In a previous article, we discussed the subject of penetration testing, its issues and its indications. One of these guidelines is the PCI-DSS compliance check, which includes a requirement for vulnerability testing every 90 days. But what exactly is PCI-DSS? Does it apply to your business? What are the requirements, and what is at stake in this standard?
What Exactly Is PCI-DSS?The Payment Card Industry – Data Security Standard is a standard that applies to all actors in the payment chain: anyone who processes, transmits and stores payment card information is concerned. Initially founded by the 5 major card companies, this standard is now managed by an independent agency, the PCI Security Standards Council (PCI-SSC). The standard defines two categories:
- The merchant: any company or individual that accepts card payments. It is to the merchant that the customer gives his information as a cardholder, and represents the first link in the electronic payment chain;
- The Service Provider, or hosting provider: any company that stores, processes, or transmits payment card information on behalf of another company. These service providers can be thought of as intermediaries that provide various payment services to merchants. Some companies are considered to be both merchants and service providers: a telecommunications company, for example, receives card information from a customer for payment, and at the same time enables its transmission. They are therefore considered both a merchant and a service provider.
The Challenges of PCI-DSSThe PCI-DSS standards exist to protect not only end users, but also all links in the chain: preventing bank data theft through a set of restrictive but comprehensive standards strengthens the protection of users, intermediaries, banks and merchants. It is also a standard that has become mandatory to follow in most cases, to deal with Visa, Mastercard, JCB, Discover, American Express, and virtually all credit card issuers. This is why a comprehensive data security policy must be considered, and also maintained, through regular vulnerability testing and penetration testing.
PCI-DSS RequirementsThe PCI-DSS consists of 12 sections, each of which is intended to contribute to the security of cardholder data. These requirements can be summarised by the following objectives:
|Intended Goal||PCI-DSS Requirement|
Build and Maintain a Secure Network and Systems
1. Installing and maintaining a firewall configuration to protect cardholder data.
2. Changing vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protecting stored cardholder data.
4. Encrypting transmission of cardholder data over open, public networks.
Maintain a Vulnerability Management Program
5. Protecting all systems against malware and performing regular updates of anti-virus software.
6. Developing and maintaining secure systems and applications.
Implement Strong Access Control Measures
7. Restricting access to cardholder data to only authorized personnel.
8. Identifying and authenticating access to system components.
9. Restricting physical access to cardholder data.
Regularly Monitor and Test Networks
10. Tracking and monitoring all access to cardholder data and network resources.
11. Testing security systems and processes regularly.
Maintain an Information Security Policy
12. Maintaining an information security policy for all personnel.
Compliance AssessmentTo certify the compliance of an information system with the PCI-DSS standards, an external entity, called Qualified Security Assessors (QSA), will either produce a Report of Compliance (ROC) or assist the company in completing a Self-Assessment Questionnaire (SAQ). There are 4 levels of PCI-DSS compliance for merchants, depending on the volume of transactions they process annually:
|Merchant Level||E-commerce Transactions|
Volume (Per Year)
1. Report of Compliance + Certification of Compliance (ROC + AOC) following an annual audit done by a QSA
2. Vulnerability scan, including a comprehensive penetration test
|2||1 to 6 million|
2. Vulnerability scan
3. PCI-DSS Certification of Compliance (AOC)
|3||20,000 to 1 million|
|4||Fewer than 20,000|