PCI DSS: Home
The PCI DSS v4.0 (Mar 2022) is an overwhelming document of 360 pages. In this blog series, we will break it down into bite-sized chunks and try to understand what it is, why it matters and how to become PCI DSS compliant.
History
Source: wikipedia.org
The major card brands had five different security programs:
- Visa’s Cardholder Information Security Program
- Mastercard’s Site Data Protection
- American Express’s Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. To address interoperability problems among the existing standards, the combined effort by the principal credit-card organizations resulted in the release of version 1.0 of PCI DSS in December 2004. PCI DSS has been implemented and followed worldwide. The latest version is PCI DSS v4.0 which was released in March 2022.
Non-Compliance
The PCI DSS is a standard rather than a law, and it’s enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.
As a result, the way penalties work differs from many other data protection regulations.
NOTE: The standard itself doesn't levy a one-off fine for non-compliance. The payment brands fine the acquiring bank, which typically passes the cost on to the merchant under its contract, and commonly cited penalties range from $5,000 to $100,000 a month until compliance is achieved.
Important Terms, Abbreviations And Acronyms
Account Data
Account data consists of cardholder data and/or sensitive authentication data.
Cardholder Data (CHD)
At a minimum, cardholder data consists of the full PAN (Primary Account Number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.
Sensitive Authentication Data (SAD)
Security-related information used to authenticate cardholders and/or authorize payment card transactions. This information includes, but is not limited to, card verification codes/values (CVV2, CVC2, CID and the like), full track data (from the magnetic stripe or its equivalent on a chip), PINs and PIN blocks. Unlike CHD, SAD must not be retained after authorization, even in encrypted form (Requirement 3.3.1).
Cardholder Data Environment (CDE)
The CDE is comprised of:
- The system components, people, and processes that store, process, or transmit cardholder data or sensitive authentication data.
- System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
PCI DSS Breakdown
Build And Maintain A Secure Network And Systems
- Requirement 1: Install and maintain network security controls
- Requirement 2: Apply secure configurations to all system components
Protect Account Data
- Requirement 3: Protect stored account data
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain A Vulnerability Management Program
- Requirement 5: Protect all systems and networks from malicious software
- Requirement 6: Develop and maintain secure systems and software
Implement Strong Access Control Measures
- Requirement 7: Restrict access to system components and cardholder data by business need to know
- Requirement 8: Identify users and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor And Test Networks
- Requirement 10: Log and monitor all access to system components and cardholder data
- Requirement 11: Test security of systems and networks regularly
Maintain An Information Security Policy
- Requirement 12: Support information security with organizational policies and programs
Additional Requirements (Appendices)
- Appendix A1: Multi-tenant service providers
- Appendix A2: Entities using SSL/early TLS for card-present POS POI terminal connections
- Appendix A3: Designated entities supplemental validation (DESV)