The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard designed to protect against credit card fraud and numerous other security threats and vulnerabilities. Credit and debit card providers, such as MasterCard and Visa, implement the mechanisms and security controls specified and recommended in PCI DSS.
The entities that store, process and transmit card information also implement PCI DSS. The latest version of PCI DSS, 3.2, was released in April 2016.
Origin of PCI DSS
Due to the increase in credit card fraud and scams between 1990 and 2000, companies such as American Express, MasterCard and Visa individually started research and development to create standards for payment processing systems. Visa was the first to introduce a standard, the "Cardholder Information Security Program", in 2001. The other companies also created and implemented their own company-specific security standards. These separate, company-level efforts resulted in interoperability issues and in problems for merchants and POS terminals, which had to demonstrate compliance with every company-specific standard. To address the interoperability and compliance issues, the leading credit card companies formed a joint venture and released PCI DSS version 1.0 in December 2004. PCI DSS is now a globally recognized standard with which all entities involved in payment processing are required to comply.
Formation of PCI SSC
PCI SSC (Payment Card Industry Security Standards Council) is a governing body established in September 2006 as a joint venture by MasterCard, American Express, Visa, JCB International and Discover Financial Services. Its mandate is to manage the development of PCI standards and the alignment of policies with PCI DSS. Other organizations can also take part in the development track by registering as participating organizations. Each participating organization belongs to a particular SIG (Special Interest Group) and contributes to development within the mandate of that SIG. All PCI DSS versions after 2006 have been released by PCI SSC.
PCI DSS History
All the versions and their corresponding release dates are as follows:

| Release Version | Release Date |
|---|---|
| 1.0 | December 15, 2004 |
| 1.1 | September 2006 |
| 1.2 | October 2008 |
| 1.2.1 | July 2009 |
| 2.0 | October 2010 |
| 3.0 | November 2013 |
| 3.1 | April 2015 |
| 3.2 | April 2016 |
PCI DSS Requirements
PCI DSS requirements apply to all system entities and components involved in the CDE (Cardholder Data Environment), for example users, process workflows, and network/system devices that store, process or transmit cardholder or authentication data. The PCI Data Security Standard stipulates twelve requirements for compliance, each of which includes further sub-requirements.
| Category | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs. 6. Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel. |
Each requirement and sub-requirement is further defined in three parts:
- Requirement Statement/Description: describes the requirement itself. PCI DSS compliance is validated against these statements.
- Testing Procedures: define the methods an assessor follows to validate that the requirement has been implemented.
- Guidance: explains the fundamental objective of the requirement. It may also contain supporting material that helps the reader understand the requirement properly.
Updates and Supplemental Information
A number of information supplements have been published to explain several of the requirements. These documents include the following:
- PCI DSS Applicability in an EMV Environment
- Penetration Testing Guide
- Prioritized Approach for PCI DSS
- Prioritized Approach Tool
- PCI DSS Quick Reference Guide
- PCI DSS Virtualization Guidelines
- PCI DSS Tokenization Guidelines
- PCI DSS 2.0 Risk Assessment Guidelines
- The lifecycle for Changes to the PCI DSS and PA-DSS
- Guidance for PCI DSS Scoping and Segmentation
PCI DSS & Crypto Key Management
Key management plays a vital role in ensuring that the security mechanisms of cryptographic protocols and applications actually deliver the protection they promise.
As cryptographic mechanisms are deployed more widely in information systems and continue to evolve, key management consistently emerges as a significant challenge.
PCI DSS specifies its requirements for cryptographic mechanisms under the term "Strong Cryptography", which applies to all key and certificate management.
Appropriate management of cryptographic keys is essential in every phase of the key life cycle, from generation through secure storage, secure distribution and backup, up to destruction.
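The key life cycle described above, as an added example that is not part of the article or of any PCI SSC material: a small Python model of a managed data-encryption key that enforces the phases as explicit states (generation, activation, use only within a crypto-period, rotation to a successor, destruction with in-place zeroisation) and records every transition for audit. The state names, the `ManagedKey` class, the `rotate` helper and the SHA-256-prefix key check value are this example's own assumptions; secure distribution and backup, which would require wrapping the key under a key-encryption key, are outside what it models.

```python
"""Key life-cycle state machine for a data-encryption key (added example).

Times are plain Unix timestamps (integers) so the model can be exercised
without any external service. Nothing here is PCI DSS terminology; the
state names and transition table are assumptions made for this example.
"""
import hashlib
import secrets
import time

# Life-cycle states (example names, not PCI DSS terms)
PRE_ACTIVE = "pre-active"    # generated but not yet released for use
ACTIVE = "active"            # may be used to protect data
DEACTIVATED = "deactivated"  # retired by rotation or crypto-period expiry
COMPROMISED = "compromised"  # suspected exposure; must never be used again
DESTROYED = "destroyed"      # material overwritten; terminal state

# Permitted transitions: anything not listed here is refused
TRANSITIONS = {
    PRE_ACTIVE: {ACTIVE, DESTROYED},
    ACTIVE: {DEACTIVATED, COMPROMISED},
    DEACTIVATED: {DESTROYED, COMPROMISED},
    COMPROMISED: {DESTROYED},
    DESTROYED: set(),
}


class KeyLifecycleError(Exception):
    """Raised when a key is used or moved outside its permitted life cycle."""


def key_check_value(material: bytes) -> str:
    """Short fingerprint (assumed scheme: SHA-256 prefix) used to confirm that
    the expected key was loaded without revealing the key itself."""
    return hashlib.sha256(material).hexdigest()[:6]


class ManagedKey:
    def __init__(self, key_id: str, length: int = 32,
                 crypto_period_s: int = 365 * 86400):
        # Generation: CSPRNG-backed material kept in a mutable buffer so that
        # destruction can overwrite it in place rather than just drop a reference.
        self.key_id = key_id
        self._material = bytearray(secrets.token_bytes(length))
        self.kcv = key_check_value(bytes(self._material))
        self.crypto_period_s = crypto_period_s
        self.state = PRE_ACTIVE
        self.activated_at = None
        self.audit = []  # (timestamp, from_state, to_state)

    def _transition(self, new_state: str, now: int) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise KeyLifecycleError(
                f"{self.key_id}: {self.state} -> {new_state} is not permitted")
        self.audit.append((now, self.state, new_state))
        self.state = new_state

    def activate(self, now: int) -> None:
        self._transition(ACTIVE, now)
        self.activated_at = now

    def expires_at(self) -> int:
        return self.activated_at + self.crypto_period_s

    def use(self, now: int) -> bytes:
        """Hand out key material for an operation, only while ACTIVE and
        inside the crypto-period; every other state is refused."""
        if self.state != ACTIVE:
            raise KeyLifecycleError(f"{self.key_id} is {self.state}, not usable")
        if now >= self.expires_at():
            raise KeyLifecycleError(f"{self.key_id} crypto-period has expired")
        return bytes(self._material)

    def deactivate(self, now: int) -> None:
        self._transition(DEACTIVATED, now)

    def mark_compromised(self, now: int) -> None:
        self._transition(COMPROMISED, now)

    def destroy(self, now: int) -> None:
        """Destruction: record the transition, then zeroise the buffer in place."""
        self._transition(DESTROYED, now)
        for i in range(len(self._material)):
            self._material[i] = 0

    def is_zeroised(self) -> bool:
        return all(b == 0 for b in self._material)


def rotate(old: ManagedKey, new_id: str, now: int) -> ManagedKey:
    """Rotation: activate the successor before retiring the old key so there
    is never a moment without an active key; the old key stays recoverable
    (DEACTIVATED) for decrypting data until it is explicitly destroyed."""
    if old.state != ACTIVE:
        raise KeyLifecycleError(f"{old.key_id} is {old.state}; nothing to rotate")
    new = ManagedKey(new_id, len(old._material), old.crypto_period_s)
    new.activate(now)
    old.deactivate(now)
    return new


if __name__ == "__main__":
    now = int(time.time())
    k1 = ManagedKey("dek-1", crypto_period_s=30 * 86400)
    k1.activate(now)
    k2 = rotate(k1, "dek-2", now + 30 * 86400)
    k1.destroy(now + 40 * 86400)
    for entry in k1.audit:
        print(entry)
```

The point of the transition table is that policy is enforced by the key object itself rather than by the discipline of whoever calls it: a destroyed or compromised key cannot be reactivated, material is never returned outside the crypto-period, and the audit list gives an assessor the evidence that each phase actually happened.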