What is the PCI DSS (PCI Data Security Standards)?
By the Payment Card Industry Security Standards Council introduced worldwide Payment Card Industry Data Security Standard (PCI DSS). The standard was created to help organizations that process card payments (instant check out) prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission
The current version of the standard specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.”
Here is set of control objectives and PCI DSS.
A. Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
B. Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
C. Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
D. Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
E. Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
F. Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI DSS history and updates release information.
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. Version 1.2 was released on October 1, 2008. Version 1.1 “sunsetted” on December 31, 2008. v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.
Author: Gaurav Maniar – MCITP – Windows Server Specialist
Window Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure