What is PCI DSS?

Q: Where did PCI DSS come from? What are its goals? And what do the acronyms CISP, SDP, DSOP and DISC stand for?
A: The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to help facilitate the adoption of consistent data security measures globally. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to proactively protect customer account data. The card brands each have their own programs that help merchants enforce compliance with the PCI DSS. The PCI Security Standards Council was founded in 2006 to oversee the standard itself, but each of the card brands issues fines and fees and schedules deadlines through their own enforcement programs.
Q: Are all merchants and service providers required to comply with the PCI DSS?
A: Yes. All entities (merchants or service providers) that store, process or transmit cardholder data must comply with the PCI DSS. The requirements apply to all acceptance channels, including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce. Validation requirements vary depending on the number of transactions an entity processes.
Q: Is this a one-time requirement?
A: No. PCI DSS compliance is an ongoing process. Validation actions vary depending on the actual number of transactions you process. However, the credit card associations require all merchants to comply with PCI DSS at all times. There are two main components of validation:
  1. Completing the PCI Self-Assessment Compliance Questionnaire annually
  2. Undergoing Vulnerability Scans performed by an Approved Scanning Vendor quarterly
Q: What are the requirements for PCI DSS?
A: There are 12 requirements that fall into six categories:
  1. Build and Maintain a Secure Network: Install and maintain a firewall, and use unique, high-security passwords, with special care to replace default passwords.
  2. Protect Cardholder Data: Whenever possible, do not store cardholder data. If there is a business need, you must protect this data. You must also encrypt any data passed across public networks, including your shopping cart and web-hosting providers.
  3. Maintain a Vulnerability Management Program: Use anti-virus, and keep it up date. Develop and maintain secure operating systems and payment applications. Ensure the applications you use are compliant (see www.visa.com/cisp).
  4. Implement Strong Access Control Measures: Access – both electronic and physical access – to cardholder data should be on a “need-to-know” basis. Ensure those people with access have a unique ID and password. Do not share login information.
  5. Regularly Monitor and Test Networks: Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes: firewalls, patches and anti-virus.
  6. Maintain an Information Security Policy: It’s critical that your organization has a resource for how data security is handled at your business. Ensure you have a policy and that it’s disseminated and updated regularly.
Q: How is “cardholder data” defined?
A: Cardholder data is the full magnetic stripe or the Primary Account Number (PAN) plus any of the following:
  • Cardholder name
  • Expiration date
  • Service code
The PCI DSS applies to any of this cardholder data that is stored, processed or transmitted.
Q: Can I store magnetic stripe data? How about the CVV2 and CVC?
A: It is never acceptable to store magnetic stripe data after authorization of the transaction. It is also never acceptable to retain CVV2 and CVC (the last three digits printed on the signature panel) after transaction authorization.
Q: Who is BASYS?
A: BASYS is the leading provider of on-demand data security and payment card industry compliance management solutions to businesses across the United States.
Q: What is the PCI Self-Assessment Questionnaire?
A: The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI DSS. In February 2008, the PCI Security Standards Council released four versions of the questionnaire to account for different merchant environments.
  • SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing and transmission.
  • SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.
  • SAQ C: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.
  • SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.
Q: What is a network vulnerability scan?
A: A vulnerability scan is an automated, non-intrusive scan that assesses your network and web applications from the Internet (on the external-facing IPs). The scan will identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data.
Q: What if I fail the scan?
A: If you fail the network vulnerability scan, this means that the scan discovered areas of vulnerability in your network of high severity. We will help guide you to remediate a failed scan and work toward achieving compliance. A report will provide a description of the identified issues and resources to begin fixing the problems. You’ll need to address each of the problems and then schedule a directed scan to ensure your remediation of the problem meets the PCI DSS.
Q: What is a directed scan?
A: Many times a vulnerability scan will discover vulnerabilities that need to be resolved in order to maintain compliance. Once you resolve these vulnerabilities, a directed scan can be run upon your request to verify that you have resolved any compliance issues. You may also run a directed scan after you have made changes to your network to ensure that the changes have not affected your compliance status. These are additional scans above and beyond the regular quarterly scans.
Q: What are the penalties and fines associated with a security breach?
A: Per the card associations, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, fraudulent purchases and re-issuing of cards. Please note that you may also lose your credit card acceptance privileges.
Q: Do I have to use a QSA? Where do I find one?
A: Yes, you must use a Qualified Security Assessor that has been approved by Visa and MasterCard. A list of approved Qualified Data Security Companies can be found on the Visa website at www.visa.com/cisp. Trustwave is both a QSA and an Approved Scan Vendor (ASV) for the card associations.
Q: What if my business does not go through this compliance procedure?
A: If you do not comply with the security requirements of the card associations, you put your organization at risk of payment card compromise. You may also be fined by the card associations for noncompliance.
Q: Can our internal staff validate our compliance?
A: No. The card associations require that you use an Approved Scanning Vendor to perform the quarterly vulnerability scans. However, your internal staff can complete the Annual PCI Self-Assessment Questionnaire.
Q: We don’t have time for this. How long will this take?
A: The length of the process varies. Once noncompliance issues have been identified, the length of time it takes an organization to implement solutions to resolve the issues will affect the length of the PCI DSS compliance process. The length of time also varies depending on the resolution and the complexity of the environment.