PCI Compliance
Organizations that store, process or transmit credit card data must comply with the Payment Card Industry Data Security Standard. Get the information you need to comply.
What is PCI?
The Payment Card Industry (PCI) represents a crucial segment of the financial sector, dedicated to managing and securing electronic payments encompassing debit, credit, ATM, POS, prepaid, and e-purse systems. In an era where digital transactions are ubiquitous, safeguarding sensitive financial data during its transmission globally is paramount. This necessity underscores the role of stringent security measures to protect all participants in non-cash payment transactions.
To create these standards, the major financial corporations developed the PCI-SSC (Payment Card Industry Security Standards Council). This body functions independently from the financial institutions themselves, focusing solely on enhancing security throughout the payment card industry. The PCI SSC is instrumental in protecting cardholders by developing and enforcing comprehensive security standards that all merchants and payment-processing vendors must adhere to.
What is PCI DSS?
Credit and debit cards fuel global commerce. Unfortunately, they are also a lucrative target for fraudsters. To protect cardholder data, merchants and vendors must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which establishes a baseline level of security for organizations that store, process, or transmit payment card data.
The PCI DSS has grown significantly in stature and coverage since its early beginnings. PCI DSS requirements are robust and comprehensive. Organizations that invest the time and effort to comply with them will be more secure and protected from cybersecurity threats.
The latest update in these security measures is the PCI DSS version 4.0. This iteration represents a significant evolution in the standards, designed to address the complexities of modern payment environments and the sophisticated nature of current cyber threats. PCI DSS 4.0 not only reinforces the need for robust security protocols but also introduces greater flexibility in how these requirements can be met. This flexibility allows businesses to implement security measures that are most effective for their specific operational environments while still maintaining rigorous security standards.
The introduction of PCI DSS 4.0 is set to have a profound impact on how businesses manage payment security. By allowing more customized implementation of its standards, PCI DSS 4.0 enables businesses to be more innovative in their approach to securing card data. Moreover, it ensures that the security measures are not only about compliance but are genuinely effective in protecting sensitive information in an increasingly digital world.
This strategic update aims to ensure that the protective measures evolve in step with the fast-paced advancements in technology and payment methodologies, thereby sustaining the integrity and trust in the global payment ecosystem.
Who Must Comply with PCI DSS?
The designation "standard" in the Payment Card Industry Data Security Standard (PCI DSS) might initially suggest that it is merely a recommendation. However, in practice, adherence to PCI DSS is mandatory for businesses managing card payments.
PCI DSS is as good as a regulation. Failure to comply with PCI DSS means that the payment card brands will not permit you to accept or process their cards. Furthermore, non-compliance can lead to significant fines. So, unless you are planning to run a “cash only” business, the PCI Data Security Standard is not optional. It acts as a de facto regulation, ensuring that all merchants meet minimum levels of security for payment processing to protect cardholder data against theft and fraud.
With the release of PCI DSS 4.0, the standards have been updated to address the evolving needs of the security landscape, making compliance an ongoing process that incorporates the latest security measures to combat emerging threats effectively. The updated version underscores the importance of adaptive and continuous security practices that align with technological advancements and changing cyber threat tactics.
At a Glance, What are the PCI Compliance Requirements?
PCI compliance requirements are built around six “control objectives,” and each of these objectives has sub-requirements that organizations must follow. A total of 12 sub-requirements fit into the six control objectives. The table below summarizes them so you can understand your organization’s obligations:
| Control Objective | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software. 6. Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security. |
A Deeper Look at the PCI Compliance Requirements
Below is a more detailed explanation of each requirement under the PCI DSS 4.0 framework:
- Firewall Implementation for Data Protection: Employ firewalls to shield cardholder data by blocking unauthorized inbound and outbound network traffic from untrusted networks. Firewalls function as a first line of defense in preventing external threats.
- Secure Configurations: Change vendor-supplied default passwords and other security settings, which are often known and can be easily exploited by cybercriminals.
- Encryption of Stored Data: Protect cardholder data at rest using strong encryption, cryptographic hashing, or other methods aligned with industry best practices. This ensures that data is unreadable and secure from unauthorized access.
- Encryption of Transmitted Data: Safeguard cardholder data in transit over open or public networks using strong encryption protocols, trusted keys, and digital certificates to prevent interception by malicious actors.
- Anti-Malware Defenses: Deploy anti-virus and anti-malware solutions across all systems that interact with or manage cardholder data. Keep these systems up to date with the latest security patches and virus definitions to combat new threats.
- Vulnerability Management: Establish a systematic process to identify and assess vulnerabilities in systems and applications, enabling timely remediation to mitigate risks effectively.
- Access Control Measures: Enforce strict access controls based on the principle of least privilege and need-to-know basis to minimize potential exposure of sensitive data.
- Unique User Identification: Assign a unique ID to every individual with system access, ensuring that all user actions can be uniquely traced and audited, enhancing accountability and traceability.
- Physical Access Controls: Implement stringent physical security measures, such as electronic access controls and surveillance, to restrict physical access to cardholder data and related systems.
- Logging and Monitoring: Develop mechanisms for logging and monitoring all access to network resources and cardholder data. This practice helps in detecting and responding to security incidents in a timely manner.
- Regular Security Testing: Conduct annual penetration testing and regular vulnerability scans (at least quarterly) of the cardholder data environment to identify and remediate security weaknesses.
- Security Policy Management: Formulate and maintain a comprehensive data security policy that addresses the specific security needs of the organization. Review and update this policy annually or after significant changes in the environment or operations.
How Does Transaction Volume Impact PCI DSS Compliance?
The PCI compliance requirements that apply to organizations depend on how many credit, debit, and pre-paid card transactions they process each year. The more transactions, the higher the level of required compliance and compliance validation.
For example, an organization that processes more than 6 million transactions per year will be required to hire a PCI Qualified Security Assessor (PCI QSA) to conduct an audit every year. The PCI QSA will audit to ensure the required security controls are in place. If they are, the PCI QSA will issue a Report on Compliance (ROC) that certifies the organization’s security posture.
Organizations that process fewer transactions can skip the audit but must perform quarterly network scans to look for signs of trouble. They are permitted to fill out a Self-Assessment Questionnaire (SAQ) where they attest to their own compliance with the required secured controls.
At a Glance, What are the PCI Transaction Levels?
The criteria for defining the levels of compliance and the required validation efforts are centered on the number of credit, debit, and prepaid card transactions an organization processes each year. The more transactions, the higher the level of required compliance and compliance validation. For example, an organization that processes more than 6 million transactions per year must hire a specially trained assessor (PCI QSA) to conduct an audit every year, while organizations that process fewer transactions can skip the audit but must perform quarterly network scans to look for signs of trouble. Here are the transaction levels and what organizations are required to do at each level:
Level 1: more than 6 million transactions per year
- A PCI Qualified Security Assessor (PCI QSA) must perform an annual audit
- Complete an annual Report on Compliance (ROC)
- Perform quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV)
- Complete the Attestation of Compliance (AOC) form

Level 2: 1 million to 6 million transactions per year
- Complete a Self-Assessment Questionnaire (SAQ)
- Perform quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV)
- Complete the Attestation of Compliance (AOC) form

Level 3: 20,000 to 1 million transactions per year
- Complete a Self-Assessment Questionnaire (SAQ)
- Perform quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV)
- Complete the Attestation of Compliance (AOC) form

Level 4: fewer than 20,000 transactions per year
- Complete a Self-Assessment Questionnaire (SAQ)
- Perform quarterly network scans via a PCI Approved Scanning Vendor (PCI ASV)
- Complete the Attestation of Compliance (AOC) form
What are the Critical Components of PCI DSS Compliance?
PCI DSS compliance can seem overwhelming because of the number of requirements and the many acronyms used in the compliance process. Here’s a jargon-free understanding of key terms.
- Annual Audit
If you are at PCI compliance level 1, you need to have an independent, third-party audit performed by a PCI certified Qualified Security Assessor (PCI QSA). This is a highly technical and specialized audit where the auditor performs configuration-level cybersecurity assessments of your technical infrastructure. The PCI Council website has a list of approved PCI QSA companies that can be searched by place of business, countries served, and other such criteria.
Under the updated PCI DSS 4.0 standards, the scope of these audits includes a detailed evaluation of your organization’s adherence to the newly refined and flexible guidelines that are designed to address modern cybersecurity challenges. The audit involves a thorough review of your technical setups, including system configurations and security implementations, to ensure that all aspects of your operations comply with PCI DSS requirements.
These annual audits are crucial not only for verifying compliance but also for identifying potential areas of improvement in your security posture, thus ensuring that your data protection strategies evolve in line with both technological advancements and emerging security threats as emphasized in PCI DSS 4.0.
- Quarterly Network Scans
Under the PCI DSS standards, organizations at all PCI compliance levels are required to conduct quarterly network scans. These scans are critical for identifying vulnerabilities within your network that could potentially be exploited by cyber threats.
To ensure comprehensive and reliable scanning, these quarterly vulnerability assessments must be performed by a PCI certified Approved Scanning Vendor (PCI ASV). PCI ASVs are specialized vendors that have been certified by the PCI Security Standards Council to conduct network scans that adhere to the stringent requirements set out by PCI DSS.
The PCI Security Standards Council maintains a list of approved PCI ASVs, which can be accessed through its website. This list allows organizations to find certified vendors that can perform the required quarterly scans, ensuring that all network vulnerabilities are identified and addressed promptly in accordance with PCI DSS 4.0 standards.
- Self-Assessment Questionnaire
An organization at a PCI compliance level of 2 or below must complete a Self-Assessment Questionnaire (SAQ). As the name suggests, the SAQ is a self-assessment tool filled out by the merchant.
There are different SAQs for different environments, and you must select the one that applies to your organization. The SAQ essentially consists of yes/no questions that correspond to each of the PCI compliance requirements. When you select “no” as an answer for any of the requirements, you may need to describe in detail the remediation steps and associated timelines.
- Report on Compliance
A Report on Compliance (ROC) is filled out by a PCI QSA after completion of an organization’s annual PCI compliance audit. The ROC contains detailed audit findings and can run hundreds of pages.
It is submitted to the merchant’s acquirer (a bank or financial institution that processes payments on behalf of a merchant). The acquirer, in turn, accepts the ROC and then sends it for verification to the payment brand(s). This report is crucial as it not only assesses compliance but also outlines areas where security practices may need to be enhanced to meet the evolving standards and threats within the industry.
- Attestation of Compliance
The Attestation of Compliance (AOC) is a form that attests to the results of a PCI compliance assessment. The AOC is typically completed by a PCI QSA and can be used by merchants and service providers to show customers and stakeholders proof of compliance.
The AOC under PCI DSS 4.0 not only serves as a testament to achieving baseline compliance but also underscores the organization's continuous effort to safeguard sensitive payment information against emerging security threats. This document is crucial for establishing trust with payment partners, financial institutions, and customers, showcasing a proactive approach to cybersecurity.
- Special Situations
There can be exceptions to the PCI compliance levels. One notable scenario is when a merchant experiences a security breach that compromises payment card data. Regardless of the previous compliance level, such an incident elevates the organization to PCI compliance Level 1 — the most stringent level. This means that even a merchant initially categorized under PCI compliance Level 4 would need to meet the rigorous requirements reserved for Level 1 in the aftermath of a breach.
This adjustment underscores the importance of robust security measures and the PCI DSS 4.0's emphasis on adaptive security strategies that respond to changing risks and actual incidents. In the event of a breach, the elevated compliance requirements aim to significantly tighten security protocols and mitigate the risk of future breaches.
If your organization finds itself in a unique situation or facing unusual circumstances that might affect its compliance categorization or requirements, it is crucial to consult with a PCI Qualified Security Assessor (PCI QSA). A PCI QSA can provide expert guidance tailored to your specific scenario, helping to clarify your compliance obligations under PCI DSS 4.0. Engaging with a QSA ensures that your path to compliance is both clear and customized to your organization's needs, allowing you to navigate the complexities of PCI standards effectively.
How to Select a PCI QSA Company
A Payment Card Industry Qualified Security Assessor (PCI QSA) company must perform the annual PCI compliance audit. A PCI QSA is certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance. Its employees are also called PCI QSAs, and they must undergo annual training and re-certification to be able to conduct audits. The PCI Security Standards Council maintains a list of all the individuals and companies that have successfully completed training and certification as a PCI QSA.
While the PCI compliance audit typically applies to PCI level 1 compliance entities, organizations that need to complete a self-assessment questionnaire (SAQ) can also greatly benefit from the expertise of a PCI QSA company.
Regardless of PCI compliance level, a good PCI QSA company can help all organizations understand compliance requirements in the light of business and operational goals and provide invaluable guidance.
Here are some tips to select the right PCI QSA company for your organization:
Background Research
Research the PCI QSA company thoroughly – number of years of experience, past and current clients, industry experience, technical certifications, client references, and so on. A PCI QSA’s experience in the same industry as yours is important since each industry has unique challenges, technical environments, and operational realities.
Approach
Understand beforehand how the PCI QSA company approaches the audit process. A collaborative approach works best. The PCI QSA should gain an in-depth understanding of your business - its strengths and its eccentricities. That way, the PCI QSA can view the PCI compliance requirements in the context of your business and operational environment.
Scoping
The PCI Security Standards Council makes it a PCI QSA’s responsibility to confirm the scope of a PCI compliance audit. A good PCI QSA will look for opportunities to reduce the complexity of the compliance scope to save time, money, and resources.
The updated guidelines in PCI DSS 4.0 place a strong emphasis on precision in scoping to not only streamline compliance efforts but also to ensure that these efforts are focused and effective.
Proper scoping helps organizations target their security measures more accurately, which is essential for protecting cardholder data effectively while optimizing operational and financial efficiency. Engaging with a knowledgeable PCI QSA who can accurately define and potentially reduce the audit scope is invaluable in navigating the complexities of PCI DSS 4.0 compliance.
Post-Audit Assistance
After an audit, you may be left with a full plate of remediation items to address within short timeframes. A good PCI QSA will provide clients with post-audit assistance and answer specific remediation questions that may arise.
It’s Time to Fill Out Your SAQ. Which Type Applies?
- SAQ A: Applicable to card-not-present merchants (mail/telephone-order or e-commerce) who have completely outsourced all cardholder data processing to a third-party vendor and do not store, process or transmit any cardholder data on their systems or premises. In this case, the third-party vendor needs to be PCI DSS compliant.
- SAQ A-EP: Applicable to e-commerce merchants who partially outsource payment processing to a PCI DSS compliant
- SAQ B: Applicable to merchants who do not store any electronic cardholder data and process payments either via standalone
- SAQ B-IP: Applicable to merchants who process online payments using only standalone, PTS-approved payment terminals.
- SAQ C: Applicable to merchants with payment application systems connected to the Internet and no electronic cardholder data storage.
- SAQ C-VT: Applicable to merchants whose web payment application is hosted by a PCI DSS validated third-party service provider. These merchants use a virtual payment terminal solution with no electronic cardholder data storage.
- SAQ P2PE: Applicable to merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage.
- SAQ D: Applicable to all merchants not covered by the SAQ types above, and to all service providers defined by a payment brand as eligible to complete an SAQ.
What is a PCI Compliance Scan?
Regardless of your PCI compliance level, your organization must undergo a quarterly PCI compliance scan to identify cybersecurity threats in your systems and network. Insights from the scan can be used to enhance protection of the cardholder data environment (CDE) against malicious attacks.
PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant changes in the network. These scans involve a combination of automated and manual tools/techniques that assess how well-protected your organization’s networks are from cyberattacks.
The PCI DSS requires that quarterly PCI compliance scans be performed by an independent third party, also known as a PCI certified Approved Scanning Vendor (PCI ASV).
Benefits of a PCI Compliance Scan
A PCI compliance scan identifies the low-hanging fruit that hackers often exploit, such as open ports, default credentials, weak passwords, outdated infrastructure, and security configuration errors.
Here are other benefits of the scans:
- Identifies vulnerabilities introduced into the cardholder data environment due to unauthorized changes or system modifications, such as a firewall rule change.
- Identifies missing patches and updates in systems and software.
- Simulates real-life hacker probes at a network level, both external and internal.
- Provides a quarterly report of actionable and quantifiable items to top management, showing whether an organization’s cybersecurity posture is improving in a timely manner.
As new technologies and methodologies for scanning and protecting networks become available, PCI DSS 4.0 might incorporate these into its scanning requirements. Organizations would need to stay abreast of these changes to ensure that their compliance scans are using the most effective and up-to-date tools available.
Organizations should review the specific changes and updates in PCI DSS 4.0 related to compliance scanning and adapt their practices accordingly to maintain or achieve compliance. Regularly consulting with a PCI Qualified Security Assessor (PCI QSA) or an Approved Scanning Vendor (ASV) can help ensure that compliance scans are conducted in line with the latest PCI standards and best practices.
How to Choose a Good PCI ASV Company
Given the sensitive nature of the activities that a PCI compliance scan entails, organizations need to evaluate key aspects before entrusting their systems to an external vendor.
Identify whether the PCI ASV has in-depth cybersecurity experience and expertise. Are they also a PCI Qualified Security Assessor (PCI QSA)? Have they performed several PCI compliance audits? Do their certified experts have experience that spans across multiple industries and diverse environments?
Ask how the PCI ASV plans to keep your data and cardholder data environment secure during testing.
Review sample reports to identify if the PCI ASV understands how to make risk-based, prioritized recommendations. A good PCI compliance scan report will ideally include: an executive summary highlighting the organization’s overall security posture; a technical section detailing identified vulnerabilities; and comprehensive recommendations on how to remediate those vulnerabilities.
Verify that the PCI ASV uses industry best practices and testing methodologies based on internationally respected models. Ensure that the PCI ASV uses a combination of both automated and manual methods/tools for PCI compliance scans. This is important because automated tools may generate several false positives. The PCI ASV needs to manually weed these out to save time and effort.
Lastly, make sure that the PCI ASV offers retests to validate your remediation efforts.
What are Common Causes of Data Leaks?
A data leak is bad news for any organization. It’s typically a precursor to a large-scale data breach that will escalate quickly. If the leaked data is related to credit-card data, your organization will have a very serious data security and compliance headache to address. There are several ways that a data leak could occur. Let’s take a look at some of these:
- Human Error
Human error is a common cause of data leaks and, eventually, security incidents. Unfortunately, many organizations focus on technical issues that cause breaches and are behind in efforts to address human factors by offering Security Awareness Training.
- Insider Threat
An employee or contractor with authorized and privileged access to internal organizational resources is one of the other big reasons for a data leak. The leak itself could be accidental, caused by negligence, or even malicious.
- Malware
Many people mistakenly think that malware causes damage in one, swift shot and then disappears. In reality, some of the most devastating pieces of malware have the ability to lay low and steal data surreptitiously for years before being discovered.
- Unpatched Software
Software and systems that are left unpatched for a long time are a common cause of data breaches. Over time, infrastructures end up riddled with an array of known vulnerabilities that eventually become the source of a data leak.
How to Detect Data Leaks
- Data Breach Assessments
Many sophisticated attacks are programmed so that they go unnoticed for as long as possible. That’s why it’s important to conduct data leak/breach assessments at least once every quarter for large organizations and once every six months for smaller organizations.
- Comprehensive Analysis
Conduct a deep-dive analysis of the processes and services that are running on all critical systems and devices. Also, conduct a comprehensive analysis of network traffic. Warning: The investigation can be a black hole that sucks up time and resources if done in-house. Consider hiring an expert to perform the assessment to save time and money.
- Data Leak Prevention (DLP)
DLP software acts as a barrier between outsiders and sensitive information within the organization. It is also capable of detecting insider threats. It uses several rules to identify confidential data and activities that could lead to accidental disclosures. An investment in a good DLP should be considered as a “must have” in today’s cybersecurity threat landscape.
- Monitor
Internal audits and testing, of course, can detect data leaks. Also, monitor the dark web for traces of your organization’s information. Finding your organization’s information there is a very big red flag.
How to Prevent Data Leaks
Preventing a data leak should be a top priority. Here are some best practices:
- Human Firewalls
Train your people to recognize and avoid hacker lures. All the technical defenses in the world won’t help if just one employee responds to a phishing email or visits a malicious site.
- Regulations
By complying with data protection regulations, organizations establish foundational security and minimize the risk of regulatory penalties. Stay compliant by developing a data security and compliance plan and policies and procedures to support data privacy and security. Build upon that plan as new threats emerge.
- Encryption
Encryption is vital to payment card data security in general. Ensure that you use robust encryption on all machines and devices, including mobile devices.
- Technology
Invest in a robust Data Leak Prevention solution. When deploying your DLP, be sure you understand what data is important for your organization and set up rules in your DLP to protect it.
- Monitor & Track
Don’t let a false sense of security creep into your organization just because you deploy sophisticated cybersecurity software and technologies. Manual monitoring, tracking, and human instinct are still very important pieces of the cyber-defense puzzle. By the same token, never assume that outsourcing information security functions means your data is safe. Your organization is still accountable for compliance.
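As an added example of the kind of rule a DLP deployment applies to card data (this is illustrative code, not from the page or any DLP vendor), the scanner below finds PAN-like digit runs in text, keeps only those that pass the Luhn check so that order numbers and timestamps are not flagged, and masks the rest of each PAN before the text is stored or forwarded. The sample log lines are constructed, and the mask format (first six and last four digits kept) is an assumption for illustration.

```python
"""Minimal DLP-style rule for primary account numbers (PANs) in free text.

Added example, not from the page or any vendor. Detection = regex candidate
+ Luhn check; response = mask the PAN and record a finding for review.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so longer digit runs are skipped).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: line 1 holds an order number (Luhn-invalid) and a valid
# test PAN; line 2 holds a PAN with a wrong check digit; line 3 a dashed PAN.
SAMPLE_LOG = (
    "2024-03-15 order=1234567890123 card=4111 1111 1111 1111 status=ok\n"
    "2024-03-15 card=4111111111111112 status=declined\n"
    "2024-03-15 mc=5555-5555-5555-4444 status=ok"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'.

    The 6/4 format is an assumption chosen for this example."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int     # 1-based line in the scanned text
    start: int       # character offset of the match within the line
    end: int
    masked: str      # what the PAN was replaced with


def scan_text(text: str) -> Tuple[str, List[Finding]]:
    """Return (redacted_text, findings).

    Only Luhn-valid candidates are treated as PANs; everything else is left
    untouched so that the rule produces few false positives on ordinary logs."""
    findings: List[Finding] = []
    out_lines: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def _replace(m: "re.Match[str]") -> str:
            raw = m.group(0)
            digits = re.sub(r"[ -]", "", raw)
            if not luhn_valid(digits):
                return raw
            masked = mask_pan(digits)
            findings.append(Finding(line_no, m.start(), m.end(), masked))
            return masked

        out_lines.append(_CANDIDATE.sub(_replace, line))
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    redacted, found = scan_text(SAMPLE_LOG)
    print(redacted)
    for f in found:
        print(f"line {f.line_no}: PAN at {f.start}-{f.end} masked as {f.masked}")
```

A real deployment would feed the findings to the DLP's alerting path rather than printing them, and would tune the candidate pattern to the separators its own systems emit.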
What to Do If a Credit Card Breach Occurs
The PCI Security Standards Council takes leaks and breaches of payment card data very seriously. Affected organizations must follow a very specific set of steps including engaging a PCI Forensic Investigator (PCI PFI). The PCI PFI conducts a data breach investigation and reports findings to the payment brands, including noting any compliance issues that might have led to the incident.
PCI Forensic Investigators (PFIs) help determine whether a cardholder data compromise occurred and when and how it may have occurred. These PCI Forensic Investigators are qualified by the PCI Council’s program and must work for a Qualified Security Assessor company that provides a dedicated forensic investigation practice. They perform investigations within the financial industry using proven investigative methodologies and tools. They also maintain relationships with law enforcement to support stakeholders with any resulting criminal investigations.
Typically, a merchant’s “acquirer” (payment processor) will notify the merchant of a potential data breach, based on fraudulent transactions tied to the merchant’s customers. In most cases, organizations are required to hire a PFI within prescribed timelines. To maintain independence, the PFI cannot be affiliated with the potentially compromised entity. For example, the PFI cannot have provided PCI QSA audit services, monitoring or network security support, consulting services, etc. to the compromised entity within the past three years.
The PCI Security Standards Council website provides a list of certified PFIs. It’s important to know that not all companies that list themselves as a PCI Qualified Security Assessor (PCI QSA) are automatically approved as PFIs. Only PCI QSA companies that have satisfied additional requirements applicable to PFI Companies and Core Forensic Investigators are eligible to become PFIs. They are then approved by the PCI SSC and listed as approved PFIs.
What To Expect From a PFI During a Data Breach Investigation?
- Investigation
PFIs strictly comply with the Forensic Investigation Guidelines provided by the PCI SSC. They drive and perform all aspects of a data breach investigation. PFIs perform their own investigation and will not accept any reports from an organization’s internal auditors or outside vendors. PFIs provide around-the-clock data breach incident response services for regions in which they operate. PFIs must be able to initiate an investigation within five business days of an agreement being signed.
- Scope
A PFI will determine the scope of the data breach investigation and all relevant sources of evidence. If a PFI thinks that a previously defined scope under the PCI Data Security Standard needs to be expanded, the PFI will do so to find the root cause of the intrusion.
-
Evidence Handling
PFIs strictly comply with evidence-handling standards and procedures that encompass both physical and digital forms of evidence. When a data breach occurs, it could be tempting to reboot your devices, remove suspicious software, and so on with the goal of stemming the proliferation of the data breach across the technical infrastructure. However, remember that preservation of evidence is vital to identify the root cause of the breach, the source of the breach, and, possibly, the infiltrators.
-
Reports
A PFI will first prepare a preliminary incident response report to notify credit card brands of a potential problem. The PFI’s final report will utilize the PCI SSC’s mandatory reporting template. It will be delivered to each payment brand, the compromised entity, and the compromised entity’s affected acquirer(s). These reports should be delivered using a secure connection, encryption via e-mail, and/or other mutually accepted security measures.
-
Discussions
During and after the investigation, PFIs will participate in periodic discussions with all applicable entities under investigation, affected payment brands, and acquirers.
-
Recommendations
PFIs report any deficiencies that were observed in the PCI Data Security Standard requirements that may have contributed to the breach. PFIs also recommend how organizations should prioritize containment activities in order to secure cardholder data. These recommendations are vital to implement as soon as possible to reduce the risk of further data loss.
-
Feedback
Following the PFI investigation, the PFI will request that the compromised entity and affected acquirers submit a feedback report to the PCI SSC. PFIs are subject to a quality assurance program operated by the PCI SSC, and such feedback is used to support and improve this process. The goal of the Quality Assurance Program (sometimes known as the “PFI QA Program”) is to help ensure that PFIs and PFI employees comply with PFI validation requirements, comply with the PFI’s documented processes and procedures, and continually produce high-quality PFI Work Product and related PFI Reports.
PCI Glossary of Terms
Account Data - Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.
Acquirer - Entity, typically a financial institution, that processes payment card transactions for merchants. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.
AOC - Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.
ASV - Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
Cardholder Data - At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also include the full PAN plus any of the following: cardholder name, expiration date and/or security code.
CDE - Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Compensating Controls - Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Go to the PCI website for additional guidance on the use of compensating controls.
Critical Systems and Technologies - A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.
Data-Flow Diagram - A diagram showing how data flows through an application, system, or network.
DSS - Acronym for “Data Security Standard.”
Default Password - Pre-defined password used to access a system, application, or device, usually set by the IT vendor. Default accounts and passwords are published and well known, and are therefore easily guessed.
Encryption - Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Forensics - Also referred to as “computer forensics.” The application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.
Forensic Investigator - PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.
Hacker - A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually this is done in an effort to steal card data.
Information Security - Protection of information to ensure confidentiality, integrity, and availability.
IP - Acronym for “internet protocol.” Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite.
Least Privilege - Providing the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.
Merchant - For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Merchant Bank - A bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Also called an “acquirer,” “acquiring bank,” “card processor,” or “payment processor.” See also Payment Processor.
Monitoring - Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.
Network - Two or more computers connected together via physical or wireless means.
Network Segmentation - Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and, thus, reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.
PAN - Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
Patch - Update to existing software to add functionality or to correct a defect.
Payment Cards - For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.
Payment Processor - Sometimes referred to as “payment gateway” or “payment service provider (PSP)”. Entity engaged by a merchant/entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.
PCI - Acronym for “Payment Card Industry.”
PCI DSS - Acronym for “Payment Card Industry Data Security Standard.”
PCI Compliant - Meeting all applicable requirements of the current PCI DSS on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.
PCI DSS Validated - Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an on-site assessment.
Penetration Test - Penetration tests identify ways to exploit vulnerabilities in order to defeat the security features of system components. Penetration testing includes network and application testing, as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment (internal testing).
Policy - Organization-wide rules governing acceptable use of computing resources and security practices, and guiding the development of operational procedures.
Procedure - Descriptive narrative for a policy. Procedure is the “how to” for a policy and describes how the policy is to be implemented.
PTS - Acronym for “PIN Transaction Security.” PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance at POI terminals. Please refer to www.pcisecuritystandards.org.
Public Network - Network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services to the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies.
QSA - Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments.
Risk Assessment - Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to deploy countermeasures to minimize total exposure.
ROC - Acronym for “Report on Compliance.” Report documenting detailed results from an entity’s PCI DSS assessment.
SAQ - Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.
Scoping - Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
Security Policy - Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Service Provider - Business entity, other than a payment brand, that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS, and other services, as well as hosting providers and other entities.
Threat - Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.
Untrusted Network - Network that is external to the networks belonging to an organization and that is outside of the organization’s ability to control or manage.
Virtual Payment Assistant - A virtual payment terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Vulnerability - Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.
PCI Articles