Mikael Grondahl

Payment Card Industry Data Security Standard – A safety feature we all benefit from…

A few months ago, I received a call from American Express…

“Mr. Grondahl, this is Jennifer from American Express, you wouldn’t happen to be in Kuala Lumpur, Malaysia, would you? We believe someone is using your credit card there right now” 

“Thank you for your call Jennifer, I wish I was in Kuala Lumpur, but unfortunately no, I’m not”

“OK, that’s what we suspected, so we already put a hold on your credit card”

“The charges made to the card will be revoked, and we will send you a new card within 2 business days”

These guys stay on top of it for sure, got to love them for that. I’ve even received a phone call from a credit card company when trying to use my card at a gas station about 4 hours north from where I live, the neighborhood that I had to stop in was not in the best area of town, but I was pretty much flying on fumes, so not a whole lot of options there. Also, didn’t want to risk being late for my Iron Maiden concert…

So how is it that some shady people get a hold of, and try to use your credit card information?

Well, let’s face it, quite a few people have severely broken moral compasses, and can’t really distinguish between what is yours, and what is theirs, that’s just the sad reality of it.

What we shouldn’t have to accept though is that some companies and businesses do not do everything in their power to make sure our sensitive information is protected, and doesn’t get compromised, preventing some lowlifes from trying to steal our hard-earned money.

Hence, there’s this beautiful regulation trying to prevent just that from happening – Payment Card Industry Data Security Standard (PCI DSS)

So, in a nutshell, if you run a business, chance’s that you wouldn’t accept and process credit cards, and store credit card details are slim right? Unless you live in a very rural area of the world and only trade in livestock, “Hey, I’ll trade you two of my one-legged roosters for that sack of potatoes”, but that’s not too common these days… Haven’t seen it in months as a matter of fact.

If the above livestock trading scenario doesn’t apply to you, you are most likely subject to PCI DSS compliance regulations. It doesn’t really matter what type of organization you are, or what business you operate, it applies to all different kinds, from the company renting paddleboards on the beach, to the online business selling health insurance, anyone that you share your credit card information with.

Since the merchant who was the target of the “phony” credit card transaction attempt in Kuala Lumpur, regardless if it was in the store or online, most likely was following PCI DSS regulations, American Express was alerted that something “fishy” was going on, and they in turn stopped all transactions and notified me about the event, saving me some serious headache.

With new rules and standards like the contactless EMV chip cards, most credit cards are safe and getting even more secure, so it’s important that the merchants maintain PCI compliance to protect and defend themselves against data breaches, preventing hackers from getting their filthy hands on our sensitive cardholder information, stealing our identities and impersonating us cardholders.

So, with that said, let’s scratch the surface a little bit to uncover the basics of PCI DSS…

A brief overview of the Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

So essentially, it sets the requirements for organizations and sellers to safely and securely accept, store, process, and transmit cardholder data during credit card transactions to prevent fraud and data breaches.

The history of the Payment Card Industry Data Security Standard
Five different programs: Visa‘s Cardholder Information Security Program, MasterCard‘s Site Data Protection, American Express‘s Data Security Operating Policy, Discover‘s Information Security and Compliance, and the JCB‘s Data Security Program were started by card companies.

The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was then formed and these companies aligned their individual policies to create the PCI DSS (2004).  (Source: Wikipedia)

The reason behind this was that businesses of all shapes and sizes transitioned from traditional payment processing, to online payment processing, and their customers started using their credit cards more frequently for online and offline transactions.

Networks and payment systems back then were not as secure as they are today, credit card information was exposed and more available to the technically inclined thieves and scammers out there, and due to increasing data theft and fraud, the five largest credit card companies implemented the Payment Card Industry Data Security Standard (PCI DSS) to prevent costly consumer and bank data breaches.

The credit card companies made PCI compliance a self-regulated mandate, meaning that the sellers and organizations are the ones liable and responsible for maintaining compliance for all parts of the payment processing life cycle, not the credit card companies.

Enhancements of PCI Security Standards and training of security professionals are some of the responsibilities of the PCI Security Standards Council, this is done through establishing and setting minimum requirements and standards for merchants to follow, the credit card companies are responsible for enforcing them among sellers and organizations that accept their credit cards.

What’s required of my business to be PCI DSS compliant?
If you want to be able to use the credit card companies’ services, you need to be compliant with PCI regulations, and you need to meet the DSS standards (Data Security Standard).

The Data Security Standard (DSS) are governed and determined by the Security Standards Council (SSC).

PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations.

Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name).

PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

The PCI DSS standards are grouped into 12 categories, and below is a high-level overview of the requirements.

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security for all personnel.

If your business does not comply with and maintain these standards on at least a quarterly basis, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.

The 4 different PCI Compliance Levels
There are 4 different PCI DSS compliance levels, each level has unique requirements for businesses to validate its compliance, based on annual number of transactions, and how electronic payment data is processed.

Businesses are required to undergo Approved Scanning Vendor (ASV) or Qualified Security Assessors (QSA) assessments to gauge how secure they are compared to PCI DSS standards. And you are required to sign off on the results, submit them, and remediate any pending findings in a timely fashion.

Level 1:

  • Sellers that process over 6M transactions per year
  • Any merchant that has had a data breach or attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1

PCI Requirements:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)—also commonly known as a Level 1 onsite assessment—or internal auditor if signed by an officer of the company
  • Quarterly network scan by Approved Scan Vendor (ASV)
  • Attestation of Compliance form
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)

Level 2:

  • Sellers that process 1 M to 6M transactions per year

PCI Requirements:

  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)

Level 3:

1)    Sellers that process 20,000 to 1M e-commerce transactions per yearPCI Requirements:

  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)

Level 4:

  • Sellers that process fewer than 20,000 e-commerce transactions and all other sellers that process up to 1M transactions per year

PCI Requirements:

  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)

Explanation of assessments:

Approved Scanning Vendors (ASV)
An ASV is an organization with a set of security services and tools (“ASV scan solution”) to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2. The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.

Qualified Security Assessors (QSA)
Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements.

Self-Assessment Questionnaire (SAQ)
The PCI DSS Self-Assessment Questionnaire is a checklist, created and distributed by the PCI Security Standards Council. It’s used as a mechanism for sellers to self-validate their PCI DSS compliance.

PCI DSS compliance Best Practices, in our humble opinion…
The PCI DSS standards are grouped into 12 categories, with several subcategories, and we believe, that to be able to proficiently supervise and maintain PCI DSS compliance, being able to produce and present audit reports at any given time, we recommend that organizations use a tool like Cygna Auditor, Netwrix Auditor, or BeyondTrust Powerbroker.

Stay compliant & protected folks…