What is PCI DSS?

  • The PCI DSS (Payment Card Industry Data Security Standard) was established in 2004 by the major card brands (i.e., Visa, MasterCard, American Express, Discover Financial Services, and JCB International).
  • The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents.
  • It applies to any entity that stores, processes and/or transmits cardholder data (CHD).

PCI DSS Version History

Version   Release date
1.0       Dec 2004
1.1       Sep 2006
1.2       Oct 2008
1.2.1     Aug 2009
2.0       Oct 2010
3.0       Nov 2013
3.1       Apr 2015
3.2       Apr 2016

PCI DSS 3.2 Implementation Dates

  • Version 3.2 was released in April 2016.
  • Service providers and merchants can start applying the requirements of version 3.2 from May 1, 2016.
  • Version 3.1 was valid until Oct 31, 2016.
  • After that date, 3.2 must be applied by service providers and merchants.
  • Controls marked as new requirements become mandatory by Feb 1, 2018.

In scope vs. out of scope

  • These terms determine whether a company needs to be PCI DSS compliant or not.
  • If your people, processes, tools or applications process, store or transmit cardholder data, you are in scope for PCI DSS compliance.
  • If you use a third-party service provider to do the same, you are out of scope for PCI DSS compliance.

PCI DSS is a standard, not a rule

  • This is very important to understand when we are trying to get our company certified as PCI DSS compliant.
  • PCI DSS itself is a non-governmental organization, and the 12 requirements it gives us are treated as best practices or standards.
  • Even after becoming PCI DSS compliant, we cannot guarantee that cardholder data is 100% secure.
  • However, if you follow all 12 PCI DSS requirements, the risk of being hacked can be reduced by up to 71%.

PCI DSS Six Goals

  • Build and Maintain a Secure Network.
  • Protect Cardholder Data.
  • Maintain a Vulnerability Management Program.
  • Implement Strong Access Control Measures.
  • Regularly Monitor and Test Networks.
  • Maintain an Information Security Policy.

Build and Maintain a Secure Network (req. 1 & 2)

  • PROTECT YOUR SYSTEM WITH FIREWALLS
    • Install a hardware and software firewall.
    • Tweak firewall configuration for your system.
    • Have strict firewall rules.
  • USE ADEQUATE CONFIGURATION STANDARDS
    • Avoid using default passwords.
    • Harden your systems.
    • Implement system configuration management.

Protect Cardholder Data (req. 3 & 4)

  • PROTECT STORED CARDHOLDER DATA
    • Encrypt stored card data.
    • Find where card data is held.
    • Craft your card flow diagram.
  • SECURE DATA OVER OPEN AND PUBLIC NETWORKS
    • Know where data is transmitted and received.
    • Encrypt all transmitted cardholder data.
    • Stop using SSL and early TLS where possible.
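As an added example (not part of the original slides), here is a small Python scanner for the "find where card data is held" step of requirement 3: it looks for digit runs of 13 to 19 digits in files or logs, keeps only those that pass the Luhn checksum, and reports them truncated to the first six and last four digits so that the report itself does not become a new store of cardholder data. The sample lines are constructed for illustration; the two card numbers in them are the widely published Visa and Mastercard test numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (avoids slicing longer numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid PAN candidates (digits only) found in a line of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Truncate for display: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_file_lines(lines):
    """Report (line number, masked PAN) pairs; never emit a full PAN into the report."""
    report = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            report.append((n, mask_pan(pan)))
    return report


# Constructed sample: an application log that should never contain PANs in the clear.
SAMPLE_LINES = [
    "2016-05-01 order=123 card=4111 1111 1111 1111 amount=19.99",   # Visa test number, Luhn-valid
    "2016-05-01 trace id 1234567890123456 (not a card number)",     # 16 digits but fails Luhn
    "2016-05-01 order=124 card=5555-5555-5555-4444 amount=5.00",    # Mastercard test number
]

if __name__ == "__main__":
    for lineno, masked in scan_file_lines(SAMPLE_LINES):
        print(f"line {lineno}: possible PAN {masked}")
```

Every hit a scan like this produces is a location that must either be brought into scope (encrypted at rest, access-restricted and logged) or cleaned up; the Luhn check removes most order IDs and trace numbers, but a human still has to confirm each finding before deciding.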

Maintain a Vulnerability Management Program (req. 5 & 6)

  • PROTECT SYSTEMS WITH ANTIVIRUS
    • Create a vulnerability management plan.
    • Regularly update antivirus.
    • Maintain an up-to-date anti-malware program.
  • UPDATE YOUR SYSTEMS
    • Consistently update your systems.
    • Patch all critical systems and software.
    • Establish software development processes.

Implement Strong Access Control Measures (req. 7, 8 & 9)

  • RESTRICT ACCESS
    • Restrict access to cardholder data.
    • Document who has access to the card data environment.
    • Establish an access control system.
  • USE UNIQUE ID CREDENTIALS
    • Use unique ID credentials for every employee.
    • Change ID credentials.
    • Configure multi-factor authentication.
  • ENSURE PHYSICAL SECURITY
    • Control physical access at your workplace.
    • Keep track of POS terminals.
    • Train your employees often.

Regularly Monitor and Test Networks (req. 10 & 11)

  • IMPLEMENT LOGGING AND LOG MONITORING
    • Implement logging and alerting.
    • Establish log management.
    • Create log management system rules.
  • CONDUCT VULNERABILITY SCANS AND PENETRATION TESTING
    • Know your environment.
    • Run vulnerability scans quarterly.
    • Conduct a penetration test.
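An added example, not from the original slides, of the "implement logging and alerting" step of requirement 10: a small Python detector that parses constructed sshd-style log lines, ignores hosts outside the cardholder data environment, and raises an alert when one source address accumulates five failed logins against a CDE host within ten minutes or when a successful login follows such failures. The host names (db-cde-01, app-cde-01), addresses, thresholds and log lines are all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH-style "Failed/Accepted password" lines with an ISO timestamp prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Hypothetical hosts inside the cardholder data environment (assumed for the example).
CDE_HOSTS = {"db-cde-01", "app-cde-01"}
FAIL_THRESHOLD = 5            # failures from one source before alerting
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict of fields for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines):
    """Run the rules over log lines in order and return the list of alert strings."""
    alerts = []
    fails = defaultdict(list)   # (host, source ip) -> timestamps of recent failures
    flagged = set()             # keys already alerted on, to avoid repeating the alert
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["host"] not in CDE_HOSTS:
            continue
        key = (ev["host"], ev["ip"])
        if ev["result"] == "Failed":
            # keep only failures inside the sliding window, then add this one
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= WINDOW]
            fails[key].append(ev["ts"])
            if len(fails[key]) >= FAIL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(f"brute-force: {len(fails[key])} failures on {ev['host']} from {ev['ip']}")
        else:
            # a success right after repeated failures is the pattern worth a human look
            if fails[key]:
                alerts.append(f"success-after-failures: {ev['user']} on {ev['host']} from {ev['ip']}")
    return alerts


# Constructed sample log: five failures then a success from one address against a CDE host,
# plus noise from a non-CDE host and a line the parser should skip.
SAMPLE_LOG = [
    "2016-05-01T10:00:01 db-cde-01 sshd[4123]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2",
    "2016-05-01T10:00:05 db-cde-01 sshd[4124]: Failed password for dbadmin from 203.0.113.9 port 51123 ssh2",
    "2016-05-01T10:00:09 db-cde-01 sshd[4125]: Failed password for dbadmin from 203.0.113.9 port 51124 ssh2",
    "2016-05-01T10:00:14 db-cde-01 sshd[4126]: Failed password for dbadmin from 203.0.113.9 port 51125 ssh2",
    "2016-05-01T10:00:20 db-cde-01 sshd[4127]: Failed password for dbadmin from 203.0.113.9 port 51126 ssh2",
    "2016-05-01T10:00:31 db-cde-01 sshd[4128]: Accepted password for dbadmin from 203.0.113.9 port 51127 ssh2",
    "2016-05-01T10:01:00 web-public-01 sshd[77]: Failed password for bob from 198.51.100.4 port 40000 ssh2",
    "2016-05-01T10:01:02 db-cde-01 kernel: eth0 link up",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The point of scoping the rule to CDE hosts is that requirement 10 is about the card data environment: a rule that fires on every public web server produces noise nobody reads, while the same rule on a handful of in-scope hosts produces alerts worth acting on. In production the same logic would run inside the log management system rather than as a script.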

Maintain an Information Security Policy (req. 12)

  • START DOCUMENTATION AND RISK ASSESSMENTS
    • Document everything.
    • Implement a risk assessment process.
    • Create an incident response plan.

Data Breach fines

Total possible cost: $50,000 – $773,000+
Merchant processor compromise fine: $5,000 – $50,000
Card brand compromise fees: $5,000 – $500,000
Forensic investigation: $12,000 – $100,000
Onsite QSA assessments following the breach: $20,000 – $100,000
Free credit monitoring for affected individuals: $10 – $30 per card
Card re-issuance penalties: $3 – $10 per card
Security updates: $15,000+
Lawyer fees: $5,000+
Breach notification costs: $1,000+
Technology repairs: $2,000+

Trivia - 1

  • With the arrival of the GDPR, any company that does business in EU countries can be fined for failing to protect personal information, which includes payment card data; the fine is up to €20 million (about £17.8 million) or 4% of annual global turnover, whichever is greater.