
PCI-DSS Requirements

Andreas Lalos

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data.

All the requirements of the standard are grouped into the following 6 categories (goals), which are set out below together with the requirements under each goal:

GOALS AND REQUIREMENTS

1. Build and Maintain a Secure Network and Systems
   1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program
   5. Protect all systems against malware and regularly update anti-virus software or programs
   6. Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
   7. Restrict access to cardholder data by business need to know
   8. Identify and authenticate access to system components
   9. Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes

6. Maintain an Information Security Policy
   12. Maintain a policy that addresses information security for all personnel

The standard thus takes a holistic approach to information security, covering both the network and operational security level and the management level.

With regard to building and maintaining a secure network, regularly monitoring and testing the network, and maintaining a vulnerability management program to protect credit card data when it is stored, transmitted or processed, the standard focuses on the presence and implementation of firewall solutions, measures to protect wireless networks, and data encryption.

Requirements 1.1.3, 1.3.8, 1.3.9 and 6.6 cover the need to separate networks with different trust levels. More specifically, the standard requires:

  • Installing firewalls between the internal network and the internet, as well as between the internal network and each DMZ,

  • Installing perimeter firewalls between each wireless network and the environment in which cardholder data is stored, processed or transmitted,

  • Installing personal firewalls on any employee computer that has access to both the internet and the corporate network,

  • Installing an application-layer firewall in front of any web-facing application.

Through requirements 2.11, 4.1.1 and 11.1, the standard recognizes the security weaknesses of wireless networks and requires that they be properly protected. More specifically, since October 2008 PCI DSS has required the use of WPA or WPA2 instead of WEP. In addition, regular checks are required for any unauthorized wireless access to the corporate network. Requirement 11.3 also specifies periodic penetration tests at both the network and the application level.

Through requirements 3.4, 3.5, 3.6 and 4.2, the standard treats encryption of the Primary Account Number (PAN), the minimum cardholder data element that is stored, processed or transmitted, as critical, both when it is stored in a database and when it is sent via email. Appropriate processes must also be in place for the secure management of the encryption and decryption keys (depending on the cryptographic method selected).
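As an added example that is not part of the original article, the following Python scanner shows one practical consequence of requirement 3.4: a PAN written in cleartext to an application log is stored data that has not been rendered unreadable. It assumes the standard Luhn check to filter out false positives and runs over constructed log lines that use publicly known test card numbers.

```python
import re

# PCI DSS 3.4: a cleartext PAN in a log file is a storage violation. This
# scanner finds 13-19 digit candidates, drops false positives with the Luhn
# check, and reports only a masked form (first six / last four, the most
# requirement 3.3 allows to be displayed) so the report itself does not leak.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check that every card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return the masked PANs found in text (Luhn-valid candidates only)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found

def scan_log(lines) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every cleartext PAN in lines."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]

# Constructed sample log; the card numbers are publicly known test numbers.
SAMPLE_LOG = [
    "2024-03-01 10:00:01 INFO payment ok card=4111111111111111 amount=19.99",
    "2024-03-01 10:00:02 INFO payment ok card=5555 5555 5555 4444 amount=5.00",
    "2024-03-01 10:00:03 INFO order id=1234567890123456 status=shipped",
    "2024-03-01 10:00:04 INFO payment declined card=4111111111111112",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN {masked}")  # lines 1 and 2 only
```

The order id on line 3 and the mistyped number on line 4 are 16 digits long but fail the Luhn check, so only the two real test PANs are reported.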

With regard to the management approach to information security, the standard focuses on creating an Information Security Policy. Through a whole set of requirements, 12.1 to 12.10, the standard identifies the need to create, maintain and communicate to personnel a security policy that addresses the information security issues required by the standard and that results from the periodic Risk Assessment of the environment in which data is transmitted, processed or stored. It also requires that procedures be defined to manage the relationship of the organization with its service providers.

Within this same group of requirements, special attention is given to staff awareness and training. In particular, requirements 12.6 and 12.9.4 require the adoption of an awareness program on the importance of credit card data security, as well as training for the staff responsible for responding to security incidents.

The above requirements make up the set of PCI DSS requirements for the secure storage, transmission and processing of credit card data. Compliance with this set is achieved in 3 iterative steps:

  • Assess: includes the Risk Assessment process, in which the assets, namely the information resources and business processes involved in handling credit card data, are evaluated. The assessment identifies the vulnerabilities of those assets which, if exploited, could threaten data security.

  • Remediate: includes the procedures for correcting and improving the weaknesses identified in the Risk Assessment.

  • Report: includes documenting the evidence that the corrective and improvement procedures have been carried out, and submitting it to the certification bodies.

By following these 3 steps, continuous compliance with the PCI DSS requirements is achieved and a protective perimeter is built around credit card data. This comes from repeating the 3 steps in cycles: each time the risk assessment process is repeated, the information security measures are improved further.