Payment Card Industry Data Security Standard: Difference between revisions
Content deleted Content added
m →Validation Compliance: minor fixes |
m Rollback edit(s) by 186.189.95.183 (talk): Reverting good faith edits: better before; see MOS:LEAD (RW 16.1) |
||
| (478 intermediate revisions by more than 100 users not shown) | |||
| Line 1: | Line 1: | ||
{{short description|Set of security requirements for credit card processors}} |
|||
The '''Payment Card Industry Data Security Standard''' (PCI DSS) is a proprietary [[information security]] standard for organizations that handle branded [[credit card]]s from the major card schemes including [[Visa Inc.|Visa]], [[MasterCard]], [[American Express]], [[Discover Card|Discover]], and [[Japan Credit Bureau|JCB]]. The PCI Standard is mandated by the card brands and administered by the [[Payment Card Industry Security Standards Council]]. The standard was created to increase controls around cardholder data to reduce [[credit card fraud]]. Validation of compliance is performed annually, either by an external [[Qualified Security Assessor]] (QSA) or by a firm specific Internal Security Assessor (ISA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. |
|||
{{Use mdy dates|date=November 2018}} |
|||
The '''Payment Card Industry Data Security Standard''' ('''PCI DSS''') is an [[information security]] standard used to handle [[credit card]]s from major [[card scheme|card brands]]. The standard is administered by the [[Payment Card Industry Security Standards Council]], and its use is mandated by the card brands. It was created to better control cardholder data and reduce [[credit card fraud]]. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:<ref name = "PCI DSS" >{{cite web |title=Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018 |url=https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf |publisher=PCI Security Standards Council, LLC |access-date=September 4, 2018 |archive-date=September 1, 2018 |archive-url=https://web.archive.org/web/20180901212501/https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf |url-status=live }}</ref> |
|||
* Self-assessment questionnaire (SAQ) |
|||
* Firm-specific [[Internal Security Assessor]] (ISA) |
|||
* External [[Qualified Security Assessor]] (QSA) |
|||
==History== |
==History== |
||
The major card brands had five different security programs: |
|||
Five different programs: [[Visa (company)|Visa]]'s [[Cardholder Information Security Program]], [[MasterCard]]'s Site Data Protection, [[American Express]]' Data Security Operating Policy, [[Discover Card|Discover]]'s Information Security and Compliance, and the [[Japan Credit Bureau|JCB]]'s Data Security Program were started by card companies. The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. |
|||
*[[Visa Inc.|Visa]]'s Cardholder Information Security Program |
|||
*[[Mastercard]]'s Site [[Data Protection]] |
|||
The Payment Card Industry Security Standards Council (PCI SSC) was then formed and these companies aligned their individual policies to create the PCI DSS. |
|||
*[[American Express]]'s Data Security Operating Policy |
|||
*[[Discover Card|Discover]]'s Information Security and Compliance |
|||
There have been a number of versions: |
|||
*[[JCB (credit card company)|JCB]]'s Data Security Program |
|||
The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort by the principal credit-card organizations resulted in the release of version 1.0 of PCI DSS in December 2004.{{Citation needed|date=September 2022}} PCI DSS has been implemented and followed worldwide. |
|||
* 1.0 was released on December 15, 2004. |
|||
* 1.1 in September 2006 provide clarification and minor revisions. |
|||
* 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats. |
|||
* 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents. |
|||
* 2.0 was released in October 2010.<ref>{{cite web |url=https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf |title=PCI SECURITY STANDARDS COUNCIL RELEASES VERSION 2.0 OF THE PCI DATA SECURITY STANDARD AND PAYMENT APPLICATION DATA SECURITY STANDARD |
|||
|publisher=PCI Security Standards Council |
|||
|format=PDF |accessdate=2014-10-14}}</ref> |
|||
* 3.0 was released in November 2013 and is active from January 1, 2014 to December 31, 2017. |
|||
* 3.1 was released in April 2015, and will be retired October 31 2016. |
|||
* 3.2 was released in April 2016.<ref>{{Cite web|title = Preparing for PCI DSS 3.2: What to Expect in 2016|url = http://blog.pcisecuritystandards.org/preparing-for-pci-dss-32|website = blog.pcisecuritystandards.org|access-date = 2016-02-18|first = Laura|last = Johnson}}</ref> |
|||
==Requirements== |
|||
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives". |
|||
The Payment Card Industry Security Standards Council (PCI SSC) was then formed, and these companies aligned their policies to create the PCI DSS.<ref>{{Cite journal|last1=Liu|first1=Jing|last2=Xiao|first2=Yang|last3=Chen|first3=Hui|last4=Ozdemir|first4=Suat|last5=Dodle|first5=Srinivas|last6=Singh|first6=Vikas|date=2010|title=A Survey of Payment Card Industry Data Security Standard|journal=IEEE Communications Surveys & Tutorials|volume=12|issue=3|pages=287–303|doi=10.1109/SURV.2010.031810.00083|s2cid=18117838}}</ref> MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC in September 2006 as an administrative and governing entity which mandates the evolution and development of the PCI DSS.<ref>{{Cite web |title=About Us |url=https://www.pcisecuritystandards.org/about_us/ |access-date=2022-12-15 |website=PCI Security Standards Council |language=en-US |archive-date=April 2, 2022 |archive-url=https://web.archive.org/web/20220402184432/https://www.pcisecuritystandards.org/about_us/ |url-status=live }}</ref> Independent private organizations can participate in PCI development after they register. Each participating organization joins a SIG (Special Interest Group) and contributes to activities mandated by the group. The following versions of the PCI DSS have been made available:<ref name="PCIDSSLibrary">{{cite web |url=https://www.pcisecuritystandards.org/document_library |title=Document Library |publisher=PCI Security Standards Council |access-date=2020-11-12 |archive-date=November 7, 2020 |archive-url=https://web.archive.org/web/20201107125138/https://www.pcisecuritystandards.org/document_library |url-status=live }}</ref> |
|||
Each version of PCI DSS has divided these twelve requirements into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard. |
|||
{| |
{|class="wikitable"> |
||
! Version !! Date !! Notes |
|||
|- |
|- |
||
| 1.0 |
|||
! Control objectives |
|||
| December 15, 2004 |
|||
! PCI DSS requirements |
|||
| |
|||
|- |
|- |
||
| 1.1 |
|||
|rowspan="2"| Build and maintain a secure network |
|||
| September 2006 |
|||
| 1. Install and maintain a [[Firewall (computing)|firewall]] configuration to protect cardholder data |
|||
| clarification and minor revisions |
|||
|- |
|- |
||
| 1.2 |
|||
| 2. Do not use vendor-supplied defaults for system [[password]]s and other security parameters |
|||
| October 2008 |
|||
| enhanced clarity, improved flexibility, and addressed evolving risks and threats |
|||
|- |
|- |
||
| 1.2.1 |
|||
|rowspan="2"| Protect cardholder data |
|||
| July 2009 |
|||
| 3. Protect stored cardholder data |
|||
| minor corrections designed to create more clarity and consistency among the standards and supporting documents |
|||
|- |
|- |
||
| 2.0 |
|||
| 4. Encrypt transmission of cardholder data across open, public networks |
|||
| October 2010 |
|||
| |
|||
|- |
|- |
||
| 3.0 |
|||
|rowspan="2"| Maintain a vulnerability management program |
|||
| November 2013 |
|||
| 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
|||
| active from January 1, 2014 to June 30, 2015 |
|||
|- |
|- |
||
| 3.1 |
|||
| 6. Develop and maintain secure systems and applications |
|||
| April 2015 |
|||
| retired since October 31, 2016 |
|||
|- |
|- |
||
| 3.2 |
|||
|rowspan="3"| Implement strong access control measures |
|||
| April 2016 |
|||
| 7. Restrict access to cardholder data by business need-to-know |
|||
| retired since December 31, 2018 |
|||
|- |
|- |
||
| 3.2.1 |
|||
| 8. Assign a unique ID to each person with computer access |
|||
| May 2018 |
|||
| retired since March 31, 2024 |
|||
|- |
|- |
||
| 4.0 |
|||
| 9. Restrict physical access to cardholder data |
|||
| March 2022 |
|||
|- |
|||
