What is PCI-DSS

PCI-DSS stands for Payment Card Industry Data Security Standard. As the name suggests, the standard applies to the payment card industry: any organization that stores, processes or transmits payment card data.

Why is PCI-DSS regulation required?

Financial transactions are exposed to risk whether they are made in cash or by card. For cash transactions, physical security is what matters. For card transactions, data security moves to the front and physical security recedes. The payment card may be a credit or a debit card; if the financial and personal data on the card is protected, fraudulent transactions are prevented.

If the payment card data is not secure:

  • The customer may lose money.
  • Merchants and financial institutions lose credibility, and with it business.
  • It attracts penalties and fines.

So the payment card industry took the initiative to regulate the handling of card data with its own data security standard.

The major players in the card industry, Visa, MasterCard, American Express, Discover and JCB, formed an alliance in 2006 and created the PCI Security Standards Council (PCI SSC) for the payment card industry. The council maintains the security standards for all the data involved in a payment card transaction. PCI-DSS compliance applies to every entity involved in a payment card transaction: small, medium and large merchants, banks and other financial institutions that handle card transactions are all governed by it. Payment applications that are sold, distributed or licensed to third parties are covered by a separate standard, PCI PA-DSS, and PIN-entry devices and POS hardware by PCI PTS. Of these, PCI-DSS is the most important because it governs by far the largest number of entities, and those entities handle millions of card transactions.

What payment card data to secure?

Data thieves look for two classes of data: cardholder data and sensitive authentication data.

Cardholder data

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive authentication data

  • Full track data (magnetic-stripe data or equivalent on a chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

Everyone involved in a payment card transaction must ensure this data is secured. Two points of the standard are worth stating up front: the PAN must be rendered unreadable (truncated, tokenized, hashed or encrypted) wherever it is stored, and sensitive authentication data must never be stored after authorization, even in encrypted form. To secure the data, the PCI Security Standards Council has defined a set of requirements that every entity must fulfil.

What is covered in PCI-DSS

PCI-DSS consists of 12 requirements, grouped under six control objectives, each with its own testing procedures; together they cover the technical and operational components of the environment that handles cardholder data.

Control objective (what to achieve) and requirements (how to achieve it):

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an information security policy
  12. Maintain a policy that addresses information security for employees and contractors.


How to get compliant with PCI-DSS regulation

For any organization, securing cardholder data is a three-step process.

They are:

  • Assess

In this step, identify where cardholder data is stored, processed and transmitted, take an inventory of the IT assets and the payment card business processes involved, and analyze them for vulnerabilities.
On-site assessments are performed by a Qualified Security Assessor (QSA), a company certified by the PCI SSC; choose one that is listed by the council and can work in your region. Smaller merchants and service providers, depending on the merchant level assigned by their acquiring bank or card brand, may instead complete a Self-Assessment Questionnaire (SAQ).

  • Remediate

Fix the vulnerabilities found, and do not store cardholder data at all unless it is absolutely necessary.
Ensure that compliance is monitored continuously. Periodic checks leave gaping holes between them through which data can be stolen.

  • Report

Compile and submit the compliance report, a Report on Compliance (ROC) from the QSA or the completed SAQ, together with an Attestation of Compliance, to the acquiring bank or card brand that requires it.
The PCI Security Standards Council does not enforce compliance. Enforcement, including fines, is done only by the card brands and the acquiring banks.
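The Assess and Remediate steps above both begin with finding where cardholder data actually lives, including places it should not be, such as application logs. The following is an added example, not code from the original page or from Firewall Analyzer: a small scanner that picks candidate PANs out of log lines, discards false positives with the Luhn checksum that payment card PANs satisfy, and reports or rewrites the hits masked to the first six and last four digits, the most PCI-DSS permits to be displayed. The regular expression, the sample log lines and the card numbers in them (the well-known public test numbers, not real accounts) are constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed for this example; it is a coarse
# net whose false positives the Luhn check below removes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn (mod 10) checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to first six and last four, the most PCI-DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate):
    """Strip separators; return the bare digit string, or None if it is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def scan_log(lines):
    """Return (line_index, masked_pan) for every Luhn-valid PAN found.
    The clear PAN is never returned, so the findings list is not itself cardholder data."""
    hits = []
    for i, line in enumerate(lines):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _normalize(m.group(0))
            if digits:
                hits.append((i, mask_pan(digits)))
    return hits


def redact_line(line):
    """Rewrite a line with every Luhn-valid PAN masked; returns (new_line, number_replaced)."""
    count = 0

    def _sub(m):
        nonlocal count
        digits = _normalize(m.group(0))
        if digits is None:
            return m.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), count


# Constructed sample log lines. The card numbers are the public test numbers, not
# real accounts. Line 0 carries a 16-digit order id that fails Luhn and line 4 a
# mistyped PAN; neither must be flagged.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z app INFO order=1234567890123456 status=created",
    "2024-03-01T10:00:02Z app DEBUG charge pan=4111 1111 1111 1111 amount=19.99",
    "2024-03-01T10:00:03Z app DEBUG charge pan=378282246310005 amount=250.00",
    "2024-03-01T10:00:04Z app DEBUG refund pan=5555-5555-5555-4444 amount=5.00",
    "2024-03-01T10:00:05Z app INFO typo pan=4111111111111112 rejected",
]

if __name__ == "__main__":
    for idx, masked in scan_log(SAMPLE_LOG):
        print(f"line {idx}: PAN found, masked {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line)[0])
```

A hit on a DEBUG line like the ones above is a Remediate finding in itself: the application is writing PANs to a log that is almost certainly outside the controls applied to the card database, and the fix is to stop logging the PAN rather than to protect the log. The Luhn filter keeps order ids and other long numbers out of the report, but it is only a plausibility check, so findings still need a human to confirm what the field actually is.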

How Firewall Analyzer makes your PCI-DSS compliance easier

Firewall Analyzer continuously monitors the network firewall for PCI-DSS compliance. The compliance report can be pulled at any time to meet audit requirements, and you can also schedule reports and archive them for future reference. Refer to the PCI-DSS compliance requirements covered by Firewall Analyzer.

A single platter for comprehensive Network Security Device Management