy Service (VSS). The reason for doing this is so that the system cannot be restored through backup/restoration tools. During this period while a patch is being developed, you can prevent the restoration operation from happening.
Temporarily restrict “non-host management authority (Administrator)” personnel from logging into the host. General user accounts are usually able to access the core configuration files, SAM databases, etc. By doing this, non-host management authority personnel will not be able to access these files and thus your organization can avoid attacks from hackers through elevation of authority.
Remember to update the scanning database of the internal vulnerability scanning tool to the latest version and perform a scan to check if the current tool can identify the problem.
Bryan Cheng
Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant
- Payment Card Industry Security, IT Security Management, Cloud Service Management
- Professional Certification:PCI DSS QSA, CISSP, ISO27001 LA, BS10012 LA, MCSE, MCITP, TUViT Privacy Protection Consultant
安律國際股份有限公司 Secure Vectors Information Technologies Inc.
Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.
https://www.securevectors.com/wp-content/uploads/2024/06/PCI-DSS-SAQ-type_EN.png21222882arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2024-06-21 18:15:032024-11-12 14:51:52What is your SAQ Type?
https://www.securevectors.com/wp-content/uploads/2023/12/PCI-DSS-v4.0-意象圖-方版_EN.jpg663960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-09-15 16:00:522024-09-08 10:48:18How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?
https://www.securevectors.com/wp-content/uploads/2023/08/2023-08-01-漏洞修補意象圖-方版_En.jpg720960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-08-15 17:43:242024-09-08 10:48:28[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!
https://www.securevectors.com/wp-content/uploads/2023/07/20230725-EN-方版.jpg9601280arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-07-31 11:01:212023-07-31 11:02:29【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?
https://www.securevectors.com/wp-content/uploads/2021/02/PCI-3DS-驗證-3-步驟-scaled.jpg15642560arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2021-10-13 11:57:422021-10-13 11:59:39PCI DSS Compliance Process and Requirements
*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.
An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.
From PCI DSS point of views, primary concerns are operating system user account security. Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.
PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.
Verify Operating System vendors have releasing relate patch and complete patch update within 1 month. If there are no updates from the vendors, necessary mitigation process should be in place.
Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:
Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation. Other Linux OS may result in I.O.C. generate from this vulnerability. Linux Servers patch fix as follow:
Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant
• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA
安律國際股份有限公司 Secure Vectors Information Technologies Inc.
Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.
https://www.securevectors.com/wp-content/uploads/2024/06/PCI-DSS-SAQ-type_EN.png21222882arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2024-06-21 18:15:032024-11-12 14:51:52What is your SAQ Type?
https://www.securevectors.com/wp-content/uploads/2023/12/PCI-DSS-v4.0-意象圖-方版_EN.jpg663960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-09-15 16:00:522024-09-08 10:48:18How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?
https://www.securevectors.com/wp-content/uploads/2023/08/2023-08-01-漏洞修補意象圖-方版_En.jpg720960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-08-15 17:43:242024-09-08 10:48:28[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!
https://www.securevectors.com/wp-content/uploads/2023/07/20230725-EN-方版.jpg9601280arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-07-31 11:01:212023-07-31 11:02:29【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?
https://www.securevectors.com/wp-content/uploads/2021/02/PCI-3DS-驗證-3-步驟-scaled.jpg15642560arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2021-10-13 11:57:422021-10-13 11:59:39PCI DSS Compliance Process and Requirements
*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.
This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.
PCI DSS Standards
The Payment Card Industry Data Standards (referred to as PCI DSS), is a global industry standard set up by the major international credit card organisations pertaining to the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or Store, Process and Transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the Security Standards.
The PCI DSS is created and managed by the PCI SSC (Payment Industry Security Standards Council and her members consist of VISA Inc., MasterCard, JCB, American Express and Discover.
PCI DSS Compliance Levels
The way to obtain the PCI DSS compliance status is usually via a PCI DSS Assessment. Both Merchants and Service Providers have different levels, which can be seen below (using the regulations provided by VISA)
Merchant Levels
Level
Required Security Certification/Scans
Required Personal/Items
1
Over 6M transactions per year
On-site PCI DSS audit every year and ASV Network Scan every quarter
Complete Self Assessment Questionnaire D (SAQ D) every year and perform ASV network scan every quarter
Merchant
Approved Scan Vendor
When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.
Merchants Level 2-4 or Service Providers Level 2 must fill up a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be assisted by a QSA.
In order to determine the level and you are required to obtain, and the type of SAQ you are required to use, please contact your acquirer.
PCI DSS Audit Process
In general, the PCI DSS audit can be divided into the following phases below:
The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.
PCI DSS related costs during and after the review
Systems Related Costs
As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)
Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.
PCI DSS related costs during and after the review
Systems Related Costs
As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)
Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.