| updated firewall terminology, expansion of Requirement 8 to implement multi-factor authentication (MFA), increased flexibility to demonstrate security, and targeted risk analyses to establish risk exposure operation and management<ref>{{Cite web |publisher=PCI Security Standards Council |date=March 31, 2022 |title=Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0 |url=https://www.pcisecuritystandards.org/about_us/press_releases/pr_03312022 |access-date=April 8, 2022 |archive-date=April 9, 2022 |archive-url=https://web.archive.org/web/20220409113047/https://www.pcisecuritystandards.org/about_us/press_releases/pr_03312022 |url-status=live }}</ref> |
|||
|rowspan="2"| Regularly monitor and test networks |
|||
| 10. Track and monitor all access to network resources and cardholder data |
|||
|- |
|||
| 11. Regularly test security systems and processes |
|||
|- |
|||
| Maintain an information security policy |
|||
| 12. Maintain a policy that addresses information security |
|||
|} |
|} |
||
==Requirements== |
|||
==Updates and supplemental information== |
|||
The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives:<ref name="Objectives">{{cite web |url=https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true |format=PDF |title=PCI DSS Quick Reference Guide |access-date=2020-11-12 |archive-date=November 12, 2020 |archive-url=https://web.archive.org/web/20201112200008/https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true |url-status=live }}</ref> |
|||
The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following |
|||
* Information Supplement: Requirement 11.3 Penetration Testing<ref>{{cite web|url=https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf |title=Information Supplement: Requirement 11.3 Penetration Testing |format=PDF |accessdate=2014-06-24}}</ref> |
|||
* Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified<ref>{{cite web|url=https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf |title=Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified |format=PDF |accessdate=2014-06-24}}</ref> |
|||
* Navigating the PCI DSS - Understanding the Intent of the Requirements<ref>{{cite web|url=https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf |title=Navigating the PCI DSS - Understanding the Intent of the Requirements |format=PDF |accessdate=2014-06-24}}</ref> |
|||
* Information Supplement: PCI DSS Wireless Guidelines<ref name="PCI DSS Wireless Guidelines">{{cite web|title= PCI DSS Wireless Guidelines|url=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf|accessdate=2009-07-16}}</ref> |
|||
# Build and maintain a [[Transport Layer Security|secure network]] and systems |
|||
==Validation Compliance== |
|||
# Protect cardholder data |
|||
# Maintain a vulnerability management program |
|||
# Implement strong access-control measures |
|||
# Regularly monitor and test networks |
|||
# Maintain an information security policy |
|||
Each PCI DSS version has divided these six requirement groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is divided into three sections: |
|||
===Qualified Security Assessor (QSA)=== |
|||
# PCI DSS requirements: Define the requirement. The PCI DSS endorsement is made when the requirement is implemented. |
|||
{{main|Qualified Security Assessor}} |
|||
# Testing: The processes and methodologies carried out by the assessor for the confirmation of proper implementation. |
|||
A Qualified Security Assessor is a certificate that has been provided by the PCI Security Standards Council. This Certified person can audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance.<ref>{{cite news|last1=Rouse|first1=Margaret|title=Qualified Security Assessor (QSA)|url=http://searchsecurity.techtarget.com/definition/Qualified-Security-Assessor-QSA|accessdate=3 August 2016}}</ref> |
|||
# Guidance: Explains the purpose of the requirement and the corresponding content, which can assist in its proper definition. |
|||
In version 3.2.1 of the PCI DSS, the twelve requirements are: |
|||
===Report on Compliance (ROC)=== |
|||
# Install and maintain a [[Firewall (computing)|firewall]] system to protect cardholder data. |
|||
A Report on Compliance is a form that has to be filled by all level 1 merchants Visa merchants undergoing a PCI DSS (Payment Card Industry Data Security Standard) audit.The ROC form is used to verify that the merchants being audited is compliant with the PCI DSS standard.<ref>{{cite news|last1=Rouse|first1=Margaret|title=Report on Compliance (ROC)|url=http://searchsecurity.techtarget.com/definition/Report-on-Compliance-ROC|accessdate=3 August 2016}}</ref> |
|||
# Avoid vendor-supplied defaults for system passwords and other security parameters. |
|||
# Protect stored cardholder data. |
|||
# Encrypt transmission of cardholder data on open, public networks. |
|||
# Protect all systems against malware, and update anti-virus software or programs. |
|||
# Develop and maintain secure systems and applications. |
|||
# Restrict access to cardholder data by business [[need to know]]. |
|||
# Identify and authenticate access to system components. |
|||
# Restrict physical access to cardholder data. |
|||
# Track and monitor access to network resources and cardholder data. |
|||
# Regularly test security systems and processes. |
|||
# Maintain an information security policy which addresses [[information security]] for all personnel. |
|||
==Updates and supplemental information== |
|||
===Self-Assessment Questionnaire (SAQ)=== |
|||
The PCI SSC (Payment Card Industry Security Standards Council) has released supplemental information to clarify requirements, which includes: |
|||
The Self-Assessment Questionnaire is a set of Questionnaires documents that merchants are required to complete each and every year and submit to their transaction Bank. <ref>{{cite web|title=SAQ - SELF ASSESSMENT QUESTIONNAIRE|url=https://www.hackerguardian.com/pci-saq.html|accessdate=3 August 2016}}</ref> |
|||
* Information Supplement: Requirement 11.3 Penetration Testing |
|||
* Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified |
|||
* Navigating the PCI DSS - Understanding the Intent of the Requirements |
|||
* PCI DSS Wireless Guidelines<ref>{{cite web |title=Information Supplement: PCI DSS Wireless Guidelines |url=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Wireless_Guidelines.pdf |date=August 26, 2011 |access-date=August 8, 2018 |archive-date=October 31, 2018 |archive-url=https://web.archive.org/web/20181031145315/https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Wireless_Guidelines.pdf |url-status=live }}</ref> |
|||
* PCI DSS Applicability in an EMV Environment |
|||
* Prioritized Approach for PCI DSS |
|||
* Prioritized Approach Tool |
|||
* PCI DSS Quick Reference Guide |
|||
* PCI DSS Virtualization Guidelines |
|||
* PCI DSS Tokenization Guidelines |
|||
* PCI DSS 2.0 Risk Assessment Guidelines |
|||
* The lifecycle for Changes to the PCI DSS and PA-DSS |
|||
* Guidance for PCI DSS Scoping and Segmentation |
|||
* PCI DSS v4.0 Resource Hub<ref>{{cite web|url=https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub|title=PCI DSS v4.0 Resource Hub|access-date=March 24, 2023|archive-date=March 23, 2023|archive-url=https://web.archive.org/web/20230323194606/https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub|url-status=live}}</ref> |
|||
==Reporting levels== |
|||
==Compliance versus validation of compliance== |
|||
Companies subject to PCI DSS standards must be PCI-compliant; how they prove and report their compliance is based on their annual number of transactions and how the transactions are processed. An [[Acquiring bank|acquirer]] or payment brand may manually place an organization into a reporting level at its discretion.<ref>{{Cite web|url=https://www.pcisecuritystandards.org/|title=Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards|website=www.pcisecuritystandards.org|access-date=February 21, 2007|archive-date=September 2, 2019|archive-url=https://web.archive.org/web/20190902032456/https://www.pcisecuritystandards.org/|url-status=live}}</ref> Merchant levels are: |
|||
* Level 1 – Over six million transactions annually |
|||
* Level 2 – Between one and six million transactions |
|||
* Level 3 – Between 20,000 and one million transactions, and all e-commerce merchants |
|||
* Level 4 – Less than 20,000 transactions |
|||
Each card issuer maintains a table of compliance levels and a table for service providers.<ref>{{Cite web | url=https://www.visaeurope.com/receiving-payments/security/merchants | title=Visa in Europe | access-date=February 8, 2019 | archive-date=February 9, 2019 | archive-url=https://web.archive.org/web/20190209124508/https://www.visaeurope.com/receiving-payments/security/merchants | url-status=live }}</ref><ref>{{Cite web|url=https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html|title=Things Merchants Need to Know | Process Payment Data & Secured Transactions | Mastercard|website=www.mastercard.us|access-date=February 8, 2019|archive-date=February 9, 2019|archive-url=https://web.archive.org/web/20190209124526/https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html|url-status=live}}</ref> |
