PCI - Last update: 06/07/2008

PCI DSS = Payment Card Industry Data Security Standard

Basically, if you process, transmit or store cardholder data you are obligated to meet the requirements. There are 6 goals and 12 requirements to the standard. Your level of compliance is determined by the number of transactions your company processes.


News:

  • On May 14, 2008, the PCI Security Standards Council announced the new release date for Version 1.2 of the PCI DSS. The new release date will be October, 2008.
  • On April 22, 2008, the PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts. Both information supplements are now available on the Council’s website at https://www.pcisecuritystandards.org/tech/supporting_documents.htm.
  • Version 1.2 of the PCI DSS will be released on June 30, 2008. It will add an application firewall requirement to sections 6.5/6.6.
  • The revised compliance date for Level 2 merchants has been extended from December 30, 2007 to March 31, 2008.

PCI FAQ


Q: What are the 5 Stages of PCI Grief?
A:
  • - Denial (This doesn't apply to my firm)
  • - Anger (This isn't fair)
  • - Bargaining (Maybe it does apply to my firm)
  • - Depression (How much will this cost)
  • - Acceptance (This is a good thing)
TOP

Q: What is cardholder data?
A:
  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code
  • Sensitive Authentication Data
    • Full magnetic stripe data
    • Card Validation Code/Value
    • PIN
TOP

Q: What can never be stored, even if encrypted?
A:
  • Full magnetic stripe
  • Card Validation Code/Value
  • PIN/PIN block
TOP

Q: What are the 12 requirements?
A:
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
TOP

Q: Where can I go for more information?
A:

TOP

Q: Are penetration tests required? If so, who can perform them?
A: Yes, penetration tests are required for any systems/networks that participate in storing, processing or transmitting data, according to PCI Standard 11.3. The minimum frequency for testing is annually. The tests can be performed by any competent firm offering penetration testing or the company can use internal resources if they are qualified. The outside firms do not have to be ASV or QSA certified. The testing is limited to those computing resources associated with the cardholder data.

TOP

Q: What's the difference between a QSA and an ASV?
A: A Qualified Security Assessor (QSA) is a firm certified by the PCI Security Standards Council to perform the annual audits required for Level 1 Merchants. An Approved Scanning Vendor (ASV) is certified to perform the quarterly scanning required by all levels.

TOP

Q: What is the latest version of the Self-Assessment Questionnaire (SAQ)? When did it become effective?
A: The latest version of the SAQ is version 1.1. It was released on February 6, 2008.

TOP