PCI DSS
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements defined by the major international card brands. It applies to all entities that transmit, process and/or store those brands' cardholder data. Merchants and service providers, regardless of their size or transaction volume, are required to comply with PCI DSS to protect cardholder data.
PCI DSS is defined by the PCI SSC (Payment Card Industry Security Standards Council), which is responsible for establishing and managing the standard. American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. are the founding members of the Council, so the standard applies to all cardholder data of these card brands.
PCI DSS is one of the most robust security standards, with 12 requirements grouped under 6 protection principles:
| Protection Principle | Requirement |
|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel |
The objective of PCI DSS is to protect cardholder data. Every card transaction is either Card Present or Card Not Present. A Card Present transaction is a face-to-face transaction in a physical store, while a Card Not Present transaction is typically an online payment or e-commerce transaction.
These transaction types touch different cardholder data. A Card Present transaction processes the sensitive data stored on the magnetic stripe or the card's chip, while a Card Not Present transaction only touches the Primary Account Number, the expiry date and the security code.
Below are the respective security requirements under PCI DSS:
The Primary Account Number (card number) must be encrypted or otherwise rendered unreadable wherever it is stored, and Sensitive Authentication Data (SAD) must not be stored at any point in the process.
| Account Data | Data Element | Storage Permitted | Render Stored Data Unreadable |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name | Yes | No |
| Cardholder Data | Service Code | Yes | No |
| Cardholder Data | Expiration Date | Yes | No |
| Sensitive Authentication Data | Full Track Data | No | Cannot store |
| Sensitive Authentication Data | CAV2/CVC2/CVV2/CID | No | Cannot store |
| Sensitive Authentication Data | PIN/PIN Block | No | Cannot store |
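The storage table above translates directly into a pre-storage check. The following Python is an added example, not code from the page or from the PCI SSC: it rejects any record that still carries Sensitive Authentication Data, validates the PAN with a Luhn check, and renders the PAN unreadable before it is stored, here by truncation to the first six and last four digits plus a keyed one-way hash (HMAC-SHA256) that can serve as a lookup token. It also masks full PANs found in free text such as log lines, since logs are storage too. The record layout, the field names in `SAD_FIELDS`, the truncation format and the sample key are assumptions of this example; key management is out of its scope.

```python
import hashlib
import hmac
import re

# Assumed field names that hold Sensitive Authentication Data (SAD).
# A record carrying any of these is rejected before it reaches storage.
SAD_FIELDS = frozenset({
    "track_data", "track1", "track2",   # full magnetic-stripe / chip track data
    "cav2", "cvc2", "cvv2", "cid",      # card verification codes
    "pin", "pin_block",                 # PIN and encrypted PIN block
})

PAN_RE = re.compile(r"\d{13,19}")
# Digit runs of PAN length not glued to other digits (for scanning free text).
PAN_IN_TEXT_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


class StorageViolation(ValueError):
    """Raised when a record would store data the table forbids."""


def luhn_valid(pan: str) -> bool:
    """Luhn check: doubles every second digit from the right, subtracting 9
    from any product above 9, and requires the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: keep the first six and the
    last four digits (assumed truncation format) and mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storage_violations(record: dict) -> list:
    """Names of SAD fields present in the record (empty list if none)."""
    return sorted(k for k in record if k.lower() in SAD_FIELDS)


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return the storable form of a card record, or raise if it may not be stored."""
    violations = storage_violations(record)
    if violations:
        raise StorageViolation(f"SAD fields may not be stored: {violations}")
    pan = str(record.get("pan", "")).replace(" ", "")
    if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
        raise ValueError("PAN is not a valid 13-19 digit Luhn-checked number")
    # Other cardholder data elements (name, expiry, service code) may be stored
    # as-is; only the PAN is replaced by its unreadable forms.
    stored = {k: v for k, v in record.items() if k != "pan"}
    stored["pan_truncated"] = truncate_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored


def mask_pans_in_text(text: str) -> str:
    """Mask Luhn-valid PAN-length digit runs in free text (e.g. log lines)."""
    def _mask(m):
        digits = m.group(0)
        return truncate_pan(digits) if luhn_valid(digits) else digits
    return PAN_IN_TEXT_RE.sub(_mask, text)


# Constructed sample input (not real card data): 4111111111111111 is a
# commonly used test PAN. The key is a placeholder, not a managed secret.
SAMPLE_KEY = b"example-key-replace-with-managed-secret"
SAMPLE_OK = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
             "expiry": "12/29", "service_code": "201"}
SAMPLE_BAD = dict(SAMPLE_OK, cvv2="123")   # carries SAD, must be rejected

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_OK, SAMPLE_KEY))
    try:
        prepare_for_storage(SAMPLE_BAD, SAMPLE_KEY)
    except StorageViolation as err:
        print("rejected:", err)
    print(mask_pans_in_text("2024-01-01 auth pan=4111111111111111 amount=10.00"))
```

The Luhn check in `mask_pans_in_text` keeps ordinary 13-19 digit identifiers (order numbers, timestamps) from being masked while still catching real PANs; the truncated form and the keyed hash together let an application display the tail of a card and match repeat use without ever holding the full PAN at rest.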
PCI DSS implementation can be divided into four phases: the Preparation Phase, the Inventory Phase, the Implementation Phase and the Assessment Phase, with the main tasks shown below.