2. Security Equipment Costs
Additional security equipment may need to be purchased (i.e. Firewalls, IPS, IDS, WAF)
3. Data Encryption Costs
PCI DSS requires card data encryption. Organisations will typically use HSM (Hardware Secure Module) hardware encryption to ensure the security of the cardholder data stored.
4. Training Costs
PCI DSS requires employees to undergo Awareness Training, Secure Coding Training, and IRP (Incident Response Plan) drills. In addition, to perform Vulnerability Scans and Penetration Tests, your staff may also have to undergo sufficient technical training to operate these tools.
5. Technical Audit Costs
PCI DSS mandates a number of technical audits, including:
Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:
Section
Expected Extra Costs
Remarks
Systems
5-6 more servers, one-time expenditure of US$15,000
Security Equipment
More WAF, IPS and other systems required, one-time expenditure of US$15,000-20,000
Assuming Intermediate WAF
Data Encryption Equipment
Spend up to US$30,000 in HSM costs
HSM prices vary greatly, software encryption methods can also be used
Training
Training costs up to US$2,500 a year
Can conduct training internally
Technical Audits
Based on the needs of the servers and number of applications may cost between US$30,000-90,000 annually
Others
Registration fees to the card organisations are about US$3,000-5,000 per year
PCI DSS Compliance Fees
In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.
System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.
The costs of a PCI DSS audit will also differ by geography, as the PCI SSC has different annual costs for each region. The costs of a QSA is also different in each region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and require about a week for the preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD to 25,000 USD. Of course, the actual price must be estimated based on the variables mentioned above to determine the amount of time required for the audit.
Vincent Huang
Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant
- IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security
安律國際股份有限公司 Secure Vectors Information Technologies Inc.
Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.
https://www.securevectors.com/wp-content/uploads/2024/06/PCI-DSS-SAQ-type_EN.png21222882arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2024-06-21 18:15:032024-11-12 14:51:52What is your SAQ Type?
https://www.securevectors.com/wp-content/uploads/2023/12/PCI-DSS-v4.0-意象圖-方版_EN.jpg663960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-09-15 16:00:522024-09-08 10:48:18How to meet the additional requirement for Service Provider only by PCI DSS v4.0 provision 12.4.2?
https://www.securevectors.com/wp-content/uploads/2023/08/2023-08-01-漏洞修補意象圖-方版_En.jpg720960arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-08-15 17:43:242024-09-08 10:48:28[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!
https://www.securevectors.com/wp-content/uploads/2023/07/20230725-EN-方版.jpg9601280arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2023-07-31 11:01:212023-07-31 11:02:29【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?
https://www.securevectors.com/wp-content/uploads/2021/02/PCI-3DS-驗證-3-步驟-scaled.jpg15642560arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2021-10-13 11:57:422021-10-13 11:59:39PCI DSS Compliance Process and Requirements
*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.
https://www.securevectors.com/wp-content/uploads/2021/02/PCI-3DS-驗證-3-步驟-scaled.jpg15642560arthur.lihttps://www.securevectors.com/wp-content/uploads/2024/02/logo.svgarthur.li2021-10-13 11:57:422021-10-13 11:59:39PCI DSS Compliance Process and Requirements
3D Secure (3DS) is a solution designed to enhance the security of online payment-by-card transactions by authenticating the payer is the rightful owner of the card. All major global card schemes have adopted the common 3DS standards and specification that are managed by the EMVCo. Global card schemes have set liability shift timelines for migration to 3DS transactions while the revised European Payment Services Directive (PSD2) requires Strong Customer Authentication (SCA) for online payments. The newest EMV® 3-D Secure Protocol and Core Functions Specification for the certification of ACS, DS, and 3DSS products is version 2.2.0, while the Payment Card Industry Security Standards Council (PCI SSC) released the PCI 3DS Core Security Standard v1.0 in December 2017. The global payment cards industry has entered into a new 3DS 2.0 era.
3DS Product Certification
3DS product providers and software vendors will need certification of compliance to EMVCo’s 3DS specification as well as card schemes’ secure programs in order to integrate with the card schemes’ Directory Server. You can visit EMVCo’s website for more information on EMVCo’s 3DS product specifications, and Visa Technology Partner website for more information on Visa Secure program and Visa’s EMV 3DS Product Testing.
PCI 3DS Assessment and Certification
Banks and/or payment service providers should adopt the new 3DS 2.0 system to further reduce fraud and improve customer experience for card-not-present online payment transactions. But, who exactly will need to be validated for compliance to the PCI 3DS standard?
Below is a summary of relevant certification requirements based on Visa’s Certification Guide and Checklist for the ACS and 3DSS (Visa’s EMV 3DS Product Certification Guide and Checklist – Access Control Server, and Visa’s EMV 3DS Product Certification Guide and Checklist-3DS Server), as well as our suggestions.