|||
Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both [[Visa Inc.|Visa]] and [[MasterCard]] require merchants and service providers to be validated according to the PCI DSS. Visa also offers an alternative program called the Technology Innovation Program (TIP) that allows qualified merchants to discontinue the annual PCI DSS validation assessment. These merchants are eligible if they are taking alternative precautions against counterfeit fraud such as the use of [[EMV]] or [[Point to Point Encryption]] (P2PE) technology, however they are still required to be PCI DSS compliant.<ref>{{Cite web|title = Technology Innovation Program Expanded to Merchants That Implement Point-to-Point Encryption -|url = https://www.bluefin.com/industry-news/technology-innovation-program-expanded-merchants-point-to-point-encryption/|website = Bluefin Payment Systems|access-date = 2016-02-17|language = en-US}}</ref> Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS although these organizations must still implement all controls in order to maintain safe-harbour and avoid potential liability in the event of fraud associated with theft of cardholder data. |
|||
=={{anchor|Validation of compliance}}Compliance validation== |
|||
Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit.<ref>{{cite web |url=https://www.hackerguardian.com/hackerguardian/learn/pci-scan-compliancy.html |title= PCI Compliance scan |accessdate=2015-02-12}}</ref> |
|||
Compliance validation involves the evaluation and confirmation that the security controls and procedures have been implemented according to the PCI DSS. Validation occurs through an annual assessment, either by an external entity, or by self-assessment.<ref name="PCI_Validation">{{cite web |last1=PCI Security Standards Council |title=Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 |url=https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf |publisher=PCI Security Standards Council, LLC |access-date=September 4, 2018 |archive-date=July 19, 2023 |archive-url=https://web.archive.org/web/20230719023959/https://www.pcisecuritystandards.org/document_library/?category=pcidss&document=pci_dss |url-status=live }}</ref> |
|||
==={{anchor|Report on Compliance (ROC)}}Report on Compliance=== |
|||
In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines. |
|||
A Report on Compliance (ROC) is conducted by a PCI Qualified Security Assessor (QSA) and is intended to provide independent validation of an entity's compliance with the PCI DSS standard. A completed ROC results in two documents: a ROC Reporting Template populated with detailed explanation of the testing completed, and an Attestation of Compliance (AOC) documenting that a ROC has been completed and the overall conclusion of the ROC. |
|||
==={{anchor|Self-Assessment Questionnaire (SAQ)}}Self-Assessment Questionnaire=== |
|||
==Mandated compliance== |
|||
The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended for small to medium sized merchants and service providers to assess their own PCI DSS compliance status. There are multiple types of SAQ, each with a different length depending on the entity type and payment model used. Each SAQ question has a yes-or-no answer, and any "no" response requires the entity to indicate its future implementation. As with ROCs, an attestation of compliance (AOC) based on the SAQ is also completed. |
|||
Compliance with PCI DSS is not required by federal law in the [[United States]]. However, the laws of some U.S. states either refer to PCI DSS directly, or make equivalent provisions. |
|||
===Security Assessors=== |
|||
In 2007, Minnesota enacted a law prohibiting the retention of payment card data.<ref>{{cite web |title=Minnesota Session Laws - CHAPTER 108--H.F.No. 1758 |accessdate=2014-11-04}}</ref> |
|||
The PCI Security Standards Council maintains a program to certify companies and individuals to perform assessment activities. |
|||
===={{anchor|Qualified Security Assessor (QSA)}}Qualified Security Assessor==== |
|||
In 2009, Nevada incorporated the standard into state law, requiring compliance of merchants doing business in that state with the current PCI DSS, and shields compliant entities from liability.<ref>[http://www.leg.state.nv.us/Division/Legal/LawLibrary/NRS/NRS-603A.html Nevada Revised Statutes, Chap. 603A] §215.</ref> |
|||
A [[Qualified Security Assessor]] (QSA) is an individual certified by the PCI Security Standards Council to validate another entity's PCI DSS compliance. QSAs must be employed and sponsored by a QSA Company, which also must be certified by the PCI Security Standards Council.<ref>{{cite web |title=Qualified Security Assessors |url=https://listings.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors |publisher=PCI Security Standards Council |access-date=May 18, 2023 |archive-date=May 18, 2023 |archive-url=https://web.archive.org/web/20230518054629/https://listings.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors |url-status=live }}</ref><ref>{{cite web |title=Qualification Requirements for Qualified Security Assessors (QSA) |url=https://docs-prv.pcisecuritystandards.org/Programs%20and%20Certification/Qualified%20Security%20Assessor%20(QSA)/QSA_Qualification_Requirements_v4.0.pdf |publisher=PCI Security Standards Council}}</ref> |
|||
===={{anchor|Internal Security Assessor (ISA)}}Internal Security Assessor ==== |
|||
In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be compliant to PCI DSS, but compliant entities are shielded from liability in the event of a data breach.<ref>{{cite web |url=http://apps.leg.wa.gov/documents/billdocs/2009-10/Pdf/Bills/Session%20Laws/House/1149-S2.SL.pdf |title=Wash. Rev. Code § 19.255.020 (2011) |format=PDF |accessdate=2014-04-11}}</ref> |
|||
An [[Internal Security Assessor]] (ISA) is an individual who has earned a certificate from the PCI Security Standards Council for their sponsoring organization, and can conduct PCI self-assessments for their organization. The ISA program was designed to help Level 2 merchants meet Mastercard compliance validation requirements.<ref name="FierceRetail 2010">{{cite web | title=Avoid Paying For PCI Certification You Don't Need | website=FierceRetail | date=May 12, 2010 | url=https://www.fierceretail.com/operations/avoid-paying-for-pci-certification-you-don-t-need | access-date=March 26, 2018 |url-status=dead |archive-url=https://web.archive.org/web/20220517002903/https://www.fierceretail.com/operations/avoid-paying-for-pci-certification-you-don-t-need |archive-date=2022-05-17}}</ref> ISA certification empowers an individual to conduct an appraisal of his or her association and propose security solutions and controls for PCI DSS compliance. ISAs are in charge of cooperation and participation with QSAs.<ref name="PCI_Validation" /> |
|||
==Compliance |
==Compliance versus validation of compliance== |
||
Although the PCI DSS must be implemented by all entities which process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. [[Visa Inc.|Visa]] and [[Mastercard]] require merchants and service providers to be validated according to the PCI DSS; Visa also offers a Technology Innovation Program (TIP), an alternative program which allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against fraud, such as the use of [[EMV]] or [[point-to-point encryption]]. |
|||
In July 2009, the [[Payment Card Industry Security Standards Council]] published wireless guidelines<ref name="PCI DSS Wireless Guidelines"/> for PCI DSS recommending the use of [[wireless intrusion prevention system]] (WIPS) to automate wireless scanning for large organizations. Wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.<ref>{{cite web|title= Don’t Let Wireless Detour your PCI Compliance |url= http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/PCI_Wireless_Whitepaper.pdf|accessdate=2009-07-22}}</ref> |
|||
[[Issuing bank]]s are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks must comply with PCI DSS and have their compliance validated with an [[audit]]. In a security breach, any compromised entity which was not PCI DSS-compliant at the time of the breach may be subject to additional penalties (such as fines) from card brands or acquiring banks. |
|||
