The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for information that protects against credit card fraud and many other security risks and holes. Providers of credit and debit cards, such as MasterCard, Visa, etc., use the security controls and methods outlined in PCI DSS.
PCI DSS is also used by the entities that store, handle, and send card information. The latest form of PCI DSS, 3.2, came out in April 2016.
Origin of PCI DSS
Due to the rise in credit card fraud and scams from 1990 to 2000, companies like American Express, MasterCard, and Visa each started their own research and development to build standards for payment processing systems. In 2001, Visa was the first company to make the "Cardholder Information Security Programme" standard. The other companies also made and used their own security standards that were unique to them. These individual company level efforts resulted in interoperability issues and problems raised by merchants and POS terminals because they had to assure compliance with every company-specific standard. To address the interoperability and compliance issues, the leading credit card companies formed a joint venture and released PCI DSS version 1.0 in December 2004. PCI DSS is now a globally recognized standard that all entities involved in payment processing are required to comply with.
Formation of PCI SSC
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International, and Discover Financial Services. It holds the mandate of managing the development of PCI and the alignment of policies to the PCI DSS. The development track is also available to other organizations by registering them as participating organizations. Each participating organization belongs to a particular SIG (Special Interest Group) and participates in the development of the mandate of that particular SIG. All the PCI DSS versions after 2006 were released by the PCI SSC.
PCI DSS History
All the versions and their corresponding release dates are as follows:
|
Release Version |
Release Date |
|
1.0 |
December 15, 2004 |
|
1.1 |
September 2006 |
|
1.2 |
October 2008 |
|
1.2.1 |
July 2009 |
|
2.0 |
October 2010 |
|
3.0 |
November 2013 |
|
3.1 |
April 2015 |
|
3.2 |
April 2016 |
PCI DSS Requirements
PCI DSS requirements are applicable to all the system entities and components that have involvement in the CDE (Cardholder Data Environment), for example, users, process workflows, and network/system devices that store, process, and transmit cardholder or authentication data. The PCI Data Security Standard stipulates twelve requirements for compliance, which include further sub-requirements.
|
Category |
Requirements |
|
Build and Maintain a Secure Network and Systems. |
1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
|
Protect Cardholder Data. |
3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
|
Maintain a Vulnerability Management Program. |
5. Protect all systems against malware and regularly update anti-virus .software or programs. 6. Develop and maintain secure systems and applications |
|
Implement Strong Access Control Measures. |
7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. |
|
Regularly Monitor and Test Networks. |
10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
|
Maintain an Information Security Policy. |
12. Maintain a policy that addresses information security for all personnel. |
Each requirement and sub-requirement are further defined into 3 parts.
- Requirement Statement/Description: It actually describes the requirement. PCI DSS compliance is validated against these requirements.
- Testing Procedures: It defines the methods to be followed by the evaluator to validate that the requirement has been implemented.
- Guidance: It illustrates the main fundamental objective of the requirement. It may also contain the helping material in contribution to the proper thoughtfulness of the requirement.
Updates and Supplemental Information
A lot of information supplements have been published by for the explanation of several requirements. These documents include the following:
- PCI DSS Applicability in an EMV Environment
- Penetration Testing Guide
- Prioritized Approach for PCI DSS
- Prioritized Approach Tool
- PCI DSS Quick Reference Guide
- PCI DSS Virtualization Guidelines
- PCI DSS Tokenization Guidelines
- PCI DSS 2.0 Risk Assessment Guidelines
- The lifecycle for Changes to the PCI DSS and PA-DSS
- Guidance for PCI DSS Scoping and Segmentation
PCI DSS & Crypto Key Management
Key management plays a vital role in ensuring the security mechanisms of cryptographic protocols/applications.
With the increase in deployment and evolution of cryptographic mechanisms implemented in information systems, key management consistently emerges as a significant challenge.
PCI DSS describes the requirements about cryptographic mechanisms as “Strong Cryptography” for all the key and certificate management.
Appropriate management of cryptographic keys is essential for all the phases of key life cycle starting from the generation, secure storage, secure distribution, backup, and up to destruction.
References
1. Selected articles on Key Management (2012-today) by Ashiq JA, Chris Allen, Guillaume Forget, James H. Reinholm, Martin Eriksen and more
2. Selected articles on PCI DSS (2012-today) by Ashiq JA, Asim Mehmood, Guillaume Forget, James H. Reinholm, Martin Eriksen, Stefan Hansen and more
3. EMV Key Management – Explained (2015) by Cryptomathic
More Stories
