PCI Compliance Information from a PCI QSA

PCI Compliance Wiki

A place to get information on PCI Compliance


For those new to PCI Compliance (either a new QSA or another interested party) I have put together a general PCI Compliance Wiki to quickly cover the basics of PCI Compliance.

PCI DSS Standards Overview
PCI DSS security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council (PCI SSC) to protect credit card data. The standard is divided into 12 requirements, each outlining a different aspect of security best practice, all aimed at better credit card security.

History of PCI DSS –
Prior to 2004 each card brand (i.e., Visa, MasterCard, etc.) had its own security program that merchants were expected to follow. There was no standardization across card companies on credit card security requirements, and it was difficult for merchants to become familiar with and adhere to competing standards from Visa, MasterCard, and others. As fraud losses increased, the card industry realized the need for consistent and well defined security standards. So in 2004 Visa and MasterCard joined together to form a single approach to safeguarding sensitive data for all card brands, and soon all the major credit card brands joined, forming a single security standard that all credit card merchants could follow. They formed an independent council (PCI SSC) to manage this program.

Who has to Comply with PCI?
All merchants and service providers who store, transmit, or process credit cards must comply with all requirements. Just because no one has asked you to prove compliance does not mean that you are not required to be compliant. PCI Compliance deadlines have passed, and all merchants and service providers are expected to be compliant TODAY!

PCI Compliance Levels (For Reporting)
Each card brand has outlined various reporting levels based on volume of credit card transactions. There is a lot of confusion around this. To be clear, all merchants and service providers must comply with ALL PCI requirements regardless of size, complexity, or volume of credit card transactions. The only difference between Walmart’s PCI Compliance and Joe’s Snack Shop’s is how compliance is validated / REPORTED. The greater the volume of transactions (which means greater risk), the higher the degree of proof a company has to show that it is PCI compliant. “PCI Compliance Level” is a widely confused term and should be considered only as a way to determine how you report compliance. Each card brand has its own formula; here are the major ones:
Visa Merchant Levels
Level 1
  Merchant Criteria:
  • Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region
  Validation/Reporting Requirement:
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
Level 2
  Merchant Criteria:
  • Merchants processing 1 million to 6 million Visa transactions annually (all channels)
  Validation/Reporting Requirement:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 3
  Merchant Criteria:
  • Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
  Validation/Reporting Requirement:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 4
  Merchant Criteria:
  • Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
  Validation/Reporting Requirement:
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by merchant bank

MasterCard Merchant Levels (from MasterCard’s Website as of Aug 2014)
Level 1
  Merchant Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant having more than six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 1 criteria of Visa
  • Any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  Validation/Reporting Requirement:
  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) or Internal Auditor if signed by officer of the company
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
Level 2
  Merchant Criteria:
  • Any merchant with more than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually
  • Any merchant meeting the Level 2 criteria of Visa
  Validation/Reporting Requirement:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Onsite Assessment at Merchant Discretion
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 3
  Merchant Criteria:
  • Any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting the Level 3 criteria of Visa
  Validation/Reporting Requirement:
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 4
  Merchant Criteria:
  • All other merchants
  Validation/Reporting Requirement:
  • Annual Self-Assessment
  • Quarterly Network Scan conducted by an ASV


PCI Compliance Fines
Coming Soon!

PCI DSS Scope –
This is a question a lot of QSAs answer at the beginning of engagements. The answer is impossible to state generically, but here is some basic information for a merchant or service provider. First, PCI applies to all entities involved in payment card processing; this includes merchants, service providers, and even financial institutions. The simplest definition of what data and systems PCI DSS applies to is this: “The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.” System components include network devices, servers, computing devices, and applications.

Segment Systems to Limit Scope –
The phrase that gets most businesses worried when scoping their PCI compliance efforts is “connected to the cardholder data environment” (see PCI DSS Scope above). It means that if you have systems, say your corporate marketing servers, that have connectivity to your point of sale terminals, they are in scope for PCI. We are talking network-based connectivity, not authentication. If you are on your marketing server and you can connect to your POS systems (regardless of whether you have the POS password), they are connected. So, in most organizations with a flat network, all systems would fall under the rules of PCI. What the PCI Council has done is allow network segmentation to be put in place to help limit the scope of PCI. For example, if your POS systems are isolated from the corporate office by a firewall with strong rules in place, then it is most likely that you can exclude the corporate systems from scope, thus reducing the effort in becoming and staying PCI compliant. See my full post on Segmentation to limit scope.
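As an added illustration (not code from the original post), the following toy model applies the “connected to the CDE” rule above to an inventory: scope is decided by whether a system’s network segment has an allowed path to a CDE segment, not by who holds a POS password. All system names, segments and firewall rules are constructed for the example.

```python
# Added example: model PCI scope as network connectivity to the CDE.
# A system is in scope if it is part of the CDE or if its segment has a
# firewall allow rule (in either direction) to a segment holding CDE systems.
# Credentials play no part; an allowed network path is enough.

# Constructed inventory: system name -> network segment it lives in.
SYSTEMS = {
    "pos-register-1": "pos",
    "pos-server": "pos",
    "marketing-web": "corp",
    "hr-fileshare": "corp",
    "guest-wifi-ap": "guest",
}

# Systems that store, process or transmit cardholder data: always in scope.
CDE = {"pos-register-1", "pos-server"}

# Firewall policy as (source segment, destination segment) allow pairs.
ALL_SEGMENTS = {"pos", "corp", "guest"}
FLAT_NETWORK = {(a, b) for a in ALL_SEGMENTS for b in ALL_SEGMENTS if a != b}
SEGMENTED = {("corp", "guest")}  # no rule touches "pos": POS is isolated


def connected(seg_a, seg_b, allow_rules):
    """Two segments are connected if traffic may flow in either direction."""
    return (seg_a == seg_b
            or (seg_a, seg_b) in allow_rules
            or (seg_b, seg_a) in allow_rules)


def pci_scope(systems, cde, allow_rules):
    """Return the systems in PCI DSS scope: the CDE plus every system whose
    segment is directly connected to a CDE segment (one hop; this toy does
    not chase connections through intermediate segments)."""
    cde_segments = {systems[s] for s in cde}
    return {
        name for name, seg in systems.items()
        if name in cde or any(connected(seg, c, allow_rules) for c in cde_segments)
    }


def out_of_scope(systems, cde, allow_rules):
    """Systems that segmentation keeps out of scope, i.e. the effort saved."""
    return set(systems) - pci_scope(systems, cde, allow_rules)


if __name__ == "__main__":
    print("flat network, in scope:", sorted(pci_scope(SYSTEMS, CDE, FLAT_NETWORK)))
    print("segmented, in scope:   ", sorted(pci_scope(SYSTEMS, CDE, SEGMENTED)))
    print("segmented, excluded:   ", sorted(out_of_scope(SYSTEMS, CDE, SEGMENTED)))
```

With the flat policy every system lands in scope; with the segmented policy only the two POS systems remain, which is exactly the reduction the firewall is meant to buy.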

What is a Compensating Control? –
PCI is a pass-or-fail assessment (unfortunately), so a single non-compliant finding would make a business “non-compliant”, which no one wants to say. The PCI Council has recognized that in certain circumstances one or more of the specific PCI requirements cannot be met. If a business has a legitimate business or technical reason that it cannot apply the original PCI requirement, it may identify a “compensating control” that takes the place of the original control, thus allowing that control to “pass”. There are rules around what can be considered a compensating control, including that the control has to go above and beyond the original control’s intent.

Difference in a QSA and ASV?
QSA stands for Qualified Security Assessor; these are companies that have been vetted and approved to conduct PCI audits, so think of them as “PCI experts”. ASV stands for Approved Scan Vendor; these companies are the ones approved to run external vulnerability scans as part of showing proof that a company is compliant. All merchants and service providers are required to use an ASV to conduct external vulnerability scans. Only the largest merchants are required to hire an ASV to prove compliance.
Reviewed by Stewart Fey on 11:01:00 AM