These guidelines apply to the deployment of [[wireless LAN]] (WLAN) in Cardholder Data Environments, also known as <abbr title="Cardholder Data Environments">CDE</abbr>s. A <abbr title="Cardholder Data Environments">CDE</abbr> is defined as a network environment that possesses or transmits credit card data.<ref>{{cite web|url=https://www.pcisecuritystandards.org/security_standards/glossary.php |title=Payment Card Industry (PCI) Data Security Standard Glossary, Abbreviations and Acronyms |publisher=Pcisecuritystandards.org |accessdate=2014-06-24}}</ref> |
|||
==Legislation in the United States== |
|||
===Wireless LAN and CDE classification=== |
|||
Compliance with PCI DSS is not required by federal law in the [[United States]], but the laws of some states refer to PCI DSS directly or make equivalent provisions. Legal scholars Edward Morse and Vasant Raval have said that by enshrining PCI DSS compliance in legislation, card networks reallocated the cost of fraud from card issuers to merchants.<ref name=morse /> |
|||
PCI DSS wireless guidelines classify <abbr title="Cardholder Data Environments">CDE</abbr>s into three scenarios depending on how wireless LANs are deployed. |
|||
In 2007, Minnesota enacted a law prohibiting the retention of some types of payment-card data more than 48 hours after authorization of a transaction.<ref>James T. Graves, ''[https://heinonline.org/HOL/P?h=hein.journals/wmitch34&i=1125 Minnesota's PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care'] {{Webarchive|url=https://web.archive.org/web/20200806082321/https://heinonline.org/HOL/P?h=hein.journals/wmitch34&i=1125 |date=August 6, 2020 }}'' William Mitchell Law Review 34, no. 3 (2008): 1115-1146</ref><ref>{{Cite web |url=https://www.revisor.mn.gov/statutes/cite/325E.64 |title=MINN. STAT. § 325E.64 |access-date=October 10, 2019 |archive-date=October 10, 2019 |archive-url=https://web.archive.org/web/20191010174007/https://www.revisor.mn.gov/statutes/cite/325E.64 |url-status=live }}</ref> Nevada incorporated the standard into state law two years later, requiring compliance by merchants doing business in that state with the current PCI DSS and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by other approved security standards.<ref>{{Cite web |url=https://www.leg.state.nv.us/NRS/NRS-603A.html |title=NEV. REV. STAT. § 603A.215 |access-date=October 10, 2019 |archive-date=October 1, 2019 |archive-url=https://web.archive.org/web/20191001180747/https://www.leg.state.nv.us/NRS/NRS-603A.html |url-status=live }}</ref><ref name="morse">Edward A. Morse; Vasant Raval, ''[https://heinonline.org/HOL/P?h=hein.journals/depbcl10&i=217 Private Ordering in Light of the Law: Achieving Consumer Protection through Payment Card Security Measures] {{Webarchive|url=https://web.archive.org/web/20200806125900/https://heinonline.org/HOL/P?h=hein.journals/depbcl10&i=217 |date=August 6, 2020 }}'' DePaul Business & Commercial Law Journal 10, no. 2 (Winter 2012): 213-266</ref> In 2010, [[Washington (state)|Washington]] also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be PCI DSS-compliant; however, compliant entities are shielded from liability in the event of a data breach.<ref>{{Cite web |url=http://leg.wa.gov/CodeReviser/documents/sessionlaw/2010pam1.pdf |title=2010 Wash. Sess. Laws 1055, § 3. |access-date=October 10, 2019 |archive-date=July 28, 2019 |archive-url=https://web.archive.org/web/20190728151212/http://leg.wa.gov/CodeReviser/documents/sessionlaw/2010pam1.pdf |url-status=live }}</ref><ref name=morse/> |
|||
* '''No known WLAN AP inside or outside the <abbr title="Cardholder Data Environments">CDE</abbr>''': The organization has not deployed any WLAN AP. In this scenario, three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply. |
|||
* '''Known WLAN AP outside the <abbr title="Cardholder Data Environments">CDE</abbr>''': The organization has deployed WLAN APs outside the <abbr title="Cardholder Data Environments">CDE</abbr>. These WLAN APs are segmented from the <abbr title="Cardholder Data Environments">CDE</abbr> by a firewall. There are no known WLAN APs inside the <abbr title="Cardholder Data Environments">CDE</abbr>. In this scenario, three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply. |
|||
* '''Known WLAN AP inside the <abbr title="Cardholder Data Environments">CDE</abbr>''': The organization has deployed WLAN APs inside the <abbr title="Cardholder Data Environments">CDE</abbr>. In this scenario, three minimum scanning requirements (Sections 11.1, 11.4 and 12.9), as well as six secure deployment requirements (Sections 2.1.1, 4.1.1, 9.1.3, 10.5.4, 10.6 and 12.3) of the PCI DSS apply. |
|||
=={{anchor|Controversies and criticisms|Compliance and compromises}}Controversy and criticism== |
|||
Key sections of PCI DSS 1.2 that are relevant for wireless security are classified and defined below. |
|||
Visa and Mastercard impose fines for non-compliance. Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in [[Park City, Utah]], were fined for a breach for which two forensics firms could not find evidence: |
|||
{{quote|The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines are "profitable to them," the McCombs say.<ref>{{cite magazine|url=https://www.wired.com/2012/01/pci-lawsuit/ |title=Rare Legal Fight Takes on Credit Card Company Security Standards and Fines |magazine=Wired |date=January 11, 2012 |access-date=March 30, 2019|last1=Zetter |first1=Kim }}</ref>}} |
|||
===Secure deployment requirements for wireless LANs=== |
|||
These secure deployment requirements apply to only those organizations that have a known WLAN AP inside the <abbr title="Cardholder Data Environments">CDE</abbr>. The purpose of these requirements is to deploy WLAN APs with proper safeguards. |
|||
* '''Section 2.1.1 Change Defaults''': Change default passwords, SSIDs on wireless devices. Enable WPA or WPA2 security. |
|||
* '''Section 4.1.1 802.11i Security''': Set up APs in WPA or WPA2 mode with 802.1X authentication and AES encryption. Use of WEP in <abbr title="Cardholder Data Environments">CDE</abbr> is not allowed after June 30, 2010. |
|||
* '''Section 9.1.3 Physical Security''': Restrict physical access to known wireless devices. |
|||
* '''Section 10.5.4 Wireless Logs''': Archive wireless access centrally using a WIPS for 1 year. |
|||
* '''Section 10.6 Log Review''': Review wireless access logs daily. |
|||
* '''Section 12.3 Usage Policies''': Develop usage policies to list all wireless devices regularly. Develop usage possible for the use of wireless devices. |
|||
Michael Jones, [[Chief information officer|CIO]] of [[Michaels]], testified before a U.S. Congressional subcommittee about the PCI DSS: |
|||
===Minimum scanning requirements for wireless LAN=== |
|||
These minimum scanning requirements apply to all organizations regardless of the type of wireless LAN deployment in the <abbr title="Cardholder Data Environments">CDE</abbr>. The purpose of these requirements is to eliminate any rogue or unauthorized WLAN activity inside the <abbr title="Cardholder Data Environments">CDE</abbr>. |
|||
* '''Section 11.1 Quarterly Wireless Scan''': Scan '''all''' sites with <abbr title="Cardholder Data Environments">CDE</abbr>s whether or not they have known WLAN APs in the <abbr title="Cardholder Data Environments">CDE</abbr>. Sampling of sites is not allowed. A WIPS is recommended for large organizations since it is not possible to manually scan or conduct a walk-around wireless security audit<ref>{{cite web|title=Walk Around Wireless Security Audits – The End Is Near|url=http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/WP_WalkAroundWireless.pdf|accessdate=2009-07-22}}</ref> of all sites on a quarterly basis |
|||
* '''Section 11.4 Monitor Alerts''': Enable automatic WIPS alerts to instantly notify personnel of rogue devices and unauthorized wireless connections into the <abbr title="Cardholder Data Environments">CDE</abbr>. |
|||
* '''Section 12.9 Eliminate Threats''': Prepare an '''incident response plan''' to monitor and respond to alerts from the WIPS. Enable automatic containment mechanism on WIPS to block rogues and unauthorized wireless connections. |
|||
{{quote|[The PCI DSS requirements] are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve "Requirements" for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an ''incredible burden on a retailer'' and ''many of which are subject to interpretation''.<ref>{{cite journal |url=https://www.hsdl.org/?abstract&did=27800 |title=Do the Payment Card Industry Data Standards Reduce Cybercrime? A Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, House of Representatives, One Hundred Eleventh Congress, First Session, March 31, 2009. |publisher=GPO |date=March 31, 2009 |access-date=March 30, 2019 |archive-date=March 30, 2019 |archive-url=https://web.archive.org/web/20190330120636/https://www.hsdl.org/?abstract&did=27800 |url-status=live }}</ref>}} |
|||
==PCI compliance in call centers== |
|||
The PCI DSS may compel businesses pay more attention to IT security, even if minimum standards are not enough to eradicate security problems. [[Bruce Schneier]] spoke in favor of the standard: |
|||
{{tone|date=July 2016}} |
|||
{{quote|Regulation—SOX, [[Health Insurance Portability and Accountability Act|HIPAA]], GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever—has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services.<ref>{{cite web |url=https://www.schneier.com/news/archives/2008/01/bruce_schneier_refle.html |title=Bruce Schneier Reflects on a Decade of Security Trends |publisher=Schneier on Security |date=January 15, 2008 |access-date=March 8, 2019 |archive-date=March 3, 2019 |archive-url=https://web.archive.org/web/20190303005705/https://www.schneier.com/news/archives/2008/01/bruce_schneier_refle.html |url-status=live }}</ref>}} |
|||
While the PCI DSS standards are very explicit about the requirements for the back end storage and access of CHD ([[Card Holder Data]]), the Payment Card Industry Security Standards Council has said very little about the collection of that information on the front end, whether through websites, [[interactive voice response]] systems or call center agents. This is surprising, given the high threat potential for [[credit card fraud]] and data compromise that [[call centers]] pose.<ref>{{cite news | url=http://news.bbc.co.uk/2/hi/uk_news/7953401.stm| title= Overseas credit card scam exposed| work= bbc.co.uk.com |date= March 19, 2009| first=Allan| last=Little}}</ref><ref>{{cite news | last=Loviglio | first=Joann| url= http://www.msnbc.msn.com/id/46874551/ns/technology_and_science-security/| title= If Microsoft co-founder's ID isn't safe, is yours? | publisher= MSNBC |date= March 2012}}</ref> |
|||
[[Payment card industry|PCI]] Council general manager Bob Russo responded to objections by the [[National Retail Federation]]: |
|||
In a call center, customers read their credit card information, [[Card Verification Value|CVV]] codes, and expiration dates to call center agents. There are few controls which prevent the agent from [[skimming (credit card fraud)]] this information with a recording device or a computer or physical note pad. Moreover, almost all call centers deploy some kind of [[call recording software]], which is capturing and storing all of this sensitive consumer data. These recordings are accessible by a host of call center personnel, are often unencrypted, and generally do not fall under the PCI DSS standards outlined here.<ref>{{cite web|title=PCI Compliance in the Call Center a Headache for Many|url=http://searchcrm.techtarget.com/news/2240031378/PCI-compliance-in-the-call-center-a-headache-for-many|publisher=searchcrm.com|accessdate=2011-01-28}}</ref> Home-based telephone agents pose an additional level of challenges, requiring the company to secure the channel from the home-based agent through the call center hub to the retailer applications.<ref>{{cite web|title=PCI Compliance: What it Means to the Call Center Industry|url=http://callcenterinfo.tmcnet.com/analysis/articles/20732-pci-compliance-what-it-means-the-call-center.htm|publisher=tmcnet.com|accessdate=2008-02-13}}</ref> |
|||
{{quote|[PCI is a structured] blend ... [of] specificity and high-level concepts [that allows] stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards.<ref>{{Cite web|title=Can PCI Compliance be Harmful to Your Security Initiative?|url=https://www.brighttalk.com/webcast/288/37985/can-pci-compliance-be-harmful-to-your-security-initiative|access-date=2020-10-09|website=www.brighttalk.com|archive-date=April 18, 2021|archive-url=https://web.archive.org/web/20210418105524/https://www.brighttalk.com/webcast/288/37985/can-pci-compliance-be-harmful-to-your-security-initiative|url-status=live}}</ref>}} |
|||
To address some of these concerns, on 18 March 2011 the [[Payment Card Industry Security Standards Council]] issued a revised FAQ about call center recordings.<ref>{{cite web|title=Call Center FAQ Significantly Changes|url=http://www.destinationcrm.com/Articles/CRM-News/CRM-Featured-News/PCI-Council-Releases-Supplemental-Guidance-for-Protecting-Telephone-Based-Payment-Card-Data-74450.aspx}}</ref> The bottom line is that companies can no longer store digital recordings that include sensitive card data if those recordings can be queried. |
|||
Visa chief enterprise risk officer Ellen Richey said in 2018, "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach".<ref name="COMPUTERWORLD--Post-breach-PCI">{{cite web |last1=Vijayan |first1=Jaikumar |title=Post-breach criticism of PCI security standard misplaced, Visa exec says |url=https://www.computerworld.com/article/2531828/security0/post-breach-criticism-of-pci-security-standard-misplaced--visa-exec-says.html |work=Computerworld |access-date=4 September 2018 |date=March 19, 2009 |archive-date=September 4, 2018 |archive-url=https://web.archive.org/web/20180904154025/https://www.computerworld.com/article/2531828/security0/post-breach-criticism-of-pci-security-standard-misplaced--visa-exec-says.html |url-status=live }}</ref> However, a 2008 breach of [[Heartland Payment Systems#Security breach|Heartland Payment Systems]] (validated as PCI DSS-compliant) resulted in the compromising of one hundred million card numbers. Around that time, [[Hannaford Brothers Company|Hannaford Brothers]] and [[TJX Companies]] (also validated as PCI DSS-compliant) were similarly breached as a result of the allegedly-coordinated efforts of [[Albert Gonzalez]] and two unnamed Russian hackers.<ref>{{Cite thesis|title=Cyber safety: systems thinking and systems theory approach to managing cyber security risks|url=https://dspace.mit.edu/handle/1721.1/90804|publisher=Massachusetts Institute of Technology|date=2014|degree=Thesis|first=Hamid M.|last=Salim|hdl=1721.1/90804|access-date=October 8, 2020|archive-date=April 18, 2021|archive-url=https://web.archive.org/web/20210418120401/https://dspace.mit.edu/handle/1721.1/90804|url-status=live}}</ref> |
|||
Technology solutions can also completely prevent [[skimming (credit card fraud)]] by agents. At the point in the transaction where the agent needs to collect the credit card information, the call can be transferred to an [[Interactive Voice Response]] system.<ref>{{cite web|title=Restructuring the Contact Center for PCI Compliance|url=http://callcenterinfo.tmcnet.com/analysis/articles/45010-restructuring-contact-center-pci-compliance.htm|publisher=tmcnet.com|accessdate=2008-11-10}}</ref> This protects the sensitive information, but can create an awkward customer interaction. Solutions such as [[agent-assisted automation]] allow the agent to capture the credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the [[customer relationship management]] software using the keypad of their phone. Agent-assisted automation can stumble however if callers read back the digits as they enter them. [[Dual-tone multi-frequency signaling|DTMF tones]] are suppressed entirely or converted to monotones so the agent cannot recognize them and so that they cannot be recorded. Some secure payment platforms allows for the masking of the [[Dual-tone multi-frequency signaling|DTMF tones]], but are still recorded as DTMF tones by the on-site or hosted call recorders. Traditionally the only way to suppress [[Dual-tone multi-frequency signaling|DTMF tones]] is to intercept the call at the trunk using sophisticated servers and call cards to do so. This way allows for the suppression or masking of the [[Dual-tone multi-frequency signaling|DTMF tones]] to the call recorder, as well as the agent. |
|||
Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, frequently using [[Sampling (statistics)|sampling]] to allow compliance to be demonstrated with representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain compliance throughout the annual validation-and-assessment cycle across all systems and processes. A breakdown in merchant and service-provider compliance with the written standard may have been responsible for the breaches; Hannaford Brothers received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems. |
|||
As recently as June 2014, we saw the introduction of cloud based telephony payment solutions hit the market, but still challenges remain with such deployments as calls need to be routed to the cloud platform before they can be executed onwards to the call center. This is done so the cloud server can intercept the call to control the [[Dual-tone multi-frequency signaling|DTMF tones]] for secure masking or clamping to both the agent and cloud call recorders. If going through the network cloud, no hardware or software needs to be installed in the organization itself, though cloud solutions remain logistic and integration challenging to both service providers and merchants. |
|||
Compliance validation is required only for level 1 to 3 merchants and may be optional for Level 4, depending on the card brand and acquirer. According to Visa's compliance validation details for merchants, level-4 merchant compliance-validation requirements ("Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually") are set by the [[Acquiring bank|acquirer]]. Over 80 percent of payment-card compromises between 2005 and 2007 affected level-4 merchants, who handled 32 percent of all such transactions.{{cn|date=May 2023}} |
|||
The benefits of increasing the security around the collection of [[personally identifiable information]] goes beyond [[credit card fraud]] to include helping merchants win [[chargebacks]] due to [[friendly fraud]].<ref>{{cite news | last=Adsit | first=Dennis| url= http://www.isixsigma.com/index.php?option=com_k2&view=item&id=1854&Itemid=1&Itemid=1| title= Error-proofing strategies for managing call center fraud | publisher = iSixSigma (Ideal Media, LLC) |date= February 21, 2011}}</ref> |
|||
== See also == |
|||
==Controversies and criticisms== |
|||
According to Stephen and Theodora "Cissy" McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah (which was fined for a breach that two forensics firms could not find evidence even occurred), "the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. [http://pcidsscompliance.net/overview/fines-for-non-compliance/ Visa and MasterCard impose fines] on merchants even when there is no fraud loss at all, simply because the fines 'are profitable to them.'"<ref name="wired-pcidss-suit">{{cite news |
|||
| last = Zetter |
|||
| first = Kim |
|||
| title = Rare Legal Fight Takes On Credit Card Company Security Standards and Fines |
|||
| work = Wired |
|||
| date = January 11, 2012 |
|||
| url = http://www.wired.com/threatlevel/2012/01/pci-lawsuit/ |
|||
| accessdate = January 16, 2012 }}</ref> |
|||
Additionally, Michael Jones, CIO of Michaels' Stores, testifying before a [[Congress of the United States|U.S. Congress]] subcommittee regarding the PCI DSS, says "(...the PCI DSS requirements...) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve 'Requirements' for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an ''incredible burden on a retailer'' and ''many of which are subject to interpretation''."<ref name="MichaelJonesTestimony">{{cite web|last=Jones|first=Michael|title=TESTIMONY OF MICHAEL JONES BEFORE THE EMERGING THREATS, CYBERSECURITY, AND SCIENCE AND TECHNOLOGY SUBCOMMITTEE|url=http://www.homeland.house.gov/SiteDocuments/20090331142012-77196.pdf|publisher=Congress of the United States|accessdate=2010-07-19|date=2009-03-31|archiveurl=http://web.archive.org/web/20100805091805/http://homeland.house.gov/SiteDocuments/20090331142012-77196.pdf|archivedate=2009-03-31}}</ref> |
|||
In contrast, others have suggested that PCI DSS is a step toward making all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security problems. |
|||
"''Regulation—SOX, HIPAA, GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever—has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services.''" - [[Bruce Schneier]]<ref>{{cite web|url=http://www.schneier.com/news-049.html|title=Bruce Schneier reflects on a decade of security trends|accessdate=2009-02-15}}</ref> |
|||
Further, per PCI Council General Manager Bob Russo's response to the National Retail Federation: PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."<ref name="RussoNRFresponse">{{cite web|last=Russo|first=Bob|title=Letter to NRF|url=http://www.pcisecuritystandards.org/pdfs/statement090615_letter_to_nrf.pdf|publisher=PCI Council|accessdate=2010-10-19|date=2009-06-15}}</ref> |
|||
===Compliance and compromises=== |
|||
According to Visa Chief Enterprise Risk Officer, Ellen Richey, "...no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."<ref>{{cite web|url=http://www.cso.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced |title=Visa: Post-breach criticism of PCI standard misplaced |year=2009 |first=Jaikumar |last=Vijayan}}</ref> In 2008, a breach of |
|||
[[Heartland Payment Systems#Security breach|Heartland Payment Systems]], an organisation validated as compliant with PCI DSS, resulted in the compromising of one hundred million card numbers.<ref>{{cite web |url=http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126608 |title=Heartland data breach sparks security concerns in payment industry}}</ref> Around this same time Hannaford Brothers<ref>{{cite web|url=http://www.bankinfosecurity.com/articles.php?art_id=810|title=Hannaford Data Breach May Be Top of Iceberg|last=McGlasson|first=Linda|date=2008-04-04|publisher=BankInfo Security|accessdate=2009-01-28}}</ref> and TJX Companies, also validated as PCI DSS compliant, were similarly breached as a result of the alleged coordinated efforts of [[Albert Gonzalez|Albert "Segvec" Gonzalez]] and two unnamed Russian hackers.<ref>{{cite web|url=http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/ |title=TJX suspect indicted in Heartland, Hannaford breaches |year=2009 |first=Dan |last=Goodin}}</ref> |
|||
Assessments examine the compliance of merchants and services providers with the PCI DSS at a specific point in time and frequently utilize a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times both throughout the annual validation/assessment cycle and across all systems and processes in their entirety.<ref>{{cite web|url=http://www.bankinfosecurity.com/blogs/qsas-perspective-pci-compliance-risks-abound-p-492|title=The QSA's Perspective: PCI Compliance Risk Abounds|last=Spier|first=Peter|date=2010-03-22|publisher=BankInfo Security|accessdate=2010-10-19}}</ref> Though it could be that a breakdown in merchant and service provider compliance with the written standard was to blame for the breaches, Hannaford Brothers had received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems.<ref>{{cite web|url=http://www.computerworld.com/article/2523631/technology-law-regulation/pci-security-standard-gets-ripped-at-house-hearing.html|title=PCI security standard gets ripped at House hearing|last=Vijayan|first=Jaikumar |date=2009-01-04|publisher=Computerworld Security|accessdate=2009-05-04}}</ref> The failure of this to be identified by the assessor suggests that incompetent verification of compliance undermines the security of the standard. |
|||
Other criticism lies in that compliance validation is required only for Level 1-3 merchants and may be optional for Level 4 depending on the card brand and acquirer. Visa's compliance validation details for merchants state that level 4 merchants compliance validation requirements are set by the acquirer,<ref>{{cite web |url=https://usa.visa.com/support/small-business/security-compliance.html |title=Merchant PCI DSS Compliance |publisher=Visa}}</ref> Visa level 4 merchants are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time over 80% of payment card compromises between 2005 and 2007 affected Level 4 merchants; they handle 32% of transactions.<ref>{{cite web|url=http://2009.confidence.org.pl/materialy/prezentacje/adrian_pastor_confidence_2009.pdf |title=A Pentester’s Guide to Credit Card Theft Techniques |year=2009 |first=Adrian |last=Pastor}}</ref><ref>{{cite web |url=http://usa.visa.com/download/merchants/level_4_merchant_compliance_program_062807.pdf |title=Level 4 Merchant Compliance Program (slide 6)|format=PDF |date=June 28, 2007 |archiveurl=https://web.archive.org/web/20140407092109/http://usa.visa.com/download/merchants/level_4_merchant_compliance_program_062807.pdf |archivedate=June 28, 2007 |deadurl=yes}}</ref> |
|||
===Compliance as a snapshot=== |
|||
The state of being PCI DSS compliant might appear to have some temporal persistence, at least from a merchant point of view. In contrast, the PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs.<ref>{{cite web|url=http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Financial&articleId=9078059|title=Q and A: Head of PCI council sees security standard as solid, despite breaches|accessdate=2009-02-15}}</ref> |
|||
Industry best practice for PCI DSS compliance is to continually improve processes to ensure on going compliance, rather than treating compliance as a point in time project.<ref>{{cite web|url=http://pcidsscompliance.net/implementing-pci-dss/best-practice-for-implementing-pci-dss-in-to-your-organization/|title=Best Practice For Implementing PCI DSS In To Your Organisation|accessdate=2015-02-15}}</ref> |
