Monday, January 2, 2017

Payment Card Industry Data Security Standard - PCI DSS




PCI DSS fundamentals

PCI DSS requirements apply to any organisation that stores or transmits the following:

Primary Account Number
Cardholder Name
Expiration Date
Service Code
Full track data *
CAV2/CVC2/CVV2/CID *
PIN *

* These items are deemed extremely sensitive and cannot be stored after authorisation, even if encrypted.

PCI DSS applies to all system components in the CDE (Cardholder Data Environment). The CDE comprises the people, processes and technologies that store, process or transmit cardholder data (as listed above).



Merchant Levels

There are different levels of merchant, Level 1 through Level 4, with Level 1 being the highest. In general, merchant level is determined by transaction volume, and the classification varies between card brands (Amex, Visa and Mastercard).

There is a misconception that the degree to which you must comply with PCI DSS varies among the different levels. In fact, merchants must comply with the entire DSS regardless of their level. The only variant is the way and frequency in which compliance is reported upstream. The exact scope of compliance validation is determined by merchant level (transaction volume, card brand, and method of accepting cards). Also, if a merchant has been subject to a hack that has left card data compromised, this raises them to Level 1!

Level 1    ASV scan, QSA on-site assessment
Level 2    ASV scan, SAQ self-assessment
Level 3    ASV scan, SAQ self-assessment
Level 4    ASV scan if requested by acquirer, SAQ self-assessment

Notes:
ASV = Approved Scanning Vendor
SAQ = Self-Assessment Questionnaire



PCI DSS Scope
The first step in a PCI DSS assessment is to determine the scope of the CDE; this must then be revisited at least annually. As mentioned, the CDE comprises the people, processes and technologies that store, process or transmit cardholder data. Scoping needs to identify all locations and flows of cardholder data, and all systems that are connected to the CDE or that, if compromised, could impact it.

To achieve this goal:
i)              Document the existence of all cardholder data in the environment
ii)             Any cardholder data found IS in scope of PCI DSS
iii)            The only way to de-scope it is to delete or migrate the data
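Step i) above (finding where cardholder data actually lives) and the earlier rule that sensitive authentication data must never be stored after authorisation are both things a practitioner ends up scripting. The following is an added example, not code from the original post: it scans free text (logs, exports, database dumps) for candidate PANs, keeps only those that pass the Luhn check to cut down false positives, reports them masked to the first six and last four digits (the most PCI DSS allows to be displayed), and sanitises a transaction record before storage by dropping the SAD fields and truncating the PAN. The sample log lines are constructed and use the well-known card-brand test numbers; the field names in SAD_FIELDS are assumptions about how a given system labels these values.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Field names this example assumes for sensitive authentication data (SAD):
# full track data, card verification values and PINs must never be persisted
# after authorisation, even encrypted.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "cav2", "cid",
              "pin", "pin_block", "track1", "track2", "track_data"}

# Constructed sample log: one Luhn-invalid order id, two valid test PANs, a phone number.
SAMPLE_LOG = """\
2017-01-02 10:14:03 checkout order=1234567890123 card=4111-1111-1111-1111 cvv=123 status=approved
2017-01-02 10:15:41 support callback tel=0161 555 0100 ref=5555555555554444
"""


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN to first six and last four digits, e.g. 411111******1111."""
    digits = re.sub(r"[^0-9]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Find Luhn-valid PAN candidates in text; return offsets and masked values only.

    The unmasked PAN is never returned, so the scan report itself does not
    become another place where cardholder data is stored.
    """
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[^0-9]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"offset": m.start(), "masked": mask_pan(digits)})
    return findings


def sanitise_for_storage(record):
    """Drop SAD fields and truncate the PAN before a transaction record is persisted."""
    out = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue                      # SAD is discarded, never written
        if name == "pan":
            out[key] = mask_pan(str(value))
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print("PAN at offset %d: %s" % (hit["offset"], hit["masked"]))
    auth_response = {"pan": "4111111111111111", "name": "A Smith",
                     "expiry": "12/19", "cvv2": "123", "track2": "constructed"}
    print(sanitise_for_storage(auth_response))
```

Run against a real export the scanner will still produce false positives (long numeric identifiers that happen to pass Luhn), so treat each hit as a lead for the scoping exercise rather than a verdict; anything confirmed as a PAN is in scope until it is deleted or migrated.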

One common strategy to limit PCI DSS scope is network segmentation: physically or logically separating the CDE from the rest of the network.




PCI Requirements
PCI DSS comprises 12 requirements that cover a wide array of business areas.