This article provides detailed information and acts as a guide to help IT managers, fintech managers, management executives and stakeholders understand how PCI DSS compliance applies to their organization's handling of customers' payment card data.
PCI-DSS compliance
The main objective is to eliminate the interoperability problems among the card brands' earlier separate standards and to gradually reduce payment card fraud. Since the release of version 1.0 in December 2004, it has been widely recognized and implemented across the globe.
In addition, teams such as IT security management, network, server, application development, database management, legal, marketing, sales, HR and front-line management, as well as anyone interested in payment security, are responsible for making the implementation successful.
The Payment Card Industry Security Standards Council (PCI SSC) 💳 was formed in September 2006 by five multinational financial-services corporations, four American and one Japanese: American Express, Discover, MasterCard, Visa Inc. and JCB International. PCI DSS version 1.0 itself predates the Council; it was released in December 2004.
Image Source: Payment Card Industry-Security Standards Council (PCI SSC).
You may be wondering what on earth 😇 made these giants come together to create and accept one common industry data security standard. The business model says it all: their products and services all run on the same underlying payment instruments, most commonly gift cards, credit cards, debit cards and prepaid cards, so a breach at any merchant damages trust in all of them. Each founding organization put its objectives, principles, values and policies before the council members, and one point deserves emphasis: all founding members share equal ownership, governance and execution rights in the PCI DSS's work.
Through this Council, the Payment Card Industry Data Security Standard (PCI DSS) has been maintained and published ever since.
The following versions of the PCI DSS have been made available to the general public and organizations:
Figure1.Payment Card Industry Data Security Standard (PCI DSS)-Versions.
Please note that version 4.0 is in the release stage to the general public. Here is the timeline, for your understanding; I hope it satisfies your excitement!
Figure 2. Payment Card Industry Data Security Standard (PCI DSS)-Version 4.0.
Applicable Audience: Who Must Comply?
It applies to every company that accepts or processes electronic payment transactions through debit, credit or prepaid cards, stores customers' card data, or handles any other personally identifiable information (PII) tied to payment card transactions. In 2019, more than 1.92 billion people purchased goods and services online.
Statistics to bite: in exchange for goods or services, merchants across the globe, from micro sellers to the largest chains, handle card data at an enormous number of locations. A recent MasterCard presentation at a payment security conference cited a striking figure: more than 37,000,000 (37 million) merchant locations where payment card data is stored.
Visa Inc., for its part, states that it works with over 46,000,000 (46 million) merchant locations worldwide, and that its network can process 65,000+ transaction messages per second.
Figure 3. Card brands ranked by acceptance locations. Source: Nilson Report.
Merchants at each of those locations could be storing weeks, months or years of customers' payment card data in places where intruders (identity thieves, a.k.a. hackers) come to prey on it.
During the same year, E-commerce sales surpassed 3.5 trillion U.S. dollars worldwide, and growth will accelerate even further in the next 5 years.
Merchant Level metrics:
There are 4 merchant levels, and the level is determined by how many transactions you process annually, as shown in Figure 4. The thresholds are set by each card brand (the figure follows Visa's), and the level decides what validation is required: an on-site assessment for Level 1 and a self-assessment questionnaire for the lower levels.
Figure4. Total transactions per annum.
The numbers at each level tell you which validation process applies. When any business, whether micro, SMB or large, fails to comply with PCI DSS and fails to safeguard cardholder data and reduce the risks to it, it may face penalties running into millions of dollars, levied by the card brands through its acquiring bank.
Service Provider Level metrics:
Figure 5. Service Provider Level metrics.
The goal of PCI DSS:
To reduce the fraud risk of payment card transactions by motivating merchants and service providers to protect card data.
What matters to the organization is that PCI DSS aims at reducing the fraud risk of transactions, and it seeks to accomplish that by persuading merchants and service providers around the globe to pay close attention to the key aspects of data security: network security, system security, web application security, security awareness and security policy.
The highlight of the standard is that it encourages merchants to stop storing cardholder data altogether and to conduct their business in a way that eliminates costly and risky data storage and on-site data processing: data you do not hold cannot be stolen from you.
Governance, Risk management, and Compliance (GRC):
Alright, before getting into PCI DSS compliance in detail, it is worth understanding what Governance, Risk management and Compliance (GRC) means. Feel free to march forward; it takes two or three minutes.
In 2007, research on GRC examined three key organizational practices: governance, risk management and compliance. GRC is a structured approach whose motto is to "achieve objectives, address uncertainty and act with integrity". By managing risk and meeting compliance obligations, an organization can align IT with its business objectives.
Figure 6. Governance, risk management, and compliance (GRC).
From small and medium-sized enterprises (SMEs) to large enterprises, regardless of their products and services, a security metrics program is considered important to run within the organization. Security accomplishes defined security goals, maintains confidentiality, integrity and availability (CIA), meets compliance rules, conducts risk management and deals with local privacy and security laws.
Security metrics can be implemented with industry-standard benchmarking tools to lay out the security vision, identify and analyze the security gaps, measure the risks, and close them within the time frame defined by the executives.
Figure 7. IT-GRC management key capabilities.
Digital payment Ecosystem:
These are the entities involved in the payment card system.
Figure 8. Digital payment Ecosystem.
We discussed the compliance validation levels in Figure 4 and Figure 5. Every organization must then validate that all required controls and measures have been implemented according to the PCI DSS requirements. The following entities take part in a PCI DSS assessment.
1. Qualified Security Assessor (QSA):
QSA companies, and the QSA employees they sponsor, are approved by the PCI Council to conduct on-site assessments of Data Security Standard compliance. To qualify, a company must apply and meet demanding business, capability and administrative requirements. Detailed qualification requirements can be found on the PCI Council website.
1.1 Payment Application Qualified Security Assessors (PA-QSAs):
PA-QSAs assess payment applications under the Payment Application Data Security Standard (PA-DSS), the Council program that grew out of Visa Inc.'s Payment Application Best Practices (PABP) program.
Tip: to verify a QSA's credentials, use the QSA Employee Lookup on the PCI Council website.
1.2 PCI Forensic Investigators (PFIs):
PFI companies investigate suspected or confirmed cardholder data breaches. A PFI company must already be a QSA company with a dedicated forensic practice, and its investigators must hold the preferred qualifications and complete the Council's PFI training.
2. Internal Security Assessor (ISA):
A certified Internal Security Assessor (ISA) is an employee who has earned the certification from the PCI Security Standards Council on behalf of their sponsoring organization. ISAs cooperate with QSAs and are qualified to perform PCI self-assessments for their own organization. The program was designed to help Level 2 merchants meet Mastercard's compliance validation requirements, which call for a Level 2 SAQ to be completed by an ISA or for an on-site assessment by a QSA. ISAs are sponsored by their organization for the PCI SSC certification.
3. Self-Assessment Questionnaire (SAQ):
The self-assessment questionnaire (SAQ) is a "Yes or No" questionnaire that must be completed every year and submitted to the merchant's acquiring bank. It is a validation tool that lets merchants and service providers not required to undergo an on-site assessment demonstrate compliance. Several SAQ types exist (A, A-EP, B, B-IP, C, C-VT, P2PE and D), chosen by how the merchant handles card data; the less card data your systems touch, the shorter the questionnaire. Where a response is "No", the merchant must explain the gap and the plan to remediate it.
4. Report on Compliance (ROC):
A Report on Compliance (ROC) is the detailed report produced after an on-site assessment by a QSA (or ISA). It is required for all Level 1 merchants and Level 1 service providers, and it documents that the entity has been assessed against every PCI DSS requirement. The ROC confirms that the policies, strategies, procedures and internal workflows the standard demands have been developed and implemented by the organization.
Top 12 PCI-DSS REQUIREMENTS :
There are 12 requirements for building and maintaining a secure network and payment environment. We will run through each requirement in turn.
Figure 9.Top 12 PCI-DSS REQUIREMENTS.
Some of the requirements cover a vast spectrum of technology, policy and principle. PCI DSS was written to be comprehensive, so it spells out expectations for every part of the business; that clarity makes the job easier both for the companies that must comply and for the assessors who audit them. One of the best things about PCI DSS is that you can take its requirements and apply them beyond the confines of cardholder data.
One more thing to be aware of: never treat your subsidiaries as a lower level than the parent when they share card data (see Figure 4, total transactions per annum). For instance, suppose your parent organization is Level 1 (more than 6 million transactions per year), a subsidiary is Level 2 (1 to 6 million transactions per year), and the subsidiary shares its customers' payment card data with the parent. In that case, under Visa Inc.'s requirements the subsidiary is treated as Level 1, and you must perform the Level 1 assessment and audit for both parent and subsidiary; failing to do so leads to substantial fines. Many organizations have passed their compliance deadlines without validating, and they are at immense risk of fines and other unforeseen business consequences.
PROJECT QUICKSTART GUIDE:
Indeed, PCI DSS can seem like an overwhelming task to any individual. As the aphorism goes, "continuous practice is the name everyone gives to their experience". You may wonder where to start, or how to move through the compliance steps without a hitch. This section gets you on track in the right direction and gives you the first step toward making your organization compliant with PCI DSS; also do not forget to check Figure 9, the top 12 PCI-DSS requirements.
— — — — — — — Build and maintain a secure network — —— — — —
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
This requirement is easy to learn because PCI DSS guides you on what type of firewalls and routers to use and how to configure, maintain and protect them. The concepts of defense in depth and layered security best represent the idea of building and maintaining a secure network.
We will use the "layers of security" concept to understand where a firewall functions. A firewall examines all network traffic and blocks traffic that does not match the rules the administrator has defined; the safe default is to deny everything that is not explicitly allowed. Every system must be protected from unauthorized access from outside the network. Identify the untrusted paths into and out of the network: internal-to-external flows, email, applications, web browsers, dedicated connections, B2B links, wireless networks, outdated protocols and other sources.
Figure 10.Layers of security.
The outermost layer is physical security. The perimeter and network security layer contains the devices that secure your internal network infrastructure: firewalls, intrusion prevention and detection systems (IPS/IDS), and even switches with security functionality all contribute to this layer.
Next is endpoint security: host-based intrusion detection and prevention, anti-malware and anti-ransomware software, application control, and other measures such as patching and hardening of the operating systems.
The next layer is application security. Hardening of the application, access controls, and file or directory permissions are essential here.
The final layer is data security. Encrypting data at rest, in transit and in use is one of the most effective measures for protecting the CIA triad, and it is the layer an attacker who has penetrated all the others still has to defeat.
Scope and assessment of Requirement 1:
We will learn about the list of requirements, testing procedures, and guidance.
(i)Establish Firewall Configuration Standards.
(ii)Denying Traffic from Untrusted Networks and Hosts.
(iii)Restricting Connections.
(iv)Personal Firewalls.
(v)Other Considerations for Requirement 1.
Figure 11. Scope and assessment of Requirement 1.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters:
Internal and external threat actors routinely use vendor default usernames, passwords and other default parameters to compromise enterprise systems. These defaults are well known in attacker communities and are easily gathered from publicly available information, so every default must be changed before a system is connected to the cardholder data environment.
(i)Default Passwords.
(ii)Simple Network Management Protocol Defaults.
(iii)Delete Unnecessary Accounts.
(iv)Develop Configuration Standards.
(v)Implement Single Purpose Servers.
(vi)Configure System Security Parameters.
(vii)Encrypt Non-console Administrative Access.
(viii)Hosting Providers Must Protect Shared Hosted Environment.
Figure12.PCI-DSS Requirement 2-Scope & Assessment.
— — — — — — —— — Protect Cardholder Data — — — — — —— — —
Requirement 3: Protect stored cardholder data:
In this chapter we discuss the security principles (confidentiality, integrity and availability) and the protection approaches that should be implemented on any system that stores cardholder data. PCI DSS requires the primary account number (PAN) to be rendered unreadable wherever it is stored; the accepted methods are strong symmetric or asymmetric encryption, truncation, index tokens and one-way hashing, with masking applied whenever the PAN is displayed. These are critical components of a cardholder data protection policy; once you learn what they are and how to implement them alongside access controls, meeting this part of PCI compliance is straightforward.
Principles of Access Control:
(i)Confidentiality.
(ii)Integrity.
(iii)Availability.
(iv)Principle of least privilege.
Figure13.PCI-DSS Requirement 3-Protect stored cardholder data.
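As an added example (not code from the original article, the PCI SSC or any card brand), the Python helpers below show the storage-side protections named above as PCI DSS v3.2.1 Requirement 3 treats them: display masking (at most first six and last four digits, 3.3), truncation, and a keyed one-way hash of the entire PAN (3.4), plus a Luhn check so a PAN is validated before it is processed at all. The card number is the widely published Visa test PAN and the HMAC key is a hypothetical constant; in production the key comes from the key-management process Requirements 3.5 and 3.6 demand. Note the last helper: the standard warns that truncated and hashed versions of the same PAN must not be stored where they can be correlated.

```python
"""Requirement 3 helpers: validate, mask, truncate and hash a primary account number (PAN).

Added illustration for this article; not code from the PCI SSC or any card brand.
"""
import hashlib
import hmac
import re

# Constructed input. 4111 1111 1111 1111 is the widely published Visa test PAN, not a live card.
SAMPLE_PAN = "4111 1111 1111 1111"
# Hypothetical key for the keyed hash. A real deployment pulls this from an HSM or a
# key-management service and rotates it under Req. 3.6; it is hard-coded here only for the demo.
HASH_KEY = b"hypothetical-demo-key-do-not-use-in-production"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and enforce the 13 to 19 digit length range used for PANs."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, fold >9 to a single digit."""
    total = 0
    for i, ch in enumerate(reversed(normalize_pan(pan))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """Req. 3.3: when a PAN is displayed, show at most the first six and the last four digits."""
    d = normalize_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_for_storage(pan: str) -> str:
    """Req. 3.4 truncation: the middle digits are discarded, not hidden, so the record is no longer a PAN."""
    d = normalize_pan(pan)
    return d[:6] + d[-4:]


def keyed_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """Req. 3.4 one-way hash of the ENTIRE PAN. Keyed (HMAC-SHA256) so that someone who steals only
    the hash table cannot simply enumerate the 10^9 candidates left for a 16-digit PAN once the
    six-digit BIN is known and the Luhn check digit is derived (v4.0 3.5.1.1 makes the key mandatory)."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def safe_to_store_together(record: dict) -> bool:
    """Req. 3.4 note: truncated and hashed forms of the same PAN must not coexist where an attacker
    could pair them, because the hash then only has to be brute-forced over the missing middle
    digits (10^6 candidates for a 16-digit PAN). Returns False for that combination."""
    return not ("pan_truncated" in record and "pan_hash" in record)
```

`mask_for_display` is for screens and receipts only; the underlying storage should hold the truncated value, the keyed hash, or a ciphertext under a managed key, never the full PAN in the clear.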
Requirement 4: Encrypt transmission of cardholder data across open, public networks:
Cardholder data must be encrypted whenever it is transmitted over open, public networks, using strong cryptography such as TLS 1.2 or later; SSL and early TLS have not been acceptable since June 2018. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be easy targets for threat actors. Once such a weakness is discovered, it can be exploited to intercept card data in transit or to gain privileged access to the cardholder data environment.
Figure 14.PCI-DSS Requirement 4-Encrypt transmission.
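As an added example (not from the original article), here is the Requirement 4 point in code, using only the Python standard library: a constructed "before" client TLS configuration of the kind the requirement exists to stamp out, the hardened configuration beside it, and a small audit function that reports which of the three Requirement 4 properties (TLS 1.2 or later only, certificate verified, hostname checked) a context lacks. No network connection is made; the functions only build and inspect contexts.

```python
"""Requirement 4: client TLS settings for card data in transit, the weak shape beside the hardened one.

Added illustration for this article; assumes only the Python standard library.
"""
import ssl
from typing import List, Optional


def legacy_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: no certificate or hostname verification, so any on-path
    attacker can present their own certificate. Shown only for comparison; never deploy this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What Req. 4.1 expects after the June 2018 SSL/early-TLS sunset: TLS 1.2 or later only,
    server certificate chained to a trusted CA, hostname matched against the certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the Req. 4 findings for a context; an empty list means it passes these checks."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts SSL or early TLS (below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not verify the server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings
```

The same `minimum_version` setting applies to a server-side context; pair it with an external scan (a vulnerability scanner or TLS tester) because a context that looks right in code can still be undermined by an older OpenSSL build or a load balancer terminating TLS in front of it.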
— — — —— Maintain a Vulnerability Management Program — — — —
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs:
Figure 15.PCI-DSS Requirement 5: Protect all systems against Malware.
Requirement 6: Develop and maintain secure systems and applications:
A security exposure occurs when a threat actor, or a group, takes advantage of security vulnerabilities present in applications or platforms to gain privileged access to systems.
Security Risks of Open Source (so, act first, rest later):
These practices recommend that team members keep an eye on newly released modules, updates and notices in the community, find the patch and apply it. While you lag behind the latest version, adversaries can perform reconnaissance on your environment and launch an exploit. So, act first, rest later.
In both public and private sector organizations, the majority of software projects are built from third-party components and open-source tools.
Vulnerabilities therefore propagate through organizations faster than ever before, and tracking both commercial and non-commercial code and tools is crucial for a successful secure SDL.
Dependencies cannot be avoided in modern software projects: they reach from open-source libraries to operating systems, from the back end to the front-end user interface.
If you are new to secure SDLC practices, spend some time reading this article to get familiar with the concepts.
Figure 16.Requirement 6: Develop and maintain secure systems and applications.
— — — — — — Implement Strong Access Control Measures — — — —
Requirement 7: Restrict access to cardholder data by business need to know:
The primary focus is to ensure that critical data can only be accessed by authorized personnel. All systems and access processes must limit access on a "need to know" basis, according to job responsibilities.
This concept was used mostly by governments and in military operations. The restriction applies to information labelled sensitive, secret or top secret: even a person who holds a security clearance at the right level may not access a particular document unless they have a "need to know" it.
"Need to know" means that access rights are granted only to the least amount of data and the fewest privileges needed to perform a job.
Figure 17. Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components:
Assigning a unique identifier (ID) to each person with access ensures that each individual is uniquely accountable for their own good or bad actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes. This is crucial in the fintech industry.
The strength of a password is largely determined by the design and implementation of the authentication system: in particular, how many attempts an attacker can make before the account locks, and how passwords are protected at the point of entry, in transit, in use and at rest (PCI DSS expects them to be stored only as strong one-way hashes).
Figure 18. Requirement 8: Identify and authenticate access to system components.
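As an added example (not from the original article), the following Python implements the Requirement 8 controls the paragraph above refers to, using the v3.2.1 values: unique user IDs (8.1.1), lockout after at most six failed attempts (8.1.6) for at least 30 minutes (8.1.7), passwords stored only as salted slow one-way hashes (8.2.1), and a minimum of seven characters with both letters and digits (8.2.3). The account names, passwords and timestamps are constructed; `PBKDF2_ROUNDS` is deliberately low so the demo runs quickly and should be raised in production.

```python
"""Requirement 8 controls: unique IDs, one-way password hashing, attempt limits and lockout.

Added illustration for this article, using the PCI DSS v3.2.1 values for 8.1.6, 8.1.7, 8.2.1 and 8.2.3.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 6                     # Req. 8.1.6: lock the ID after not more than six attempts
LOCKOUT = timedelta(minutes=30)      # Req. 8.1.7: keep it locked for at least 30 minutes
MIN_LENGTH = 7                       # Req. 8.2.3: at least seven characters, letters and digits
PBKDF2_ROUNDS = 100_000              # kept low so the demo is quick; raise it in production


def password_meets_policy(pw: str) -> bool:
    """Req. 8.2.3: minimum length seven, containing both alphabetic and numeric characters."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Req. 8.2.1: never store the password itself, only a salted, slow, one-way hash of it."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []     # Req. 10.2.4: invalid access attempts must be logged

    def register(self, user_id: str, pw: str) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique (Req. 8.1.1)")
        if not password_meets_policy(pw):
            raise ValueError("password does not meet Req. 8.2.3")
        salt, digest = hash_password(pw)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def login(self, user_id: str, pw: str, now: datetime) -> bool:
        """'now' is passed in rather than read from the clock so the lockout window is testable."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self.audit_log.append(f"{now.isoformat()} FAIL unknown-id={user_id}")
            return False
        if acct.locked_until is not None and now < acct.locked_until:
            self.audit_log.append(f"{now.isoformat()} FAIL id={user_id} reason=locked")
            return False                   # a correct password does not unlock the account
        _, digest = hash_password(pw, acct.salt)
        if hmac.compare_digest(digest, acct.digest):   # constant-time comparison
            acct.failures, acct.locked_until = 0, None
            return True
        acct.failures += 1
        self.audit_log.append(f"{now.isoformat()} FAIL id={user_id} attempt={acct.failures}")
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT
            acct.failures = 0
        return False
```

Two details matter in practice: the lockout is enforced before the hash is computed, so a locked account cannot be used as a password oracle, and the audit log records every failure with a timestamp and user ID, which is what Requirement 10 will later expect to find.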
Requirement 9: Restrict physical access to cardholder data:
In this requirement, the primary aspect is restricting physical access to stored cardholder data, hard copies and devices. Employees appointed on premises carry the main responsibility for protecting it.
Figure 19. Requirement 9: Restrict physical access to cardholder data.
— — — — — — Regularly Monitor and Test Networks — — — — — —
Requirement 10: Track and monitor all access to network resources and cardholder data:
Security information and event management (SIEM) is a practical approach to the monitoring PCI DSS demands; it combines SIM (security information management) and SEM (security event management) functions in one security management system. A SIEM's ability to track normal and abnormal user activity is critical for the cardholder data in the system. Applying Bayes' theorem to SIEM data lets one estimate the probability that an alert reflects a real security incident, given prior knowledge of how often the triggering condition occurs under normal and under malicious circumstances.
Figure 20. Bayes’ theorem.
I love Bayes' theorem 😎, so I suggest it for your consideration. Any reason to hate it? I don't think so.
Figure 21. Requirement 10: Track and monitor all access to network resources and cardholder data.
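As an added example (not from the original article), the Python below does the two things the Requirement 10 discussion above describes. First it turns access-log lines into alerts for four of the v3.2.1 event classes a SIEM must be able to surface: bursts of invalid access attempts (10.2.4), individual access to cardholder data (10.2.1), actions by root or administrative accounts (10.2.2) and modification of the audit trail itself (10.5.2). Then it applies Bayes' theorem to an alert. The `key=value` log format, every line in `SAMPLE_LOG`, the host and user names, and the rates passed to `posterior()` are all constructed for the demo.

```python
"""Requirement 10 in practice: access-log lines to alerts, then weighing an alert with Bayes' theorem.

Added illustration for this article. The log format, every line in SAMPLE_LOG and the rates
given to posterior() are constructed for the demo, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2021-03-01T10:00:01Z host=pos-db1 user=alice action=login result=fail src=10.0.5.7
2021-03-01T10:00:03Z host=pos-db1 user=alice action=login result=fail src=10.0.5.7
2021-03-01T10:00:05Z host=pos-db1 user=alice action=login result=fail src=10.0.5.7
2021-03-01T10:00:06Z host=pos-db1 user=alice action=login result=fail src=10.0.5.7
2021-03-01T10:00:08Z host=pos-db1 user=alice action=login result=fail src=10.0.5.7
2021-03-01T10:00:09Z host=pos-db1 user=alice action=login result=success src=10.0.5.7
2021-03-01T10:02:00Z host=pos-db1 user=alice action=select table=cardholder rows=1200 result=success src=10.0.5.7
2021-03-01T10:30:00Z host=pos-db1 user=bob action=login result=fail src=10.0.9.2
2021-03-01T11:00:00Z host=pos-db1 user=root action=alter table=audit_log result=success src=10.0.9.2
"""

# Rule names keyed to the v3.2.1 sub-requirements they serve.
BURST = "10.2.4 invalid logical access attempts"
CHD_ACCESS = "10.2.1 individual access to cardholder data"
ADMIN = "10.2.2 action by root/administrative account"
TAMPER = "10.5.2 modification of audit trail"

Event = Dict[str, str]
Alert = Tuple[str, str, str]   # (rule, user, timestamp)


def parse_line(line: str) -> Event:
    """'<timestamp> k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = ts
    return event


def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           threshold: int = 5) -> List[Alert]:
    """Evaluate each event in order against the four rules; events may fire more than one rule."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = e.get("user", "?")
        if e.get("action") == "login" and e.get("result") == "fail":
            fails = recent_fails[user]
            fails.append(ts)
            fails[:] = [t for t in fails if ts - t <= window]   # slide the window forward
            if len(fails) >= threshold:
                alerts.append((BURST, user, e["ts"]))
                fails.clear()                                   # one alert per burst, not per failure
        if e.get("table") == "cardholder":
            alerts.append((CHD_ACCESS, user, e["ts"]))
        if user == "root" and e.get("action") != "login":
            alerts.append((ADMIN, user, e["ts"]))
        if e.get("table") == "audit_log" and e.get("action") in ("alter", "update", "delete", "drop"):
            alerts.append((TAMPER, user, e["ts"]))
    return alerts


def posterior(prior: float, p_evidence_if_attack: float, p_evidence_if_benign: float) -> float:
    """Bayes' theorem: P(attack | evidence) = P(evidence | attack) * P(attack) / P(evidence)."""
    p_evidence = prior * p_evidence_if_attack + (1 - prior) * p_evidence_if_benign
    return prior * p_evidence_if_attack / p_evidence
```

The Bayes step is where the base rate bites: if one login in a hundred is malicious (prior 0.01), and a five-failure burst precedes 90% of attacks but also 5% of ordinary forgotten-password sessions, `posterior(0.01, 0.9, 0.05)` is only about 0.15. The burst on its own therefore warrants a look, not an incident declaration; the later bulk read of the `cardholder` table by the same user is the evidence that moves the estimate.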
PCI-DSS-Requirement 11: Regularly test security systems & processes:
A penetration test is an authorized, simulated attack against your systems, applications or networks, performed to evaluate their security posture. Its objective is to uncover existing or potential vulnerabilities resulting from coding errors, system configuration faults or other operational deployment weaknesses. Beyond the test itself, the review should cover:
(a) Threats and vulnerabilities that exist in the project's environment.
(b) Any external code from other sources, which must be evaluated carefully: code the team does not understand is likely to introduce security vulnerabilities.
(c) High-risk (P1) vulnerabilities and privacy projections, which should be discussed with a privacy subject-matter expert (SME).
(d) A detailed privacy analysis documenting your project's key privacy aspects:
(i) What personal data is collected?
(ii) What is the compelling user value proposition and business justification?
(iii) What notice and consent experiences are provided?
(iv) What controls are provided to users and enterprises?
(v) How is unauthorized access to personal information prevented?
Figure 22. PCI-DSS-Requirement 11: Regularly test security systems & processes.
— — — — — Maintain an Information Security Policy — — — — —
Requirement 12: Maintain a policy that addresses information security for all personnel:
A strong security policy is crucial for every public and private entity around the globe. The major purpose of this requirement is to make everyone understand the sensitivity of cardholder data and the responsibilities they hold for it.
Figure 23. Requirement 12: Maintain a policy that addresses information security for all personnel.
CONCLUSION:
This article served as a simplified guide: it gave some background on why the PCI council was created, described its objectives, and outlined the 12 requirements of the PCI DSS compliance standard. Remember, you will probably need to adjust the milestones for each requirement to fit your company's current PCI DSS compliance plan.
When you start your compliance planning project, check and follow up with the PCI council's website and the most recent version of the requirements published there, and apply them to your organization, because this article does not cover the entire set of PCI DSS requirements, guidance and scenario-based definitions.
Bye for now (adiós por ahora)!!!
— — — — — — — — — — — — — -THE END — — — — — — — — — — —
Quote of the day: 已所不欲,勿施于人 (yǐ suǒ bú yù ,wù shī yú rén).
Explanation: Never impose on others what you would not choose for yourself.
Thanks for reading!
Have a pleasant day!