PCI DSS FAQs

What is the PCI Security Standards Council?
The Payment Card Industry Security Standards Council (PCI SSC) is an institution set up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with the aim of enhancing payment account security. It pursues this goal through the mandatory adoption of the PCI Data Security Standard (PCI DSS) by all businesses that store, process and/or transmit credit/debit card data.

What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. This standard (commonly known as ‘PCI’) is a common set of security due-diligence practices that help ensure the safe handling of payment card data. Created by the five major card brands (American Express, Discover, JCB, MasterCard and Visa), the standard comprises 12 distinct requirements, grouped under six control objectives:

  1. Build and maintain a secure network
  2. Protect cardholder data, both at rest and in transit
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy.

What are the PCI DSS requirements?
PCI DSS comprises twelve requirements, often referred to as the ‘digital dozen’. These define the need to:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors.

What are payment cards?
For PCI DSS purposes, “payment cards” encompasses all credit, debit and prepaid (cash) cards issued under the American Express, Discover, JCB, MasterCard or Visa brands.

What is payment card data?
Payment card data is information pertaining to credit/debit cards and their holders. It falls into two categories, ‘Cardholder Data’ and ‘Sensitive Authentication Data’, and PCI DSS imposes storage restrictions on the data elements that belong to each category.

What is cardholder data?
Cardholder data is the information from a credit or debit card that is used in a transaction. At a minimum it is the full Primary Account Number (PAN); it commonly also includes the Cardholder Name and Expiration Date printed on the front of the card. All these elements, together with the service code and further discretionary data, are also encoded on the magnetic stripe on the back of the card.

What is sensitive authentication data?
Sensitive Authentication Data is security-related information used to authenticate cardholders and authorize card transactions. Its elements are the full magnetic stripe (track) data, the card validation code (the three- or four-digit security code printed on the back or front of the card, a.k.a. CVV2, CVC2 or CID) and PINs or PIN blocks.

Which elements of the cardholder data can be stored?
The PCI DSS sets out which data elements may be stored and how they must be protected. The PAN, Cardholder Name and Expiration Date may be stored as long as they are protected. The PAN in particular must be rendered unreadable wherever it is stored, for example with strong encryption (such as AES) under proper key management, with a one-way hash, or by truncation; when displayed it must be masked so that at most the first six and last four digits are visible. The other elements must be protected but need not be rendered unreadable. This matters because the PAN together with one of the other elements is, in certain cases, the minimum data required to effect a payment.

Which elements of the sensitive authentication data can be stored?
None. Sensitive Authentication Data must not be stored at all after a transaction has been authorized, even if it is encrypted.
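The two answers above describe a rule that a practitioner usually has to verify in practice: the PAN may be kept only in an unreadable form, and no track data or validation code may survive authorization. The following added example (not code from the original page or from the PCI SSC) shows both sides: the three permitted ways of rendering a PAN unreadable (masking for display, truncation, keyed one-way hash) and a scanner that looks for prohibited data in log lines. The log lines are constructed for the example and use the well-known unissued test PANs; the HMAC key is a placeholder that in a real deployment would be managed under the standard's key-management rules. The PAN pattern is a heuristic (any Luhn-valid run of 13 to 19 digits), so treat hits as candidates to review.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not from any real system). The PANs are the
# well-known 4111... / 5555... test numbers, which are Luhn-valid but unissued.
SAMPLE_LOG = """\
2007-03-31 10:02:11 auth ok pan=4111111111111111 exp=0912 amount=19.99
2007-03-31 10:02:12 debug track1=%B5555555555554444^DOE/JOHN^09121011000000000000?
2007-03-31 10:02:13 debug track2=;5555555555554444=09121011000000000000?
2007-03-31 10:02:14 verify cvv2=123 result=match
2007-03-31 10:02:15 order 4111111111111111 shipped, ref 1234567890123
"""


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Stored truncation: keep only the last four digits; the full PAN is not recoverable."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) for matching a card without storing the PAN.
    The key is assumed to be managed under the standard's key-management rules; an
    unkeyed hash of a 16-digit PAN is brute-forceable because the input space is small."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Patterns for data that must never be stored after authorization
# (full track 1/track 2 data, card validation codes) and for a candidate PAN.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}", re.IGNORECASE)
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_card_data(text: str):
    """Return (line_no, kind, detail) for every hit; PANs are reported masked, never in full."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if TRACK1_RE.search(line):
            findings.append((n, "track1", "full track 1 data"))
        if TRACK2_RE.search(line):
            findings.append((n, "track2", "full track 2 data"))
        if CVV_RE.search(line):
            findings.append((n, "cvv", "card validation code"))
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):  # drops Luhn-invalid runs such as order references
                findings.append((n, "pan", mask_pan(m.group(1))))
    return findings


def sad_violations(findings):
    """Sensitive authentication data hits: prohibited outright, encrypted or not."""
    return [f for f in findings if f[1] in ("track1", "track2", "cvv")]


if __name__ == "__main__":
    hits = find_card_data(SAMPLE_LOG)
    for line_no, kind, detail in hits:
        print(f"line {line_no}: {kind}: {detail}")
    print(f"{len(sad_violations(hits))} sensitive authentication data violation(s)")
```

Run against the sample, the scanner reports the clear-text PAN on every line that carries one and three sensitive-authentication-data violations (the track 1 line, the track 2 line and the CVV2 line); the 13-digit order reference on the last line fails the Luhn check and is ignored. Finding a PAN in a log is itself a requirement 3 problem, which is why the scanner prints PANs only in masked form.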

Who must comply with the PCI DSS?
Any entity, be it a merchant or a service provider, that stores, processes and/or transmits cardholder data must be PCI DSS compliant, regardless of its size and transaction volume. PCI DSS requirements do not apply only to electronic data: businesses are also bound to dispose of printed material containing payment card details and cardholder data in an appropriate way. Where waste handling is outsourced, for example to a paper-shredding company, the entity requesting the service must make sure that such ‘service providers’ are PCI DSS compliant as well.

Is there some form of distinction between merchant types?
All merchants that accept payment card transactions are categorized into four levels, determined by their number of annual transactions (the exact thresholds vary slightly between card brands; the figures below follow Visa):

  • Level 1: Merchants with more than 6 million card transactions per year, and any merchant whose cardholder data has been compromised.
  • Level 2: Merchants with between 1 million and 6 million card transactions per year
  • Level 3: Merchants with between 20,000 and 1 million card transactions per year
  • Level 4: All other merchants

These levels determine the validation processes that a merchant must undertake in order to achieve and maintain compliance.

Is there a distinction between the different types of service providers?
All service providers that store, process or transmit credit card data are categorized into three levels:

  • Level 1: All payment processors and payment gateways
  • Level 2: All service providers not in Level 1 with more than 1 million credit card accounts or transactions per year.
  • Level 3: All service providers not in Level 1 with fewer than 1 million credit card accounts or transactions per year.

These levels determine the validation processes that a service provider must undertake in order to achieve and maintain compliance.

I am a merchant. How do I become PCI DSS compliant?
Becoming PCI DSS compliant requires a business to meet, and demonstrate that it meets, all twelve requirements laid out in PCI DSS. Validation depends on the merchant level:

  • Level 1 merchants: annual on-site security assessment and quarterly external network scans. The on-site assessment is performed by a Qualified Security Assessor (QSA).
  • Level 2, 3 and 4 merchants: annual self-assessment questionnaire and quarterly external network scans. The self-assessment questionnaire is completed in-house by the merchant; the network scans are performed by an Approved Scanning Vendor (ASV).

I am a service provider. How do I become PCI DSS compliant?
Becoming PCI DSS compliant requires a business to meet, and demonstrate that it meets, all twelve requirements laid out in PCI DSS. Validation depends on the service provider level:

  • Level 1 and 2 service providers: annual on-site security assessment and quarterly external network scans. The on-site assessment is performed by a Qualified Security Assessor (QSA).
  • Level 3 service providers: annual self-assessment questionnaire and quarterly external network scans. The self-assessment questionnaire is completed in-house by the service provider; the network scans are performed by an Approved Scanning Vendor (ASV).

What are the responsibilities of acquiring banks?
Acquirers are not currently mandated to undergo any specific PCI DSS validation or certification process. They are nevertheless required to be PCI DSS compliant, so acquiring banks must ensure their own compliance either by conducting internal audits (following the criteria of the self-assessment questionnaire) or by outsourcing the assessment to Qualified Security Assessors (QSAs).

In addition acquiring banks are also responsible for ensuring:

  • PCI DSS compliance of their merchants
  • PCI DSS compliance of all service providers through which they, or their merchants, store, transmit or process payment card data.

Acquiring banks (merchant banks) must ensure that their merchants and service providers validate at the appropriate level, and must obtain compliance validation documentation from every merchant with more than 20,000 transactions per year. On receipt of the compliance reports, acquirers must compile and submit monthly compliance status reports to the card associations. All compliance validation documentation must be retained and made available to the card associations on request. Acquiring banks should also check that their service providers send compliance validation documentation to the card associations.

What is a QSA?
Qualified Security Assessors (QSAs) are security audit firms qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments for organizations that need to demonstrate their compliance. For a list of QSAs, visit: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

What is an ASV?
An Approved Scanning Vendor (ASV) is a vendor approved by the PCI Security Standards Council to perform the quarterly external network vulnerability scans required of businesses that want to achieve and maintain PCI DSS compliance. For a list of ASVs, visit: https://www.pcisecuritystandards.org/pdfs/asv_report.html

What is a self assessment questionnaire?
The self-assessment questionnaire (SAQ) is the PCI DSS validation document for merchants and service providers that are not required to undergo an on-site assessment. It is completed in-house, without contracting third parties: the business answers a set of security questions covering each of the twelve requirements and attests to the current state of its compliance.

By when do I need to become compliant?
Various deadlines have been set which differ between card associations and regions. Amongst important deadlines, Visa USA has set:

  • March 31, 2007 – The deadline by which level 1 and 2 merchants should demonstrate that they are not storing full track data, CVV2 or PIN data.
  • September 30, 2007 – The date by which all level 1 merchants are expected to be fully PCI DSS compliant.
  • December 31, 2007 – The date by which all level 2 merchants are expected to be fully PCI DSS compliant.

Visa Europe has set a deadline for June 30, 2007 by which acquirers are expected to confirm that their merchants are fully PCI DSS compliant.

Who should I ask if I have doubts or require clarifications?
If you are in doubt on any of the issues related to PCI DSS your primary source of information is your merchant bank.

How long does it take to become compliant?
There is no standard compliance timeframe: it depends on the size and complexity of the network that handles cardholder data and on its current security level.

What happens if I am not compliant?
Non-compliance with PCI DSS has consequences. Businesses face fines of up to $500,000 as well as expensive litigation costs. Operationally, Level 2, 3 or 4 merchants and service providers that suffer a security breach can have their level escalated to Level 1, which raises compliance costs because validation at Level 1 is more demanding. In addition, non-compliance damages brand reputation and exposes the business to extensive negative publicity that undermines consumer confidence.

What are the benefits of implementing PCI DSS?
PCI DSS is a binding set of rules that promotes sound IT security processes. It aims to reduce financial fraud by raising the network security capabilities of whoever processes payment card information. The most fundamental benefits of compliance for an organization are:

  • Protection of customers’ personal data
  • Increased customer confidence through a higher level of data security
  • Increased protection against the financial losses and remediation costs that follow a security breach
  • Preservation of customer trust and of the organization's reputation
  • A benchmark for assessing the security mechanisms of systems that store, process and/or transmit payment cardholder data.

How long does it take to move back to my original level after a breach that moved me to Level 1?
Moving back from Level 1 to the original level takes two years: the first year is allocated to fixing the procedural errors that enabled the breach, and the second year is a buffer period to confirm that no new breaches have occurred.

Are there any online sources I can refer to?
PCI Security Standards Council
https://www.pcisecuritystandards.org

Supporting Documents
https://www.pcisecuritystandards.org/tech/supporting_documents.htm

PCI DSS queries
http://pcianswers.com

Comprehensive list of PCI DSS resources
http://pcianswers.com/resources/

GFI EventsManager and GFI LANguard N.S.S. checklists
http://www.gfi.com/security/pci.htm