|||
==See also== |
|||
* [[Penetration test]] |
* [[Penetration test]] |
||
* [[Vulnerability management]] |
* [[Vulnerability management]] |
||
| Line 180: | Line 175: | ||
==References== |
==References== |
||
{{Reflist |
{{Reflist}} |
||
==Books on PCI DSS== |
|||
* ''A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS)'' (ISBN 9781604205855) |
|||
* ''PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance'' 4th edition (ISBN 9780128015797) |
|||
* ''PCI Compliance: The Definitive Guide'' (ISBN 9781439887400) |
|||
==External links== |
==External links== |
||
*[ |
*[https://www.pcisecuritystandards.org Official PCI Security Standards Council Site] |
||
{{PCISSC}} |
|||
*[http://pcidsscompliance.net/ PCI SSC Data Security Standards Overview] |
|||
*[http://pcidsscompliance.net/pci-dss-requirements/ PCI Quick Reference Guide v3] |
|||
*[http://www.verizonenterprise.com/pcireport/2015/ The PCI Compliance Report] |
|||
[[Category:Payment cards]] |
[[Category:Payment cards]] |
||
[[Category:E-commerce]] |
|||
[[Category:Computer law]] |
[[Category:Computer law]] |
||
[[Category:Information privacy]] |
[[Category:Information privacy]] |
||
Latest revision as of 16:32, 9 November 2024
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:[1]
- Self-assessment questionnaire (SAQ)
- Firm-specific Internal Security Assessor (ISA)
- External Qualified Security Assessor (QSA)
History
[edit]The major card brands had five different security programs:
- Visa's Cardholder Information Security Program
- Mastercard's Site Data Protection
- American Express's Data Security Operating Policy
- Discover's Information Security and Compliance
- JCB's Data Security Program
The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort by the principal credit-card organizations resulted in the release of version 1.0 of PCI DSS in December 2004.[citation needed] PCI DSS has been implemented and followed worldwide.
The Payment Card Industry Security Standards Council (PCI SSC) was then formed, and these companies aligned their policies to create the PCI DSS.[2] MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC in September 2006 as an administrative and governing entity which mandates the evolution and development of the PCI DSS.[3] Independent private organizations can participate in PCI development after they register. Each participating organization joins a SIG (Special Interest Group) and contributes to activities mandated by the group. The following versions of the PCI DSS have been made available:[4]
| Version | Date | Notes |
|---|---|---|
| 1.0 | December 15, 2004 | |
| 1.1 | September 2006 | clarification and minor revisions |
| 1.2 | October 2008 | enhanced clarity, improved flexibility, and addressed evolving risks and threats |
| 1.2.1 | July 2009 | minor corrections designed to create more clarity and consistency among the standards and supporting documents |
| 2.0 | October 2010 | |
| 3.0 | November 2013 | active from January 1, 2014 to June 30, 2015 |
| 3.1 | April 2015 | retired since October 31, 2016 |
| 3.2 | April 2016 | retired since December 31, 2018 |
| 3.2.1 | May 2018 | retired since March 31, 2024 |
| 4.0 | March 2022 | updated firewall terminology, expansion of Requirement 8 to implement multi-factor authentication (MFA), increased flexibility to demonstrate security, and targeted risk analyses to establish risk exposure operation and management[5] |
Requirements
[edit]The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives:[6]
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
Each PCI DSS version has divided these six requirement groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is divided into three sections:
- PCI DSS requirements: Define the requirement. The PCI DSS endorsement is made when the requirement is implemented.
- Testing: The processes and methodologies carried out by the assessor for the confirmation of proper implementation.
- Guidance: Explains the purpose of the requirement and the corresponding content, which can assist in its proper definition.
In version 3.2.1 of the PCI DSS, the twelve requirements are:
- Install and maintain a firewall system to protect cardholder data.
- Avoid vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data on open, public networks.
- Protect all systems against malware, and update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy which addresses information security for all personnel.
Updates and supplemental information
[edit]The PCI SSC (Payment Card Industry Security Standards Council) has released supplemental information to clarify requirements, which includes:
- Information Supplement: Requirement 11.3 Penetration Testing
- Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
- Navigating the PCI DSS - Understanding the Intent of the Requirements
- PCI DSS Wireless Guidelines[7]
- PCI DSS Applicability in an EMV Environment
- Prioritized Approach for PCI DSS
- Prioritized Approach Tool
- PCI DSS Quick Reference Guide
- PCI DSS Virtualization Guidelines
- PCI DSS Tokenization Guidelines
- PCI DSS 2.0 Risk Assessment Guidelines
- The lifecycle for Changes to the PCI DSS and PA-DSS
- Guidance for PCI DSS Scoping and Segmentation
- PCI DSS v4.0 Resource Hub[8]
Reporting levels
[edit]Companies subject to PCI DSS standards must be PCI-compliant; how they prove and report their compliance is based on their annual number of transactions and how the transactions are processed. An acquirer or payment brand may manually place an organization into a reporting level at its discretion.[9] Merchant levels are:
- Level 1 – Over six million transactions annually
- Level 2 – Between one and six million transactions
- Level 3 – Between 20,000 and one million transactions, and all e-commerce merchants
- Level 4 – Less than 20,000 transactions
Each card issuer maintains a table of compliance levels and a table for service providers.[10][11]
Compliance validation
[edit]Compliance validation involves the evaluation and confirmation that the security controls and procedures have been implemented according to the PCI DSS. Validation occurs through an annual assessment, either by an external entity, or by self-assessment.[12]
Report on Compliance
[edit]A Report on Compliance (ROC) is conducted by a PCI Qualified Security Assessor (QSA) and is intended to provide independent validation of an entity's compliance with the PCI DSS standard. A completed ROC results in two documents: a ROC Reporting Template populated with detailed explanation of the testing completed, and an Attestation of Compliance (AOC) documenting that a ROC has been completed and the overall conclusion of the ROC.
Self-Assessment Questionnaire
[edit]The PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool intended for small to medium sized merchants and service providers to assess their own PCI DSS compliance status. There are multiple types of SAQ, each with a different length depending on the entity type and payment model used. Each SAQ question has a yes-or-no answer, and any "no" response requires the entity to indicate its future implementation. As with ROCs, an attestation of compliance (AOC) based on the SAQ is also completed.
Security Assessors
[edit]The PCI Security Standards Council maintains a program to certify companies and individuals to perform assessment activities.
Qualified Security Assessor
[edit]A Qualified Security Assessor (QSA) is an individual certified by the PCI Security Standards Council to validate another entity's PCI DSS compliance. QSAs must be employed and sponsored by a QSA Company, which also must be certified by the PCI Security Standards Council.[13][14]
Internal Security Assessor
[edit]An Internal Security Assessor (ISA) is an individual who has earned a certificate from the PCI Security Standards Council for their sponsoring organization, and can conduct PCI self-assessments for their organization. The ISA program was designed to help Level 2 merchants meet Mastercard compliance validation requirements.[15] ISA certification empowers an individual to conduct an appraisal of his or her association and propose security solutions and controls for PCI DSS compliance. ISAs are in charge of cooperation and participation with QSAs.[12]
Compliance versus validation of compliance
[edit]Although the PCI DSS must be implemented by all entities which process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS; Visa also offers a Technology Innovation Program (TIP), an alternative program which allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against fraud, such as the use of EMV or point-to-point encryption.
Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks must comply with PCI DSS and have their compliance validated with an audit. In a security breach, any compromised entity which was not PCI DSS-compliant at the time of the breach may be subject to additional penalties (such as fines) from card brands or acquiring banks.
Legislation in the United States
[edit]Compliance with PCI DSS is not required by federal law in the United States, but the laws of some states refer to PCI DSS directly or make equivalent provisions. Legal scholars Edward Morse and Vasant Raval have said that by enshrining PCI DSS compliance in legislation, card networks reallocated the cost of fraud from card issuers to merchants.[16] In 2007, Minnesota enacted a law prohibiting the retention of some types of payment-card data more than 48 hours after authorization of a transaction.[17][18] Nevada incorporated the standard into state law two years later, requiring compliance by merchants doing business in that state with the current PCI DSS and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by other approved security standards.[19][16] In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be PCI DSS-compliant; however, compliant entities are shielded from liability in the event of a data breach.[20][16]
Controversy and criticism
[edit]Visa and Mastercard impose fines for non-compliance. Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in Park City, Utah, were fined for a breach for which two forensics firms could not find evidence:
The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines are "profitable to them," the McCombs say.[21]
Michael Jones, CIO of Michaels, testified before a U.S. Congressional subcommittee about the PCI DSS:
[The PCI DSS requirements] are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve "Requirements" for PCI compliance. In fact there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.[22]
The PCI DSS may compel businesses pay more attention to IT security, even if minimum standards are not enough to eradicate security problems. Bruce Schneier spoke in favor of the standard:
Regulation—SOX, HIPAA, GLBA, the credit-card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever—has been the best stick the industry has found to beat companies over the head with. And it works. Regulation forces companies to take security more seriously, and sells more products and services.[23]
PCI Council general manager Bob Russo responded to objections by the National Retail Federation:
[PCI is a structured] blend ... [of] specificity and high-level concepts [that allows] stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards.[24]
Visa chief enterprise risk officer Ellen Richey said in 2018, "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach".[25] However, a 2008 breach of Heartland Payment Systems (validated as PCI DSS-compliant) resulted in the compromising of one hundred million card numbers. Around that time, Hannaford Brothers and TJX Companies (also validated as PCI DSS-compliant) were similarly breached as a result of the allegedly-coordinated efforts of Albert Gonzalez and two unnamed Russian hackers.[26]
Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, frequently using sampling to allow compliance to be demonstrated with representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain compliance throughout the annual validation-and-assessment cycle across all systems and processes. A breakdown in merchant and service-provider compliance with the written standard may have been responsible for the breaches; Hannaford Brothers received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems.
Compliance validation is required only for level 1 to 3 merchants and may be optional for Level 4, depending on the card brand and acquirer. According to Visa's compliance validation details for merchants, level-4 merchant compliance-validation requirements ("Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually") are set by the acquirer. Over 80 percent of payment-card compromises between 2005 and 2007 affected level-4 merchants, who handled 32 percent of all such transactions.[citation needed]
See also
[edit]References
[edit]- ^ "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018" (PDF). PCI Security Standards Council, LLC. Archived (PDF) from the original on September 1, 2018. Retrieved September 4, 2018.
- ^ Liu, Jing; Xiao, Yang; Chen, Hui; Ozdemir, Suat; Dodle, Srinivas; Singh, Vikas (2010). "A Survey of Payment Card Industry Data Security Standard". IEEE Communications Surveys & Tutorials. 12 (3): 287–303. doi:10.1109/SURV.2010.031810.00083. S2CID 18117838.
- ^ "About Us". PCI Security Standards Council. Archived from the original on April 2, 2022. Retrieved December 15, 2022.
- ^ "Document Library". PCI Security Standards Council. Archived from the original on November 7, 2020. Retrieved November 12, 2020.
- ^ "Securing the Future of Payments: PCI SSC Publishes PCI Data Security Standard v4.0". PCI Security Standards Council. March 31, 2022. Archived from the original on April 9, 2022. Retrieved April 8, 2022.
- ^ "PCI DSS Quick Reference Guide" (PDF). Archived (PDF) from the original on November 12, 2020. Retrieved November 12, 2020.
- ^ "Information Supplement: PCI DSS Wireless Guidelines" (PDF). August 26, 2011. Archived (PDF) from the original on October 31, 2018. Retrieved August 8, 2018.
- ^ "PCI DSS v4.0 Resource Hub". Archived from the original on March 23, 2023. Retrieved March 24, 2023.
- ^ "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Archived from the original on September 2, 2019. Retrieved February 21, 2007.
- ^ "Visa in Europe". Archived from the original on February 9, 2019. Retrieved February 8, 2019.
- ^ "Things Merchants Need to Know | Process Payment Data & Secured Transactions | Mastercard". www.mastercard.us. Archived from the original on February 9, 2019. Retrieved February 8, 2019.
- ^ a b PCI Security Standards Council. "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2" (PDF). PCI Security Standards Council, LLC. Archived from the original on July 19, 2023. Retrieved September 4, 2018.
- ^ "Qualified Security Assessors". PCI Security Standards Council. Archived from the original on May 18, 2023. Retrieved May 18, 2023.
- ^ "Qualification Requirements for Qualified Security Assessors (QSA)" (PDF). PCI Security Standards Council.
- ^ "Avoid Paying For PCI Certification You Don't Need". FierceRetail. May 12, 2010. Archived from the original on May 17, 2022. Retrieved March 26, 2018.
- ^ a b c Edward A. Morse; Vasant Raval, Private Ordering in Light of the Law: Achieving Consumer Protection through Payment Card Security Measures Archived August 6, 2020, at the Wayback Machine DePaul Business & Commercial Law Journal 10, no. 2 (Winter 2012): 213-266
- ^ James T. Graves, Minnesota's PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care' Archived August 6, 2020, at the Wayback Machine William Mitchell Law Review 34, no. 3 (2008): 1115-1146
- ^ "MINN. STAT. § 325E.64". Archived from the original on October 10, 2019. Retrieved October 10, 2019.
- ^ "NEV. REV. STAT. § 603A.215". Archived from the original on October 1, 2019. Retrieved October 10, 2019.
- ^ "2010 Wash. Sess. Laws 1055, § 3" (PDF). Archived (PDF) from the original on July 28, 2019. Retrieved October 10, 2019.
- ^ Zetter, Kim (January 11, 2012). "Rare Legal Fight Takes on Credit Card Company Security Standards and Fines". Wired. Retrieved March 30, 2019.
- ^ "Do the Payment Card Industry Data Standards Reduce Cybercrime? A Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the Committee on Homeland Security, House of Representatives, One Hundred Eleventh Congress, First Session, March 31, 2009". GPO. March 31, 2009. Archived from the original on March 30, 2019. Retrieved March 30, 2019.
{{cite journal}}: Cite journal requires|journal=(help) - ^ "Bruce Schneier Reflects on a Decade of Security Trends". Schneier on Security. January 15, 2008. Archived from the original on March 3, 2019. Retrieved March 8, 2019.
- ^ "Can PCI Compliance be Harmful to Your Security Initiative?". www.brighttalk.com. Archived from the original on April 18, 2021. Retrieved October 9, 2020.
- ^ Vijayan, Jaikumar (March 19, 2009). "Post-breach criticism of PCI security standard misplaced, Visa exec says". Computerworld. Archived from the original on September 4, 2018. Retrieved September 4, 2018.
- ^ Salim, Hamid M. (2014). Cyber safety: systems thinking and systems theory approach to managing cyber security risks (Thesis thesis). Massachusetts Institute of Technology. hdl:1721.1/90804. Archived from the original on April 18, 2021. Retrieved October 8, 2020.