What is PCI DSS? What are the PCI standards? PCI DSS fines
Fines for failing to meet PCI DSS requirements
In every article we say that the requirements of the PCI DSS standard must be met by all companies involved in the payment card industry.
But what happens if the requirements of the standard are not met?
In this article we look in detail at the possible consequences of failing to comply with the PCI DSS requirements.
The international payment system VISA has issued a bulletin reminding companies to comply with the Visa Cardholder Information Security Program (CISP) and Account Information Security (AIS) programmes, which make PCI DSS certification mandatory.
The bulletin was issued on 31 July 2014 specifically for all companies that take part in the payment card industry: financial institutions, service providers, merchants and others.
It is very important to note the following: with this bulletin VISA informed all participants in the payment card industry that an enhanced PCI DSS Enforcement Plan would take effect from 1 January 2015.
What does this PCI DSS compliance plan say?
Under the plan, from 1 January 2015 financial institutions connected to the VISA payment system (hereafter VISA clients) must request from their merchants, agents or service providers documentation (a Report on Compliance, an Attestation of Compliance, a Self-Assessment Questionnaire, or a Remediation Plan for correcting non-compliance with the PCI DSS requirements) confirming that the service provider or merchant has undergone a PCI DSS compliance assessment.
In essence, this is confirmation that the service provider or merchant meets all the requirements of the PCI DSS standard. The documentation must be provided to the VISA payment system.
But what happens if the entities discussed above have not been certified and do not meet the requirements of the PCI DSS standard?
From 1 January 2015, under VISA's requirements (the PCI DSS Enforcement Plan), sanctions, including fines, may be applied to service providers and merchants that have not undergone a PCI DSS compliance assessment and certification.
Let us look more closely at the sanctions that may be applied to companies that fail to validate their PCI DSS compliance on time.
Days overdue, 1 to 60:
A company listed in the Visa Global Registry of Service Providers is highlighted in yellow. This does not apply to service providers or merchants whose PCI DSS compliance validation requires completing Self-Assessment Questionnaire (SAQ) D.
VISA clients must notify their merchants, agents and service providers that they must provide documentation confirming that the service provider or merchant has obtained PCI DSS certification, or a Remediation Plan for correcting non-compliance with the standard.
Days overdue, 61 to 90:
A company listed in the Visa Global Registry of Service Providers is highlighted in red. This does not apply to service providers or merchants whose PCI DSS compliance validation requires completing Self-Assessment Questionnaire (SAQ) D.
Days overdue, 91 to 180:
The company is removed from the Visa Global Registry of Service Providers. This does not apply to service providers or merchants whose PCI DSS compliance validation requires completing Self-Assessment Questionnaire (SAQ) D.
What is PCI DSS? What are the PCI standards? – 24 Solutions
In answer to questions such as what PCI DSS is and how PCI DSS services are obtained in Turkey, 24 Solutions, a leader in its sector, carries out all the compliance and audit work you need. PCI DSS stands for Payment Card Industry Data Security Standard, rendered in Turkish as Ödeme Kartları Endüstrisi Veri Güvenliği. Thanks to this standard, which is used worldwide, card payments are made securely and effective protection is provided against fraud and counterfeiting. The system, established by the council known as the PCI SSC, whose members include Visa, MasterCard, American Express, Diners Club and JCB, is both technical and operational.
PCI DSS applies not only to merchants and banks that process credit card transactions but also to every service provider that stores or transmits cardholder data. In other words, companies that do not comply with the PCI DSS standards, which were created to keep cardholders' data safe, cannot sell by credit card. Companies that do not comply must make the necessary updates as soon as possible; otherwise they may face sanctions up to and including suspension of their authorisation.
Payment cards subject to PCI DSS audit
When payment cards are mentioned, one should not think only of credit cards: debit cards, known in Turkey under names such as para kart, salary card, bank card and tele kart, and giving access to current accounts at the bank, must also comply with the PCI DSS standards. Through PCI DSS services, the information held on payment cards simplifies the Authentication and Authorization steps of the security between the individual, the institution and the bank, giving cardholders a secure and convenient means of payment.
Thanks to the PCI DSS standards, data security is provided at the maximum level. Data security means Confidentiality, Integrity and Availability. When these elements are effectively reflected in the payment system, data security in card-based shopping systems is also ensured.
PCI DSS is a vital matter for every e-commerce site that accepts credit cards, every payment infrastructure provider and every bank; in short, for every business that holds credit card data. Businesses that allow credit card transactions, pass card data through their systems or store such data must comply with the PCI DSS standards, that is, meet its requirements.
How is PCI DSS compliance achieved?
Achieving PCI DSS compliance requires going through three basic processes:
- Analyse how card payments are processed.
- Identify all data flows that occur during card transactions.
- Determine whether cardholders' sensitive data is used securely.
- Determine which cardholder data is held and how it is stored.
- Investigate the risk of cardholder data falling into third parties' hands and scan for existing vulnerabilities.
- Carry out the necessary remediation.
- After the vulnerability scan, close the vulnerabilities that were found.
- Ensure that cardholder data is not used except where necessary.
- Within the PCI DSS framework, carry out auditing and certification in line with the standard at the intervals specified in the compliance validation requirements.
PCI DSS, a standard developed for the use, protection, storage, authorisation and transmission of data, consists of 12 basic requirements defined under 6 main criteria:
A. Build and maintain a secure network
1. Install and configure a firewall to protect card data
2. Do not use vendor-supplied default passwords on any software or hardware in the system
B. Protect cardholder data
3. Store card data securely
4. Encrypt card data sent over public networks
C. Maintain a vulnerability management programme
5. Update security software regularly
6. Develop secure systems and applications, and keep development continuous
D. Implement strong access control
7. Restrict access to card data within the business
8. Give every user their own account and require them to log in with it
9. Physically restrict access to card data
E. Regularly monitor and test
10. Monitor all access to card data and to the network
11. Test security systems and processes continuously
F. Maintain an information security policy
12. Apply a sustainable information security policy covering all staff
Businesses obliged to comply with the PCI DSS standards must be audited by QSAs (Qualified Security Assessors) authorised by the PCI council. These businesses must also obtain on-site assessment services from QSA firms and validate their PCI DSS compliance by performing vulnerability and network scans every three months. If you too want to become PCI DSS compliant, our experienced QSAs can carry out your PCI DSS audit.
What is PCI DSS? – Hassas Veri
In short, PCI DSS, as its name Payment Card Industry Data Security Standards tells us, can be translated into Turkish as Ödeme Kartları Endüstrisi Veri Güvenliği Standartları. Let us try to understand this long name by breaking it into its parts.
Payment cards commonly come in two kinds. The first that comes to mind is the credit card, which almost everyone carries today (often from more than one bank, sometimes enough to count as a collection). The other is the debit card, known in Turkey by names such as para kart, tele kart and salary card, which gives access to our current accounts at the bank.
Both are printed on a plastic card and carry
- physical information (our name, card number, bank name, images, etc.),
- magnetic-stripe information (our name, card number, bank account number, customer number, CVV, etc.) and
- encrypted chip information (our name, card number, customer number, account number, PIN, CVV, etc.),
and are designed to be a flexible, convenient means of use and payment for their holder by simplifying the Authentication and Authorization steps of the security between the individual, the institution and the bank.
The industry consists of for-profit companies or institutions whose line of business is directly tied to payment cards, which offer them to customers as a service and earn revenue from them. Examples are the payment card brands American Express (AMEX), MasterCard, Visa, Discover and JCB.
Data security is really a general term; in summary, it is the principle of protecting data through the design of Confidentiality, Integrity and Availability (the CIA triad).
Standard is also a general term: predefined paths or methods for reaching our goal. Its role here is the design made to reach the goal stated by the five words that precede it (Payment Card Industry Data Security). Other benefits of a standard are that it is measurable and creates a common language for everyone.
Globalisation, the spread of the internet, digitalisation and the transformation into an information society have brought some side effects with them. Technology has advanced very fast; in today's hectic pace of life, taking advantage of it has become a lifeline for most people, and products and services promising convenience and entertainment have brought many security risks with them. Our maturity has not kept up with the speed of technology; unfortunately, much experience has been gained by trial and error, and many governments, institutions, businesses and individuals have been harmed in the process.
Many organisations that were in the Fortune 500 in the 1980s were overtaken by competitors because they could not keep pace with digital transformation and remain only as entries in the history books; those that stayed on the list began to develop methods to combat the risks and threats of the new digital world and to strengthen their defences. As a result of the information security incidents that have occurred, information security risks have now secured a firm place on organisations' risk registers.
The first organisation to take the initiative on payment card security was Visa, which launched its CISP (Cardholder Information Security Program) in the United States in 2000 and made it mandatory for all its merchants in 2001. In 2004 MasterCard and Visa published PCI DSS v1.0 as the first release, and in 2006 the PCI SSC (Security Standards Council) was founded so that the standard could be matured by independent industry professionals. The PCI SSC has carried the standard through to the present day and continues to develop it.
PCI DSS history
See you in the next article; stay well.
PCI DSS Compliance Frequently Asked Questions
PCI DSS is a fact of life for any organization that transmits, processes, or stores payment card data. But achieving and maintaining PCI compliance requirements can be challenging and time-consuming.
This list of frequently asked questions has been compiled from thousands of PCI engagements with organizations of all sizes and aims to answer the many questions and situations that our clients have run into in the past when achieving and maintaining PCI compliance.
What is the Payment Card Industry Data Security Standard, or PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards designed to protect payment card data. Intended to create an additional level of protection for consumers and reduce the risk of data breaches involving personal cardholder data, the standards comprise 12 broad requirements and, collectively, more than 200 line-item requirements. The 12 broad requirements can be grouped into six key areas: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy.
Any organization that transmits, stores or processes primary account numbers (PAN) is required to comply with the PCI DSS. In addition, where other cardholder data is stored, processed or transmitted with PAN it must also be protected. Cardholder data includes Primary Account Numbers (PAN), Cardholder name, Expiration Date and Service Codes. Another type of data, known as Sensitive Authentication Data (SAD), is also covered by PCI DSS, but generally the storage of SAD is prohibited. Compliance with the DSS requirements is mandatory, regardless of the size of the merchant or the number of card transactions they process each year. You may be required to complete PCI reporting documentation even if outsourcing your payment card processing to a third party.
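The distinction above between cardholder data (PAN, which may be stored but must be protected) and Sensitive Authentication Data (which must not be stored at all) is a common source of findings in application logs. The following Python is an added example, not code from any of the pages quoted here: it masks Luhn-valid PANs in log lines and flags lines that look like they carry SAD. The first-six/last-four masking form, the CVV/PIN field names and the track-data layouts are assumptions, and the sample log lines are constructed.

```python
"""Scan application log lines for PANs (masked) and for apparent Sensitive
Authentication Data (flagged). Added example; masking form and SAD patterns
are assumptions, not taken from the PCI DSS text."""
import re
from typing import Dict, List, Tuple

# Candidate PANs: 13-19 plain digits, or common 4-4-4-4 / 4-6-5 groupings.
# The digit lookarounds stop a PAN-length window inside a longer number from
# matching, so a 20-digit reference id is not chopped into a "card number".
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{13,19}"
    r"|\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}"
    r"|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)"
)

# Heuristics for SAD, whose storage after authorisation PCI DSS prohibits.
# Field names and track layouts are assumed for this example.
SAD_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "cvv": re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}"),
    "pin": re.compile(r"(?i)\bpin(?:block)?\b\s*[:=]\s*\S+"),
    "track1": re.compile(r"%B\d{13,19}\^"),   # %B<PAN>^NAME^...
    "track2": re.compile(r";\d{13,19}=\d{4}"),  # ;<PAN>=YYMM...
}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check; filters most order ids and timestamps out of candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (assumed permitted display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with Luhn-valid PANs masked, plus the PANs that were found."""
    found: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw            # card-shaped but fails mod-10: leave it alone
        found.append(digits)
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), found


def find_sad(line: str) -> List[str]:
    """Names of the SAD patterns that match the (unmasked) line."""
    return [name for name, pat in SAD_PATTERNS.items() if pat.search(line)]


def scan_log(lines: List[str]) -> List[dict]:
    """One finding per line that carries a PAN or apparent SAD."""
    findings = []
    for n, line in enumerate(lines, 1):
        masked, pans = redact_line(line)
        sad = find_sad(line)
        if pans or sad:
            findings.append({"line": n, "masked": masked, "pans": len(pans), "sad": sad})
    return findings


# Constructed sample log; the card numbers are the usual public test PANs.
SAMPLE_LOG = [
    "2024-01-15T10:02:11 INFO auth ok order=20240115000123 card=4111111111111111 amt=10.00",
    "2024-01-15T10:02:12 DEBUG gateway raw track=;4111111111111111=25121015432112345678?",
    "2024-01-15T10:03:40 INFO refund order=20240115000124 amt=5.00",
    "2024-01-15T10:04:02 WARN form dump cvv=123 exp=12/25",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Lines 1 and 2 are reported with the PAN masked, line 2 and line 4 are additionally flagged for track-2 and CVV data, and the 14-digit order ids on lines 1 and 3 are left untouched because they fail the Luhn check.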
What is the role of the PCI Security Standards Council?
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 600 participating organizations that represent merchants, banks, processors and vendors worldwide. It is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
Enforcement of compliance with the PCI standards and determination of non-compliance penalties are carried out by the individual payment card brands.
Where can I find the list of PCI DSS requirements?
For more information on the PCI DSS requirements and updates, visit the PCI Council website. This website has useful information about the PCI Security Standards Council, the complete PCI DSS requirements for merchants, vendors and security consulting companies, and the Council's certification and merchant support services. It also has regular updates on changes to the PCI requirements and upcoming PCI Council events.
Are there any benefits to PCI DSS compliance?
By properly implementing the PCI DSS and achieving and maintaining compliance, merchants can improve their overall security posture and avoid costly fines and data breaches. They can be better prepared to prevent and detect a host of attacks against their information assets, both at the network and physical level. PCI compliance can improve operational efficiency by ensuring that policies are defined and procedures are documented so that employees know what they should be doing and how to do it. Controls, policies and procedures developed for PCI can be rolled out across the organization to spread the security benefits and reap the greatest return on investment from a PCI compliance project. While compliance does not equal security, the PCI standards can serve as a starting point and framework for organizations that wish to create a more secure environment and better protect their customers.
What kinds of organizations may be impacted by PCI DSS compliance standards?
Any organization that transmits, processes or stores payment card data - debit and credit cards included - must comply with the PCI standards. This includes financial institutions, such as banks, insurance companies, lending agencies and brokerage firms. It also includes all kinds of merchants, from medical and dental offices to pharmacies, hospitals, schools and universities, clothing stores, government agencies, cafes, restaurants, and ecommerce companies. It even affects individuals that accept payment cards for purchases, such as those at a farmer's market, food truck or crafts fair.
It also includes service providers such as transaction processors, payment gateways, customer call centers, web hosting providers and data centers, among others.
In addition to the requirements laid out in the PCI Data Security Standard (PCI DSS), the PCI Council has created programs specifically for software developers as well as hardware and device manufacturers, including the Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) program.
Who enforces the PCI DSS requirements?
Although the PCI DSS requirements are developed and maintained by an industry standards body called the PCI Security Standards Council (SSC), the standards are enforced by the five payment card brands: Visa, MasterCard, American Express, JCB International and Discover. Each brand provides its own compliance guidelines, reporting and validation requirements, deadlines, brand-specific definitions and penalties for noncompliance. Please contact your merchant bank for its specific validation requirements and deadlines. Service providers should seek advice directly from the individual card brands.
Why is PCI DSS compliance important?
PCI DSS compliance is important for many reasons. Failure to comply with PCI requirements can lead to steep fines and penalties levied by the card brands, revocation of credit card payment services or even suspension of accounts. Security oversights can also leave merchants vulnerable to costly and damaging data breaches. Besides making headline news, data breaches can lead to lawsuits, remediation costs and irreparable damage to a merchant's reputation.
In addition to making headline news and increasing the risk of identity theft, data breaches and non-compliance can lead to significant fines and penalties. Fines can range from $2,000 to more than $100,000 per month for PCI compliance violations, plus additional fines for repeat violations, depending on the merchant’s acquiring bank. The banks typically pass such fines on to merchants.
If cardholder data is compromised, merchants may also be subject to fraud losses incurred from the use of the compromised account numbers, the cost of re-issuing cards associated with the compromise, and the cost of any additional fraud prevention or detection activities required by the card associations (i.e., a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e., additional monitoring of system for fraudulent activity). Although fines and penalties are not widely publicized, they can be catastrophic to a small business and cause a great deal of inconvenience and expense to larger organizations. Fines are usually based on number of card records stolen, and may vary depending on payment card brand. In short, if you suffer a breach, you won't like the consequences.
A payment processor that is liable for fines may choose to pass those on to their customers through a similar mechanism, such as higher transaction fees or service charges.
Do the PCI DSS compliance requirements apply to merchants outside the U.S.?
Yes, the PCI DSS requirements apply to all merchants, even those outside the U.S. The difference is that historically enforcement has been stricter in the U.S. As enforcement rates in the UK and Europe increase, and stricter laws around customer notification of data breaches are enacted by many countries, global PCI compliance rates are expected to increase accordingly. As part of the open standards development process, the PCI Council solicits input on the standards from its global stakeholders through a variety of avenues, including a formal feedback period.
Do the PCI DSS requirements apply to just large organizations?
No, the PCI requirements apply to all organizations that transmit, process or store data, including those that have a limited number of transactions. Although outsourcing some or all of your payment processes may simplify them and reduce what is in scope for PCI compliance, you cannot ignore it. You need to have policies and procedures in place to protect cardholder data when you get it, as well as when you process charge backs and refunds. Your payment card issuer may also require you to ensure that providers' applications and card payment terminals are PCI compliant. While the payment card issuers initially focused enforcement efforts on Level 1 merchants, they have increased enforcement for Level 2 through 4 merchants in the past few years.
What happens to a small business when they don't know enough about PCI DSS and suffer a breach?
It is important for small businesses to understand PCI compliance, not just to protect their customers, but to protect their business. Although many small businesses don't have security expertise or dedicated in-house resources, they must still comply with PCI standards. When a small business is compromised, it may immediately be treated as a Level 1 merchant by the payment card brands and thus subject to greater levels of examination and assessments, including hiring a QSA to conduct a PCI assessment and issuing a Report on Compliance (ROC). It may face increased fines from the payment brands or their acquirer, be required to submit to a detailed forensics investigation, and lose customer trust, any of which may put it out of business. Whether it is commercially sensitive information or intellectual property designs that criminals are after, any size of organization can be targeted. Smaller firms may also be targeted as a means to get to partners, such as larger companies that have a bigger store of financial details.
What are the PCI DSS compliance validation requirements for different merchant levels?
In addition to meeting the security requirements of PCI DSS, merchants and service providers must also validate their compliance each year, as outlined in the table below. All merchants and service providers, regardless of where they are based, must submit a passing vulnerability scan performed by an Approved Scanning Vendor (ASV) regardless of their size or the number of credit card transactions they process each year.
Level 1 merchants (greater than 6 million transactions per year) and Level 1 service providers (greater than 300,000 transactions per year) must also undergo an annual onsite audit performed by a Qualified Security Assessor (QSA) or by an employee of the company who has gone through the PCI Internal Security Assessment Training Program.
Level 2, 3 and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire (SAQ) along with an Attestation of Compliance. Once completed, validation results and documented compliance controls must be submitted to the merchant's acquiring bank. It is important to note that requirements may vary depending on the payment card. For example, Level 2 merchants that accept MasterCard must have more rigor than just the SAQ self-assessment that applies to Levels 3 - 4. MasterCard specifies that as of June 30, 2012, Level 2 merchants that choose to complete an annual SAQ questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training, and must pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by an approved QSA rather than complete an annual self-assessment questionnaire.
It is also important to note that if a Level 2 - 4 merchant suffers a breach that results in a data compromise, they may be escalated to a Level 1 validation level. [Note: also see Visa's definition of merchant levels, which is largely determined by transaction volume. The MasterCard and American Express definitions of merchant levels are similar to Visa's.]
Table 1: Merchant and Service Provider Levels and Validation Requirements

| Level | Criteria | Annual QSA Audit | Quarterly ASV Scan |
|---|---|---|---|
| Merchant Level 1 | 6,000,000+ transactions per year or compromised in the past year | Yes | Yes |
| Merchant Level 2 | 1 million to 6 million transactions per year | No (annual SAQ) | Yes |
| Merchant Level 3 | 20,000 to 1 million e-commerce transactions per year | No (annual SAQ) | Yes |
| Merchant Level 4 | Less than 20,000 e-commerce transactions per year and all other merchants processing up to 1 million transactions per year | No (annual SAQ) | Yes |
| Service Provider Level 1 | All VisaNet processors (member and nonmember), and all payment gateways | Yes | Yes |
| Service Provider Level 2 | Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually | No (annual SAQ) | Yes |
| Service Provider Level 3 | Any service provider that is not in Level 1 and stores, processes, or transmits less than 1,000,000 Visa accounts/transactions annually | No (annual SAQ) | Yes |
How often is PCI DSS validation required?
Merchants must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Validation requirements vary depending on the number of transactions processed annually and the payment card brand. As with other regulations and guidelines, PCI DSS compliance cannot be achieved through technology alone. Compliance requires establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies to ensure ongoing compliance through continuous protection of payment card data.
If I use a third-party to process payments, or an ecommerce platform, do I still need to worry about PCI compliance?
Yes, you do. Although outsourcing some or all of your payment processes may reduce your risk of breach or what is in scope for PCI compliance, you cannot ignore it.
What kind of vulnerability scanning is required to validate compliance?
Merchants and Service Providers (and any other entity that requires PCI compliance) must perform quarterly internal and external vulnerability scanning. External vulnerability scans must be conducted by an Approved Scanning Vendor (ASV) and result in the production of a passing scan report showing no vulnerabilities are present. Internal scanning can be conducted by the entity themselves, but again, there must be a process to document at least quarterly that a scan has been conducted and any issues remediated, with re-scanning resulting in a "passing" internal scan. Internal and external scan reports will need to be retained as evidence for presentation to a QSA or other external assessment entity such as acquiring banks, card brands or forensic investigation teams.
Why engage SecureWorks to assist with PCI compliance?
Merchants typically find that working with SecureWorks helps them cut down on their overall costs and resources, and that they can complete a compliance assessment faster. We also help merchants make the most of what they already have in their security environment and existing PCI processes. For example, if you have a combination of firewalls and security devices from different vendors, we can help monitor and manage them, as well as help you make them more secure with modifications as needed. Our team of compliance professionals and consultants has an average of more than 10 years' experience in their areas of expertise. Not only are they experts in the complex regulatory requirements of various industries, but they are adept at helping organizations create short-term and long-term remediation plans to meet compliance requirements. They can also help reduce the overall costs of meeting compliance requirements. As a Managed Security Services customer, your organization will also enjoy unmetered guidance and support from our team of certified Security Analysts.
What kinds of services does SecureWorks offer for mid-size or smaller merchants?
SecureWorks offers services for merchants at almost all levels. Although we work with a number of enterprise and Level 1 merchants, we also work with regional retailers and other smaller merchants to help them address PCI DSS requirements. For example, there are some companies that only want a quarterly PCI network scan from an Approved Scanning Vendor (ASV), which we offer. Or they need help with monitoring and managing their firewalls. Sometimes customers wish to conduct their self-assessment questionnaire (SAQ) in house, but then realize they need help with remediation or guidance on how to reduce the scope of what's in consideration for PCI compliance, and we can assist with that as well.
What kinds of consulting services does SecureWorks offer for PCI compliance?
SecureWorks offers a full suite of consulting solutions to help merchants address PCI compliance. Each service builds on the work accomplished in the previous stage. These include Readiness Reviews, Gap Analyses, Mock Audits and Reports on Compliance (ROC) or assistance with Self-Assessment Questionnaires (SAQ).
What other products and services does Dell offer to help merchants with PCI compliance? How do SecureWorks services complement them?
Dell offers a full suite of hardware, appliances and software to help address all 12 aspects of PCI compliance, including SonicWALL firewalls, KACE appliances, endpoint solutions and others. SecureWorks complements these products by providing merchants with expert advice to help them develop a strategy for achieving compliance, as well as vendor-neutral managed services to help monitor and manage firewalls, IDS/IPS, log management systems, SIEM systems, quarterly PCI scanning, and all of the other controls mandated by PCI DSS.
Does SecureWorks provide PCI compliance services for PCI service providers?
Many of our Managed Security Services, such as log monitoring, firewall management and web application firewall management, may help service providers address PCI compliance concerns. We also offer Security & Risk Consulting to assist with PCI compliance Readiness Reviews, penetration testing and other security and compliance services. Please contact us for more details.
What are some of the practical challenges companies face when trying to maintain PCI compliance?
Organizations often assemble a team of people as a task force to meet initial compliance requirements, or pass a ROC or SAQ, but then disband it after certification. SecureWorks recommends ongoing attention and a standing team to review policies, procedures and everything else related to PCI compliance on a regular basis, not just once a year.
Another challenge is that companies may purchase new equipment or devices to meet certain PCI compliance requirements, but fail to monitor or manage them after they are set up, which effectively renders them useless against threats. Or organizations may create an employee policy document and never update it, even though there is frequent staff turnover. In other instances, organizations may get initial management buy-in to become compliant, but lack ongoing funding and budgets to properly maintain compliance.
What are some of the technical challenges companies face when trying to maintain PCI compliance?
Some of the most common technical challenges include network segmentation, data encryption, patch management and wireless networking security. Others include 24x7 log monitoring, firewall management and web application firewall management.
Is an annual ROC or SAQ all that is required to be PCI compliant? How can companies better maintain PCI compliance?
Although an annual Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) requires a significant investment of time and resources, it is merely a snapshot of a moment in time. It is not the same as ongoing compliance, which requires dedicated people, processes and technology. Any changes to the merchant environment can lead to non-compliance. There are several steps merchants can take to better meet their compliance obligations and ensure they have effective security controls. SecureWorks recommends embedding security controls into everyday processes, performing regular PCI health checks, and preparing for assessments with an organized plan.
If my organization is certified as PCI compliant, does it mean it is secure?
No, as many high-profile data breach cases have shown, companies that are certified as PCI compliant can still suffer data breaches and financial losses. PCI compliance alone won't protect corporate data and systems from costly, time-consuming data breaches and advanced threats. PCI compliance should be viewed as the baseline, not the end goal, for any organization. Annual validation of compliance means nothing without continual efforts to maintain that compliant state. A well-defined security program can help organizations not only meet and maintain PCI compliance, but also address new and emerging threats as well as innovations such as mobile, virtualization and other technology. Only by designing, implementing and maintaining effective security controls to meet PCI requirements can organizations gain security alongside compliance.
What do I need to consider regarding mobile devices and tablets for employees in a store environment, as it relates to PCI compliance?
One of the key things is to determine what the devices are going to be used for and whether or not they'll be used to process transactions or have any payment card data processed through them or stored on them. If so, they will fall into scope for PCI compliance. Even being on the same network as systems that store, process or transmit payment card data will bring these devices into scope. While the PCI guidelines might not have specific requirements yet for every aspect of mobile applications and devices, they are clear around keeping cardholder data protected, wherever it may be.
This is such a new area for many merchants that they aren't properly addressing security issues or updating their employee guidelines or policies to deal with them adequately. You can't take it for granted that employees will know what to do in a given situation or think about the ramifications of bringing their own devices into store or medical environments. Make them aware of the need for compliance and why it's important to customers and to the business.
I am new to PCI and have no idea where to start. What do you suggest?
If you're just getting started with PCI compliance, you can find a wealth of information on the PCI Council website. For more information, download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what your specific compliance requirements are, the PCI Council recommends you check with your card brand:
In addition, you may wish to join any number of PCI compliance-related discussion groups on LinkedIn or through other industry forums. We also suggest you take advantage of complimentary webcasts and other educational tools offered by SecureWorks.
Within your organization, we recommend that you form an internal PCI compliance team if there isn't one already, and begin organizing your PCI compliance efforts around the guidelines and processes published by the PCI Council. SecureWorks can also assist you via a Gap Analysis or other PCI consulting engagement.
What is PCI PFI?
The PCI Forensic Investigator (PFI) program was created to establish a standardized process for the forensic investigation and reporting of information security incidents involving cardholder information.
PCI DSS 3.2: What’s New?
You’ve announced today the release of version 3.2 of the PCI Data Security Standard. When should organizations implement these changes?
Troy Leach: Companies should adopt the standard as soon as possible to prevent, detect and respond to cyberattacks that can lead to payment data breaches. Version 3.1 will expire on 31 October 2016. However, all new requirements are best practices until 1 February 2018 to allow organizations an opportunity to prepare to implement these changes.
You mentioned in a previous post that there are certain requirements being incorporated into the PCI DSS from the Designated Entities Supplemental Validation criteria. Can you elaborate?
Troy Leach: We’ve added the PCI DSS Supplemental Designated Entities Validation (DESV) criteria as an appendix to the standard, as well as expanded a few existing PCI DSS requirements (3, 10, 11, 12) to include DESV controls for service providers specifically.
Analysis of recent cardholder data breaches and PCI DSS compliance trends reveal that many organizations view PCI DSS compliance as an annual exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced. The process of adhering to PCI DSS requirements is what is meant to be “PCI compliant.” The Report on Compliance (ROC) simply validates that the processes are in place and can evolve as an organization changes over the course of a year. These changes for service providers will provide greater assurance that the security will remain as expected for both the provider and their customers that rely on those services.
Why is it important for organizations to ensure security controls are in place following a change in their cardholder data environment (new requirement 6.4.6)? What type of change would trigger the need to re-evaluate an organization’s security controls?
Troy Leach: It is important to have a process to analyze how changes may impact the environment and the security controls that organizations rely on to protect cardholder data. Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date, and security controls are applied where needed. It sounds simple but can easily be overlooked to have a new device added to a network by an individual unaware of security-relevant issues or even the responsibility to protect cardholder data. A change-management process helps provide supporting evidence that PCI DSS requirements are implemented or preserved through the iterative process and simplify future PCI DSS compliance responsibilities. Our hope is this requirement will eventually lead to better efficiency when reporting PCI DSS and security changes within an organization.
These changes also ensure organizations view security as an organic process that evolves with the company as an ongoing effort and not a yearly assessment to correct behavior.
New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems. Why is this deemed necessary?
Troy Leach: Without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment.
While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene.
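To make the detection process that 10.8 calls for concrete, here is an added example (written for this page, not code from the PCI Council or the 3.2 text): a Python check over constructed status reports from critical controls that flags explicit failure reports and also a control that has simply stopped reporting. The control names, reporting intervals and event format are assumptions.

```python
from datetime import datetime, timedelta

# Critical controls and the longest allowed gap between their status reports
# (names and intervals are assumptions for this example, not values from the standard).
CRITICAL_CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids": timedelta(minutes=5),
    "fim": timedelta(hours=1),            # file-integrity monitoring
    "log_collector": timedelta(minutes=10),
    "antivirus": timedelta(hours=4),
}

def parse_event(line):
    """Constructed report format: '<ISO timestamp> <control> <ok|fail> [detail]'."""
    ts, control, status, *detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), control, status, detail[0] if detail else ""

def detect_control_failures(lines, now):
    """Return {control: reason} for each critical control that reported a failure,
    fell silent beyond its allowed gap, or never reported. Silence is treated as
    failure: a dead agent is invisible if only explicit 'fail' events are watched."""
    latest = {}  # control -> (timestamp, status, detail) of its most recent report
    for line in lines:
        ts, control, status, detail = parse_event(line)
        if control in CRITICAL_CONTROLS and (control not in latest or ts > latest[control][0]):
            latest[control] = (ts, status, detail)
    failures = {}
    for control, max_gap in CRITICAL_CONTROLS.items():
        if control not in latest:
            failures[control] = "never reported"
            continue
        ts, status, detail = latest[control]
        if status == "fail":
            failures[control] = f"failure reported at {ts.isoformat()}: {detail}"
        elif now - ts > max_gap:
            failures[control] = f"silent since {ts.isoformat()} (allowed gap {max_gap})"
    return failures

# Constructed status stream: 'ids' never reports and 'log_collector' has gone quiet.
SAMPLE_EVENTS = [
    "2016-05-01T10:00:00 firewall ok",
    "2016-05-01T09:58:00 firewall ok",   # older report, superseded by the one above
    "2016-05-01T09:30:00 fim ok",
    "2016-05-01T09:40:00 log_collector ok",
    "2016-05-01T09:55:00 antivirus fail signature update failed",
]
NOW = datetime.fromisoformat("2016-05-01T10:04:00")

if __name__ == "__main__":
    for control, reason in detect_control_failures(SAMPLE_EVENTS, NOW).items():
        print(f"ALERT {control}: {reason}")  # hand off to the 10.8.1 response process
```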
New requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months. How often were penetration tests required before this change was implemented? Why is this an important change?
Troy Leach: Previously in the PCI DSS, it was required at least annually for all entities to demonstrate that their segmented environment was truly isolated. The difference is that service providers must demonstrate this now every six months. However, validating the effectiveness of segmentation should be performed as frequently as possible to ensure PCI DSS scope remains up to date and aligned with changing business objectives.
This is one of the most important controls to assure the proper focus of PCI DSS controls. With this change, we emphasize that importance with more frequency of testing to confirm security controls are in place and working.
There is a new requirement (12.4.1) for executive management of service providers to establish responsibilities and a PCI DSS compliance program. How should an organization go about implementing such a program and why is this important?
Troy Leach: Organizations where executive management are involved in strategic development of payment card security will be able to respond to changes and ask appropriate questions to determine the effectiveness of the program and influence strategic priorities. Overall responsibility for the PCI DSS compliance program may be assigned to individual roles and/or to business units within the organization, but the executive visibility is critical for service providers where protecting cardholder data is central to their business.
What can you tell us about the change that necessitates the use of multi-factor authentication?
Troy Leach: Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric. Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.
Requirements 12.11 and 12.11.1 ask that service providers perform quarterly reviews to confirm that personnel are following security policies and operational procedures. How should organizations implement these reviews?
Troy Leach: This requirement encourages organizations to reaffirm that those individuals the company relies upon understand the importance of the process and continue to follow the procedures beyond the week the assessor comes to town. Again, the theme of several PCI DSS changes is to demonstrate the processes to protect are operating as expected. These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, firewall reviews, etc.—to assist the entity’s preparation for its next PCI DSS assessment.
Another change being introduced relates to primary account number (PAN) masking. Can you explain what this change entails?
Troy Leach: We’ve updated PCI DSS requirement 3.3 to ensure that only the minimum number of digits are displayed as necessary to perform a specific business function. The requirement continues to use the example of first six, last four digits. This update also provides flexibility, such as for varying BIN (Bank Identification Number) routing and aligns with recent considerations to other industry standards.
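As an added illustration of the 3.3 masking rule described above (example code written for this page, not from the PCI Council or the standard), a Python routine that masks a PAN to the first six and last four digits, applies the Luhn check so that ordinary order numbers are not mistaken for card numbers, and scrubs PANs out of free text such as log lines. The regular expression, the `first`/`last` parameters and the sample strings are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits. (Pattern is an assumption for this example.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card brand applies to the PAN; filters out most
    non-card digit strings of card-like length (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Return the PAN with only the first `first` and last `last` digits visible.
    Requirement 3.3's stated example is first six / last four; pass smaller
    values where a business function needs fewer digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    if first + last >= len(digits):
        raise ValueError("mask would leave every digit visible")
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def scrub_pans(text: str, first: int = 0, last: int = 4) -> str:
    """Mask every Luhn-valid PAN found in free text (log lines, support tickets).
    Defaults keep only the last four digits, the minimum usually needed to
    match a transaction; separators inside the PAN are dropped in the output."""
    def repl(m):
        candidate = re.sub(r"\D", "", m.group(0))
        return mask_pan(candidate, first, last) if luhn_ok(candidate) else m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))          # 411111******1111
    # Constructed log line: the 5-digit ids are left alone, the PAN is masked.
    print(scrub_pans("order 12345 paid with 4111-1111-1111-1111 ref 98765"))
```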