Syrinx Technologies PCI Information
PCI DSS = Payment Card Industry Data Security Standard
SSC = Security Standards Council
Basically, if you process, transmit or store cardholder data you are obligated to meet ALL of the requirements. The standard is organized into 6 goals and 12 requirements. Your merchant level, which determines how you must validate compliance, is set by the number of transactions your organization processes.
News:
- The PCI DSS, PA-DSS, and the PA-DSS Program Guide version 1.2, launched last October, are now all updated to version 1.2.1. As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1. Get more information here.
- On 3/31/2009, the PCI SSC updated their "Prioritized Approach for DSS 1.2". This Excel spreadsheet helps organizations better track their compliance progress. You can get more information here.
- Version 1.2 of the PCI DSS standards was released. Check out the following PDF for more details on the changes. Look at the FAQ below for a short summary of the changes.
- The release date for Version 1.2 is now October 1, 2008. There will be some clarification of existing requirements and removal of some overlapping requirements. A new questionnaire will also be released. The effective date for compliance will be October 1, 2008.
- On May 14, 2008, the PCI Security Standards Council announced the new release date for Version 1.2 of the PCI DSS. The new release date will be October 2008.
- On April 22, 2008, the PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts. Both information supplements are now available on the Council’s website at https://www.pcisecuritystandards.org/tech/supporting_documents.htm.
- Version 1.2 of the PCI DSS will be released on June 30, 2008. It will add an application firewall requirement to sections 6.5/6.6.
- The revised compliance date for Level 2 merchants has been extended from December 30, 2007 to March 31, 2008.
PCI FAQ
- What are the 5 Stages of PCI Grief?
- What is cardholder data?
- What can never be stored, even if encrypted?
- What are the 12 requirements?
- Where can I go for more information?
- Are penetration tests required? If so, who can perform them?
- What's the difference between a QSA and an ASV?
- What is the latest version of the Self-Assessment Questionnaire (SAQ)? When did it become effective?
- Am I liable if my credit card processor is breached?
- Are there different ways to satisfy requirement 6.6?
- I understand there are 4 different Self-Assessment Questionnaires (SAQ). Which one is right for me?
- What are the most important changes in Version 1.2 of the DSS?
- Does PCI compliance apply to non-profit organizations?
- What is MOTO?
- What's the difference between PED and EPP?
- What's the difference between compliance and validation?
- What wireless standard for encryption is required?
- Where can I get more information on wireless requirements?
Q: What are the 5 Stages of PCI Grief?
A:
- Denial (This doesn't apply to my firm)
- Anger (This isn't fair)
- Bargaining (Maybe it does apply to my firm)
- Depression (How much will this cost)
- Acceptance (This is a good thing)
Q: What is cardholder data?
A:
- Cardholder data:
  - Primary Account Number (PAN)
  - Cardholder Name
  - Expiration Date
  - Service Code
- Sensitive Authentication Data:
  - Full magnetic stripe data
  - Card Validation Code/Value
  - PIN
Q: What can never be stored, even if encrypted?
A:
- Full magnetic stripe
- Card Validation Code/Value
- PIN/PIN block
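The two answers above draw a line between cardholder data that may be kept if protected (the PAN) and sensitive authentication data that may never be stored. The scanner below is an added example, not code from Syrinx Technologies or the PCI SSC: it checks stored records or log lines for track data, card validation codes and PIN blocks, and separately reports bare PANs. Track layouts follow ISO/IEC 7813; the field names matched for CVV and PIN values (`cvv2`, `pin_block`, etc.) are assumptions, as are the sample records.

```python
import re
# Added example (not from the page). Track layouts follow ISO/IEC 7813;
# the CVV/PIN field names matched below are assumptions, not from the DSS.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?\s]*\??")  # %B<PAN>^NAME^YYMM...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}[^?\s]*\??")                # ;<PAN>=YYMM...?
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\b\W{0,3}(\d{3,4})\b", re.I)
PIN_FIELD = re.compile(r"\b(pin_?block|pin)\b\W{0,3}([0-9a-f]{4,16})\b", re.I)
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
NEVER_STORE = {"track1", "track2", "cvv", "pin"}  # sensitive authentication data

def luhn_ok(digits):
    """Mod-10 check carried by real card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan):  # report only the first six and last four digits
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(text):
    """Return (category, detail) findings for one stored record or log line."""
    findings = []
    for cat, pat in (("track1", TRACK1), ("track2", TRACK2),
                     ("cvv", CVV_FIELD), ("pin", PIN_FIELD)):
        for m in pat.finditer(text):
            v = m.group(1)
            findings.append((cat, mask_pan(v) if v.isdigit() else v.lower()))
    # Strip track data already reported, then flag bare PANs: storable, but only if protected
    rest = TRACK2.sub(" ", TRACK1.sub(" ", text))
    for m in PAN_CANDIDATE.finditer(rest):
        if luhn_ok(m.group(0)):
            findings.append(("pan", mask_pan(m.group(0))))
    return findings

def must_not_be_stored(text):
    """True when the record contains data the DSS says may never be stored."""
    return any(cat in NEVER_STORE for cat, _ in scan_record(text))

# Constructed sample records (standard test card numbers, made-up field values).
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 amt=19.99",
    "swipe=%B4111111111111111^DOE/JOHN^25121010000000000?",
    "swipe=;5500000000000004=2512101?",
    "auth cvv2=123 result=approved",
    "pin_block=0412AC89B3F4D2E1 term=7",
    "order=55 ref=12345678901234 status=ok",
]
```

Run `scan_record` over a database export or application log; any record for which `must_not_be_stored` returns True is a storage violation regardless of encryption, while a bare `pan` finding means requirement 3 controls (masking, truncation or encryption) must apply.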
Q: What are the 12 requirements?
A:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Q: Where can I go for more information?
A:
- PCI Security Standards
- VISA Cardholder Information Security Program (CISP)
- Mastercard Site Data Protection Program
- Discover Information Security & Compliance
- JCB Global Site
- American Express Data Security
- Ten Common Myths of PCI DSS
Q: Are penetration tests required? If so, who can perform them?
A: Yes, penetration tests are required for any systems or networks that store, process or transmit cardholder data, according to PCI DSS requirement 11.3. The minimum frequency for testing is annual. The tests can be performed by any competent firm offering penetration testing, or the company can use internal resources if they are qualified. The outside firms do not have to be ASV or QSA certified. The testing is limited to those computing resources associated with the cardholder data.
Q: What's the difference between a QSA and an ASV?
A: A Qualified Security Assessor (QSA) is a firm certified by the PCI Security Standards Council to perform the annual audits required for Level 1 Merchants. An Approved Scanning Vendor (ASV) is certified to perform the quarterly scanning required by all levels.
Q: What is the latest version of the Self-Assessment Questionnaire (SAQ)? When did it become effective?
A: The latest version of the SAQ is version 1.2. It was released in October 2008.
Q: Am I liable if my credit card processor is breached?
A: It depends, but it is certainly possible. If you use a third-party service provider to process your credit card transactions, it is your responsibility to ensure they are PCI compliant. If they aren't and they are breached, you can be held liable as well. There are known cases of this happening.
Q: Are there different ways to satisfy requirement 6.6?
A: Possibly. Depending on your situation, one of the following may satisfy the requirement:
- Perform a code review of all in-house developed web applications.
- Run all web application code through automated code analysis tools.
- Perform a manual penetration test on each web application.
- Purchase and install an application layer firewall in front of each web server.
Q: I understand there are 4 different Self-Assessment Questionnaires (SAQ). Which one is right for me?
A: Please refer to the following table:
| SAQ Validation Type | Description | SAQ |
|---|---|---|
| 1 | Card-Not-Present (e-Commerce or MOTO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no cardholder data storage. | B |
| 3 | Stand-alone dial-up terminal merchants, no electronic cardholder data storage. | B |
| 4 | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. | C |
| 5 | All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ. | D |
Q: What are the most important changes in Version 1.2 of the DSS?
A:
- Removed requirement to disable broadcast wireless SSID.
- For new wireless implementations after March 31, 2009, WEP is prohibited.
- For existing wireless implementations, WEP is prohibited after June 30, 2010.
- Included Unix-based systems in anti-virus requirement.
- Under 11.3, clarified rule that both internal and external testing is required.
Q: Does PCI compliance apply to non-profit organizations?
A: Yes. Neither the PCI SSC nor the acquiring banks are likely to give you a free pass just because your stated goal is to be a non-profit organization. The liability and risks still exist and need to be addressed. In fact, because you are a non-profit organization, the effects of a data breach could be even more damaging to your business due to the fines and other possible penalties.
Q: What is MOTO?
A: MOTO = Mail Order/Telephone Order. This refers to merchants who take credit card data either by mail or over the phone.
Q: What's the difference between PED and EPP?
A: PED = PIN Entry Device. This device is the familiar "card swipe" at a merchant location. It usually contains a PIN pad (keypad), display and a card reader. EPP = Encrypting PIN Pad (keypad). An EPP is typically located at an ATM and does not contain a display or card reader. The PCI DSS has technical requirements for both PED and EPP devices.
Q: What's the difference between compliance and validation?
A: Compliance is the process of implementing the security controls and policies required by the standard. Validation is the process of proving that you are compliant. PCI compliance requires both functions to be performed.
Q: What wireless standard for encryption is required?
A: For new wireless implementations, WEP is prohibited after March 31, 2009. For existing wireless implementations, WEP is prohibited after June 30, 2010.
Q: Where can I get more information on wireless requirements?
A: The PCI SSC has released a PDF detailing Wireless Guidelines for PCI compliance. Read more here.
