Getting Started with the PCI Data Security Standard
PCI security for merchants and payment card processors is the vital result of applying the information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.
To Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. To Remediate is the process of fixing those vulnerabilities. To Report entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands you do business with. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.
PCI Data Security Standard Requirements
PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.
Step 1 – Assess
The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored by your business. Study the Payment Card Industry Data Security Standard (PCI DSS)PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process – including PCs and laptops that access critical systems, storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.
Note: your liability for PCI compliance also extends to third parties involved with your process flow, so you must also confirm that they are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploits and where to direct remediation.
Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
Qualified Assessors. The Council provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Click here for details and links to qualified assessors.
Step 2 – Remediate
Remediation is the process of fixing vulnerabilities – including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:
- Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities
- Review and remediation of vulnerabilities found in on-site assessment (if applicable) or through the Self-Assessment Questionnaire process
- Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious
- Applying patches, fixes, workarounds, and changes to unsafe processes and workflow
- Re-scanning to verify that remediation actually occurred
Step 3 – Report
Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large flows must do an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual Attestation within the Self-Assessment Questionnaire. For more details, talk to your acquirer.