(1) 3DSS Services
If you are a 3DS Server(3DSS) Hosting Services provider or an Acquirer Processor, you need to pass the validation of PCI DSS for 3DE (3DS Data Environment). If you are a Merchant and run your own 3DSS for your operations, you have to pass PCI DSS assessment too. In other words, no businesses should pass the PCI 3DS Standard validation according to Visa’s certification requirement.
(Source: Visa’s EMV 3DS Product Certification Guide and Checklist – 3DS Server Prerequisites)
(2) ACS Services
For ACS services, if you are an ACS Hosting Services Provider or Issuer Processor, you are required to pass both PCI DSS and PCI 3DS assessments for your 3DE (or to pass both Part 1 and Part 2 of PCI 3DS).
But if you are an Issuer, whether you buy an ACS solution or build your own ACS system, you can choose whether to get these assessments. Both standards are not mandated for an Issuer using ACS.
(Source: Visa’s EMV 3DS Product Certification Guide and Checklist – Access Control Server)
(3) Cloud Service and Cloud Service Vendor
For those companies who would like to utilize cloud technologies for their 3DS operations or ACS services, it is very important to verify if the cloud service vendor has been validated by PCI 3DS Standard; both PCI 3DS AOC and ROC should be submitted to the card scheme before it can register as a 3DS services vendor.
(4) HSM (Hardware Security Module)
PCI 3DS Standard requires a high level HSM for the cryptographic management.
Part II 6.1.2 For ACS and DS only: All key management activity for specified cryptographic keys (as defined in the PCI 3DS Data Matrix) is performed using an HSM that is either:
– FIPS 140-2 Level 3 (overall) or higher certified, or
– PCI PTS HSM approved.
If you are planning your ACS services, you should bear in mind to get the right model and level of your HSM. For some Key Management Services (KMS) of Cloud, their security level is only FIPS 140-2 Level 2 (overall), and it will not meet the requirements of PCI 3DS.
How to get PCI 3DS Certification
For those who need to pass the PCI 3DS validation, here are some basic steps for the certification:
(1) Check your PCI DSS compliance
There are two parts to the requirements in PCI 3DS Core Security Standard,
Part 1: Baseline Security Requirements
Part 2: 3DS Security Requirements
The first part is the Baseline Security Requirements which is the equivalent part to PCI DSS. So if you have passed the validation of PCI DSS to the PCI 3DS environment, you don’t need to be validated for Part 1 again. If you have not been validated for PCI DSS, then you can choose to pass PCI 3DS Part I validation or use PCI DSS to validate the PCI 3DS environment. However, since VISA requires ACS Hosting and Issuing Processor to have PCI DSS validation, PCI DSS should be seen as a must.
(2) Confirmed products (ACS, DS, 3DSS) have been approved by EMVCo
Please check whether the software systems you use have been certified by EMVco and card scheme. If you do it by yourself, you have to get the LOA by yourself, and if you get it from your software/solution vendors, let them confirm they have gotten the LOA.
(3) Establish a PCI 3DS environment based on PCI 3DS Secure Standard
Set up your systems, applications, databases and the networks and security components. You can either base them on PCI DSS requirements or PCI 3DS standard Part 1.
If you are going to use a cloud service to build up your PCI 3DS environment, check with your cloud service vendor if they have been validated by PCI 3DS before you use it.
(4) Ensure the security of your 3DS data
Based on the PCI 3DS Data Matrix, all sensitive data should be encrypted when you keep the data in your 3DS environment.
Most 3DS transaction data transferred by API interface between DS, 3DSS, and ACS, the security of data transfer protected by TLS and the relevant certificates issued by card schemes should be in place.
(5) Prepare and implement related procedures and management assignments
PCI 3DS standard requires many accompanying management policies, procedures and risk management strategies. And you will also need to keep the execution records to prove your compliance to the management procedures and PCI 3DS standard.
(6) Technical testing of compliance requirements
Most technical tests are required by PCI DSS or the PCI 3DS Part 1, but you still need to take care the application/development security, code review and testing of the API interfaces should be done before you can get your systems validated.
(7) PCI 3DS Assessment
Engage a PCI 3DS QSA company to do the assessment, based on card scheme requirement, you have to inform your card schemes before you conduct the PCI 3DS Assessment
Assessment takes 3-5 days onsite checking and evidence review, follow the guidance of the QSA company to get the environment ready and keep enough compliance evidence can help you pass the validation more smoothly and quickly.
Secure Vectors Information Technologies Inc.
Secure Vectors Information Technologies, Inc. (SVITI) is a leading professional consulting and certification firm specializing in providing payment card related security consulting and certification services, including PCI DSS, PCI 3DS, and PCI PIN Security Standards. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore, Secure Vectors is a leading company in this space and is recognized for our best-in-class service quality.
Written by Vincent Huang
* QSA and Consultant at Secure Vectors Information Technologies Inc. 20-year experience in IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security.