PCI Compliance

Organizations that store, process or transmit credit card data must comply with the Payment Card Industry Data Security Standard. Get the information you need to comply.

What is PCI?

The PCI (Payment Card Industry) is a sector within the financial industry that is responsible for all electronic payments. As purchases are completed through debit, credit, ATM, POS, prepaid and e-purse systems, sensitive financial data is constantly being transmitted to all parts of the world. As such, strict security measures must be in place in order to protect all users engaging in non-cash exchanges of payment.

To create these standards, the major financial corporations developed the PCI-SSC (Payment Card Industry Security Standards Council) which stands as an independent entity from the top financial brands. The council protects cardholders by setting strict security standards for merchants and for vendors of payment-processing solutions.

What is PCI DSS?

Credit and debit cards fuel global commerce. Unfortunately, they are also lucrative targets for fraudsters. To protect cardholder data, merchants and vendors must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which establishes a baseline level of security for organizations that store, process, or transmit payment card data.

The PCI Data Security Standard has grown significantly in stature and coverage since its early beginnings. PCI DSS requirements are robust and comprehensive. Organizations that invest the time and effort to comply with them will be considerably more secure and protected from cybersecurity threats.

Who Must Comply with PCI DSS?

The term “standard” in the PCI Data Security Standard could lead people to believe that implementing PCI compliance requirements is a “good to have” rather than a “must have or else.” In reality, PCI DSS is as good as a regulation.

Think about it – the credit card companies that issue credit/debit cards to regular folks (your customers) are the ones that will authorize you to process those payment cards. If you haven’t implemented the PCI DSS compliance requirements, the credit card companies won’t let you process their payment cards. What’s more, you could be fined. So, unless you’re planning to run a “cash only” business, the PCI Data Security Standard is not optional.

At a Glance, What are the PCI DSS Requirements?

See the table below to understand your organization’s requirements:

PCI compliance requirements are built around six “control objectives,” and each of these objectives has sub-requirements that organizations must follow. A total of 12 compliance sub-requirements fit into the six control objectives. Here’s a summary:

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  3. Protect stored data.
  4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security.

A Deeper Look at the Requirements

Here’s a bit more explanation about each requirement:

  1. Protect your cardholder data with firewalls. Firewalls are designed to block inbound and outbound network traffic from untrusted networks.
  2. Change vendor-supplied default passwords and configurations. These defaults are freely published online and available for hackers to misuse.
  3. Protect cardholder data at rest using strong encryption, hashes, and/or other methods that are part of industry-accepted best practices.
  4. Protect cardholder data in transit using strong encryption, trusted keys, and trusted digital certificates.
  5. Use anti-virus and anti-malware software to protect all systems, and keep it fully updated at all times with the latest patches and signatures.
  6. Establish a process to identify vulnerabilities in systems and applications so that they can be remediated expeditiously.
  7. Restrict all access to cardholder data by employing the principles of least privilege and “need to know.”
  8. Assign a unique ID to each individual with access to systems and applications so that complete accountability of access is in place.
  9. Use electronic access keys, surveillance and other security measures to restrict physical access to cardholder data and cardholder data systems.
  10. Establish a logging and monitoring mechanism to track access and user activities related to cardholder data and cardholder network resources.
  11. Perform annual penetration tests and comprehensive risk assessments on the cardholder data environment. Perform quarterly vulnerability scans.
  12. Draft, maintain, and disseminate a comprehensive data security policy and update it annually or whenever there is a significant change in the technological/operational
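Requirements 3 and 4 above say “protect cardholder data at rest using strong encryption, hashes” without showing what that looks like in code. The following Python is an added example written for this page (not code from the PCI SSC, a payment brand, or any product) showing the three forms a primary account number (PAN) is usually reduced to before anything is persisted: a masked display form, a truncated storage form, and a keyed hash for equality lookups. The HMAC key constant, the function names and the test card number are constructed for the example; in a real system the key comes from a key-management service. First six/last four is the most PCI DSS allows to be displayed (requirement 3.3).

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed placeholder key for this example only. In production the HMAC key
# is fetched from a key-management service and rotated; it never lives in code.
HASH_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize_pan(pan: str) -> str:
    """Remove spaces and dashes and require 13 to 19 digits (the PAN length range)."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must consist of 13 to 19 digits")
    return digits


def is_well_formed_pan(pan: str) -> bool:
    """Boolean wrapper around normalize_pan for callers that prefer no exception."""
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, everything else masked.
    First six/last four is the maximum PCI DSS allows to be shown (requirement 3.3)."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return normalize_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash (HMAC-SHA256) usable for equality checks such as duplicate detection.
    An unkeyed SHA-256 of a PAN is brute-forceable: for a 16-digit PAN with the
    six-digit issuer prefix known and the Luhn check digit fixed, only about 10**9
    candidates remain per prefix, so the secret key is what makes the hash safe to store."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def record_for_storage(pan: str, expiry: str, cvv: Optional[str] = None) -> Dict[str, str]:
    """Build the only fields that may be persisted after authorization.
    The CVV is sensitive authentication data and must never be stored, so it is
    accepted here only to make the point that it is dropped, never written."""
    del cvv  # discarded on purpose
    return {
        "pan_masked": mask_pan(pan),
        "pan_hmac": hash_pan(pan),
        "expiry": expiry,
    }


if __name__ == "__main__":
    # Constructed input: a well-known Visa test number, not real cardholder data.
    print(record_for_storage("4111 1111 1111 1111", "12/26", cvv="123"))
```

The keyed hash is the detail practitioners most often get wrong: a plain digest of a PAN looks protected but can be reversed by enumerating the small candidate space, which is why the key must be managed like any other cryptographic key.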

How Does Transaction Volume Impact PCI DSS Compliance?

The PCI compliance requirements that apply to organizations depend on how many credit, debit and pre-paid card transactions they process each year. The more transactions, the higher the level of required compliance and compliance validation.

For example, an organization that processes more than 6 million transactions per year will be required to hire a specially trained assessor (PCI QSA) to conduct an audit every year. Organizations that process fewer transactions can skip the audit but must perform quarterly network scans to look for signs of trouble.

At a Glance, What are the PCI Transaction Levels?

LEVEL 1 (transactions per year: more than 6 million)
  • PCI Qualified Security Assessor (PCI QSA) performs annual audit
  • Complete annual Report on Compliance (ROC)
  • Perform quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)
  • Complete the Attestation of Compliance (AOC) form

LEVEL 2 (transactions per year: 1 million to 6 million)
  • Complete Self-Assessment Questionnaire (SAQ)
  • Perform quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)
  • Complete the Attestation of Compliance (AOC) form

LEVEL 3 (transactions per year: 20,000 to 1 million)
  • Complete Self-Assessment Questionnaire (SAQ)
  • Perform quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)
  • Complete the Attestation of Compliance (AOC) form

LEVEL 4 (transactions per year: fewer than 20,000)
  • Complete Self-Assessment Questionnaire (SAQ)
  • Perform quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)
  • Complete the Attestation of Compliance (AOC) form

What are the Critical Components of PCI DSS Compliance?

Let’s dig deeper into these PCI compliance requirements, so that you have a jargon-free understanding of them.

  • Annual Audit

    If you’re at PCI compliance level 1, you need to have an independent, third-party audit performed by a PCI certified Qualified Security Assessor (PCI QSA). This is a highly technical and specialized audit where the auditor performs configuration-level cybersecurity assessments of your technical infrastructure. The PCI Council website has a list of approved PCI QSA companies that can be searched by place of business, countries served, and other such criteria.

  • Quarterly Network Scans

    Regardless of your PCI compliance level, you’ll need to have an independent, third-party network vulnerability scan performed by a PCI certified Approved Scanning Vendor (PCI ASV). These vulnerability scans need to be performed once per quarter.

  • Self-Assessment Questionnaire

    An organization at a PCI compliance level of 2 or below must complete a Self-Assessment Questionnaire (SAQ). As the name suggests, the SAQ is a self-assessment tool filled out by the merchant. There are different SAQs for different environments, and you must select the one that applies to your organization. The SAQ essentially consists of yes/no questions that correspond to each of the PCI compliance requirements. When you select “no” as an answer for any of the requirements, you may need to describe in detail the remediation steps and associated timelines.

  • Report on Compliance

    A Report on Compliance (ROC) is filled out by a PCI QSA after completion of an organization’s annual PCI compliance audit. The ROC contains detailed audit findings and can run hundreds of pages. It is submitted to the merchant’s acquirer (a bank or financial institution that processes payments on behalf of a merchant). The acquirer, in turn, accepts the ROC and then sends it for verification to the payment brand(s).

  • Attestation of Compliance

    The Attestation of Compliance (AOC) is a form that attests to the results of a PCI compliance assessment. The AOC is typically completed by a PCI QSA and can be used by merchants and service providers to show proof of compliance. The AOC form differs based on the type of SAQ that applies to your organization.

  • Special Situations

    There can be exceptions to the PCI compliance levels. For instance, a merchant that has experienced a breach that compromised payment card data is deemed to be at PCI compliance level 1. In such a situation, even a PCI compliance level 4 organization would have to comply with the requirements of PCI compliance level 1. If you believe that your organization may operate under a unique set of circumstances, it’s best to get in touch with a PCI QSA to identify your precise path to PCI compliance.

How to Select a PCI QSA Company

The annual PCI compliance audit must be performed by a Payment Card Industry Qualified Security Assessor (PCI QSA) company. A PCI QSA is certified by the PCI Security Standards Council to audit merchants for PCI DSS compliance. The PCI Security Standards Council maintains a list of all the individuals and companies that have successfully completed training and certification as a PCI QSA.

While the PCI compliance audit typically applies to PCI level 1 compliance entities, organizations that need to complete a self-assessment questionnaire (SAQ) can also greatly benefit from the expertise of a PCI QSA company. Regardless of PCI compliance level, a good PCI QSA company can help all organizations understand compliance requirements in the light of business and operational goals and provide invaluable guidance. The PCI Security Standards Council website provides a list of certified PCI QSAs.

Here are some tips to select the right PCI QSA company for your organization:

Background Research

Research the PCI QSA company thoroughly – number of years of experience, past and current clients, industry experience, technical certifications, client references, and so on. A PCI QSA’s experience in the same industry as yours is important since each industry has unique challenges, technical environments, and operational realities.

Approach

Understand beforehand how the PCI QSA company approaches the audit process. A collaborative approach works best. The PCI QSA should gain an in-depth understanding of your business - its strengths and its eccentricities. That way, the PCI QSA can view the PCI compliance requirements in the context of your business and operational environment.

Scoping

The PCI Security Standards Council makes it a PCI QSA’s responsibility to confirm the scope of a PCI compliance audit. A good PCI QSA will look for opportunities to reduce the complexity of the compliance scope to save time, money and resources.

Post-Audit Assistance

After an audit, you may be left with a full plate of remediation items to address within short timeframes. A good PCI QSA will provide clients with post-audit assistance and answer specific remediation questions that may arise.

It’s Time to Fill Out Your SAQ. Which Type Applies?

A

Applicable to card-not-present merchants (mail/telephone-order or e-commerce) who have completely outsourced all cardholder data processing to a third-party vendor and do not store, process or transmit any cardholder data on their systems or premises. In this case, the third-party vendor needs to be PCI DSS compliant.

A-EP

Applicable to all e-commerce merchants who partially outsource all payment processing to a PCI DSS compliant

B

Applicable to merchants who do not store any electronic cardholder data and process payments either via standalone

B-IP

Applicable to merchants who process online payments using only standalone, PTS-approved payment terminals

C

Applicable to merchants with payment application systems connected to the Internet and no electronic cardholder data storage.

C-VT

Applicable to merchants who externally host a web payment application hosted by a PCI DSS validated third-party service provider. These types of merchants use a virtual payment terminal solution with no electronic cardholder data storage.

P2PE

Applicable to merchants who process card data only via payment terminals included in a validated and PCI SSC-listed Point-to-Point Encryption (P2PE) solution. No electronic cardholder data storage.

D

Applicable to all merchants not included in descriptions for the above SAQ types. Applicable to all service providers defined by a payment brand as eligible to complete an SAQ.

What is a PCI Compliance Scan?

Regardless of your PCI compliance level, your organization must undergo a quarterly PCI compliance scan to identify cybersecurity threats in your systems and network. Insights from the scan can be used to enhance protection of the cardholder data environment (CDE) against malicious attacks.

PCI Requirement 11.2 requires that organizations run internal and external network vulnerability scans at least quarterly and also after any significant changes in the network. These scans involve a combination of automated and manual tools/techniques that assess how well-protected your organization’s networks are from cyberattacks.

The PCI DSS requires that quarterly PCI compliance scans be performed by an independent third party, also known as a PCI certified Approved Scanning Vendor (PCI ASV).

Benefits of a PCI Compliance Scan

  • Identifies the low-hanging fruit that hackers often exploit such as open ports, default credentials, weak passwords, outdated infrastructure, and security configuration errors.
  • Identifies vulnerabilities introduced into the cardholder data environment due to unauthorized changes or system modifications, such as a firewall rule change.
  • Identifies missing patches and updates in systems and software.
  • Simulates real-life hacker probes at a network level, both external and internal.
  • Provides quarterly report of actionable and quantifiable items to top management, showing whether an organization’s cybersecurity posture is progressing in a timely manner.

How to Choose a good PCI ASV Company

Given the sensitive nature of the activities that a PCI compliance scan entails, organizations need to evaluate key aspects before entrusting their systems to an external vendor.

Identify whether the PCI ASV has in-depth cybersecurity experience and expertise. Are they also a PCI Qualified Security Assessor (PCI QSA)? Have they performed several PCI compliance audits? Do their certified experts have experience that spans across multiple industries and diverse environments?

Ask how the PCI ASV plans to keep your data and cardholder data environment secure during testing.

Review sample reports to identify if the PCI ASV understands how to make risk-based, prioritized recommendations. A good PCI compliance scan report will ideally include: an executive summary highlighting the organization’s overall security posture; a technical section detailing identified vulnerabilities; and comprehensive recommendations on how to remediate those vulnerabilities.

Verify that the PCI ASV uses industry best practices and testing methodologies based on internationally respected models. Ensure that the PCI ASV uses a combination of both automated and manual methods/tools for PCI compliance scans. This is important because automated tools may generate several false positives. The PCI ASV needs to manually weed these out to save time and effort.

Lastly, make sure that the PCI ASV offers retests to validate your remediation efforts.

What are Common Causes of Data Leaks?

A data leak is bad news for any organization. It’s typically a precursor to a large-scale data breach that will escalate quickly. If the leaked data is related to credit-card data, your organization will have a very serious data security and compliance headache to address.

There are several ways that a data leak could occur. Let’s take a look at some of these:

  • Human Error

    Human error is a common cause of data leaks and, eventually, security incidents. Unfortunately, many organizations focus on technical issues that cause breaches and are behind in efforts to address human factors by offering Security Awareness Training.

  • Insider Threat

    An employee or contractor with authorized and privileged access to internal organizational resources is one of the other big reasons for a data leak. The leak itself could be accidental, caused by negligence, or even malicious.

  • Malware

    Many people mistakenly think that malware causes damage in one swift shot and then disappears. In reality, some of the most devastating pieces of malware have the ability to lie low and steal data surreptitiously for years before being discovered.

  • Unpatched Software

    Software and systems that are left unpatched for a long time are a common cause of data breaches. Over time, infrastructures end up riddled with an array of known vulnerabilities that eventually become the source of a data leak.

How to Detect Data Leaks

  • Data Breach Assessments

    Many sophisticated attacks are programmed so that they go unnoticed for as long as possible. That’s why it’s important to conduct data leak/breach assessments at least once every quarter for large organizations and once every six months for smaller organizations.

  • Comprehensive Analysis

    Conduct a deep-dive analysis of the processes and services that are running on all critical systems and devices. Also, conduct a comprehensive analysis of network traffic. Warning: The investigation can be a black hole that sucks up time and resources if done in-house. Consider hiring an expert to perform the assessment to save time and money.

  • Data Leak Prevention (DLP)

    DLP software acts as a barrier between outsiders and sensitive information within the organization. It is also capable of detecting insider threats. It uses several rules to identify confidential data and activities that could lead to accidental disclosures. An investment in a good DLP should be considered as a “must have” in today’s cybersecurity threat landscape.

  • Monitor

    Internal audits and testing, of course, can detect data leaks. Also, monitor the dark web for traces of your organization’s information. Finding your organization’s information there is a very big red flag.
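The DLP bullet above says such software “uses several rules to identify confidential data” without showing what a rule looks like. The Python below is an added example written for this page (not the original page’s code, nor any DLP product’s rule engine) of the most basic cardholder-data rule: pull 13-to-19-digit candidates out of text, keep only those that pass the Luhn checksum so that order numbers and session tokens are not flagged, and mask each hit for reporting or redaction. The log lines are constructed for the example and use public test card numbers; the function names are this example’s own.

```python
import re
from typing import Dict, List, Tuple

# A candidate is 13 to 19 digits, each optionally followed by a single space or
# dash, and not adjacent to other digits (so a longer serial number is not split).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed application log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2024-03-02T10:15:31Z INFO  checkout start order=20240302001 amount=49.90",
    "2024-03-02T10:15:32Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/26",
    "2024-03-02T10:15:33Z WARN  retry with session token=1234567890123456",
    "2024-03-02T10:15:34Z ERROR auth declined pan=5555-5555-5555-4444 code=05",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: double every second digit from
    the right, subtract 9 when the doubled value exceeds 9, and require the sum
    to be divisible by 10. Filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_of(token: str) -> str:
    """Strip the separators a candidate may contain."""
    return re.sub(r"[ -]", "", token)


def mask(digits: str) -> str:
    """First six and last four visible, the middle replaced, for safe reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return each Luhn-valid card-number-like token in the text, already masked,
    with its character offsets so a reviewer can locate it without seeing the PAN."""
    findings: List[Dict[str, object]] = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_of(m.group(0))
        if luhn_valid(digits):
            findings.append({"masked": mask(digits), "start": m.start(), "end": m.end()})
    return findings


def redact(text: str) -> str:
    """Rewrite the text with every detected PAN masked so the log line can be kept."""
    def _replace(m: "re.Match[str]") -> str:
        digits = _digits_of(m.group(0))
        return mask(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_replace, text)


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the detector over a log, returning (line number, masked PAN) hits."""
    return [(n, str(f["masked"])) for n, line in enumerate(lines, 1) for f in find_pans(line)]


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cardholder data found -> {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Run against SAMPLE_LOG, lines 2 and 4 are reported and line 3 is not: its 16-digit token fails the Luhn check, which is exactly the false positive a digit-only pattern would raise. A real rule set adds context (field names, file types, destinations) and handles encodings, but the Luhn filter is the piece that separates cardholder data from ordinary numbers.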

How to Prevent Data Leaks

Preventing a data leak should be a top priority. Here are some best practices:

  • Human Firewalls

    Train your people to recognize and avoid hacker lures. All the technical defenses in the world won’t help if just one employee responds to a phishing email or visits a malicious site.

  • Regulations

    By complying with data protection regulations, organizations establish foundational security and minimize the risk of regulatory penalties. Stay compliant by developing a data security and compliance plan and policies and procedures to support data privacy and security. Build upon that plan as new threats emerge.

  • Encryption

    Encryption is vital to payment card data security in general. Ensure that you use robust encryption on all machines and devices, including mobile devices.

  • Technology

    Invest in a robust Data Leak Prevention solution. When deploying your DLP, be sure you understand what data is important for your organization and set up rules in your DLP to protect it.

  • Monitor & Track

    Don’t let a false sense of security creep into your organization just because you deploy sophisticated cybersecurity software and technologies. Manual monitoring, tracking, and human instinct are still very important pieces of the cyber-defense puzzle. By the same token, never assume that outsourcing information security functions means your data is safe. Your organization is still accountable for compliance.

What to Do If a Credit Card Breach Occurs

The PCI Security Standards Council takes leaks and breaches of payment card data very seriously. Affected organizations must follow a very specific set of steps including engaging a PCI Forensic Investigator (PCI PFI). The PCI PFI conducts a data breach investigation and reports findings to the payment brands, including noting any compliance issues that might have led to the incident.

PCI Forensic Investigators (PFIs) help determine the occurrence of a cardholder data compromise and when and how it may have occurred. These PCI Forensic Investigators are qualified by the PCI Council’s program and must work for a Qualified Security Assessor company that provides a dedicated forensic investigation practice. They perform investigations within the financial industry using proven investigative methodologies and tools. They also provide relationships with law enforcement to support stakeholders with any resulting criminal investigations.

Typically, a merchant’s “acquirer” (payment processor) will notify the merchant of a potential data breach, based on fraudulent transactions tied to the merchant’s customers. In most cases, organizations are required to hire a PFI within prescribed timelines. To maintain independence, the PFI cannot be affiliated with the potentially compromised entity. For example, the PFI cannot have provided PCI QSA audit services, monitoring or network security support, consulting services, etc. to the compromised entity within the past three years.

The PCI Security Standards Council website provides a list of certified PFIs. It’s important to know that not all companies that list themselves as a PCI Qualified Security Assessor (PCI QSA) are automatically approved as PFIs. Only PCI QSA companies that have satisfied additional requirements applicable to PFI Companies and Core Forensic Investigators are eligible to become PFIs. They are then approved by the PCI SSC and listed as approved PFIs.

What To Expect From a PFI During a Data Breach Investigation?

  • Investigation

    PFIs strictly comply with the Forensic Investigation Guidelines provided by the PCI SSC. They drive and perform all aspects of a data breach investigation. PFIs perform their own investigation and will not accept any reports from an organization’s internal auditors or outside vendors. PFIs provide around-the-clock data breach incident response services for regions in which they operate. PFIs must be able to initiate an investigation within five business days of an agreement being signed.

  • Scope

    A PFI will determine the scope of the data breach investigation and all relevant sources of evidence. If a PFI thinks that a previously defined scope under the PCI Data Security Standard needs to be expanded, the PFI will do so to find the root cause of the intrusion.

  • Evidence Handling

    PFIs strictly comply with evidence-handling standards and procedures that encompass both physical and digital forms of evidence. When a data breach occurs, it could be tempting to reboot your devices, remove suspicious software, and so on with the goal of stemming the proliferation of the data breach across the technical infrastructure. However, remember that preservation of evidence is vital to identify the root cause of the breach, the source of the breach, and, possibly, the infiltrators.

  • Reports

    A PFI will first prepare a preliminary incident response report to notify credit card brands of a potential problem. The PFI’s final report will utilize the PCI SSC’s mandatory reporting template. It will be delivered to each payment brand, the compromised entity, and the compromised entity’s affected acquirer(s). These reports should be delivered using a secure connection, encryption via e-mail, and/or other mutually accepted security measures.

  • Discussions

    During and after the investigation, PFIs will participate in periodic discussions with all applicable entities under investigation, affected payment brands, and acquirers.

  • Recommendations

    PFIs report any deficiencies that were observed in the PCI Data Security Standard requirements that may have contributed to the breach. PFIs also recommend how organizations should prioritize containment activities in order to secure cardholder data. These recommendations are vital to implement as soon as possible to reduce the risk of further data loss.

  • Feedback

    Following the PFI investigation, the PFI will request that the compromised entity and affected acquirers submit a feedback report to the PCI SSC. PFIs are subject to a quality assurance program operated by the PCI SSC, and such feedback is used to support and improve this process. The goal of the Quality Assurance Program (sometimes known as the “PFI QA Program”) is to help ensure that PFIs and PFI employees comply with PFI validation requirements, comply with the PFI’s documented processes and procedures, and continually produce high-quality PFI Work Product and related PFI Reports.

PCI Glossary of Terms

Account Data - Account data consists of cardholder data and/or sensitive authentication data. See Cardholder Data and Sensitive Authentication Data.

Acquirer - Entity, typically a financial institution, that processes payment card transactions for merchants. Acquirers are subject to payment brand rules and procedures regarding merchant compliance. See also Payment Processor.

AOC - Acronym for “attestation of compliance.” The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

ASV - Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.

Cardholder Data - At a minimum, cardholder data consists of the full Primary Account Number (PAN). Cardholder data may also include the full PAN plus any of the following: cardholder name, expiration date and/or security code.

CDE - Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

Compensating Controls - Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must: (1) Meet the intent and rigor of the original PCI DSS requirement; (2) Provide a similar level of defense as the original PCI DSS requirement; (3) Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and (4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. Go to the PCI website for additional guidance on the use of compensating controls.

Critical Systems and Technologies - A system or technology that is deemed by the entity to be of particular importance. For example, a critical system may be essential for the performance of a business operation or for a security function to be maintained. Examples of critical systems often include security systems, public-facing devices and systems, databases, and systems that store, process, or transmit cardholder data. Considerations for determining which specific systems and technologies are critical will depend on an organization’s environment and risk-assessment strategy.

Data-Flow Diagram - A diagram showing how data flows through an application, system, or network.

DSS - Acronym for “Data Security Standard.”

Default Password - Pre-defined password to access a system, application, or device, usually set up by the IT vendor. Default accounts and passwords are published and well known, and therefore easily guessed.

Encryption - Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.

Forensics - Also referred to as “computer forensics.” The application of investigative tools and analysis techniques to gather evidence from computer resources to determine the cause of data compromises.

Forensic Investigator - PCI Forensic Investigators (PFIs) are companies approved by the PCI Council to help determine when and how a card data breach occurred. They perform investigations within the financial industry using proven investigative methodologies and tools. They also work with law enforcement to support stakeholders with any resulting criminal investigations.

Hacker - A person or organization that attempts to circumvent security measures of computer systems to gain control and access. Usually this is done in an effort to steal card data.

Information Security - Protection of information to ensure confidentiality, integrity, and availability.

IP - Acronym for “internet protocol.” Network-layer protocol containing address information and some control information that enables packets to be routed and delivered from the source host to the destination host. IP is the primary network-layer protocol in the Internet protocol suite.

Least Privilege - Providing the minimum access and/or privileges necessary to perform the roles and responsibilities of the job function.

Merchant - For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Merchant Bank - A bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Also called an “acquirer,” “acquiring bank,” “card processor,” or “payment processor.” See also Payment Processor.

Monitoring - Use of systems or processes that constantly oversee computer or network resources for the purpose of alerting personnel in case of outages, alarms, or other predefined events.

Network - Two or more computers connected together via physical or wireless means.

Network Segmentation - Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not. Adequate network segmentation may reduce the scope of the cardholder data environment and, thus, reduce the scope of the PCI DSS assessment. See the Network Segmentation section in the PCI DSS Requirements and Security Assessment Procedures for guidance on using network segmentation. Network segmentation is not a PCI DSS requirement.

PAN - Acronym for “primary account number” and also referred to as “account number.” Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

Patch - Update to existing software to add functionality or to correct a defect.

Payment Cards - For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc.

Payment Processor - Sometimes referred to as “payment gateway” or “payment service provider (PSP)”. Entity engaged by a merchant/entity to handle payment card transactions on their behalf. While payment processors typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand. See also Acquirer.

PCI - Acronym for “Payment Card Industry.”

PCI DSS - Acronym for “Payment Card Industry Data Security Standard.”

PCI Compliant - Meeting all applicable requirements of the current PCI DSS, on a continuous basis via a business-as-usual approach. Compliance is assessed and validated at a single point in time; however, it is up to each merchant to continuously follow the requirements in order to ensure robust security. Merchant banks and/or the payment brands may have requirements for formal annual validation of PCI DSS compliance.

PCI DSS Validated - Providing proof that all applicable PCI DSS requirements are met at a single point in time. Depending on specific merchant bank and/or payment brand requirements, validation can be achieved through the applicable PCI DSS Self-Assessment Questionnaire or by a Report on Compliance resulting from an on-site assessment.

Penetration Test - Penetration tests identify ways to exploit vulnerabilities in order to defeat the security features of system components. Penetration testing includes network and application testing, as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment (internal testing).

Policy - Organization-wide rules governing acceptable use of computing resources, security practices, and guiding development of operational procedures.

Procedure - Descriptive narrative for a policy. Procedure is the “how to” for a policy and describes how the policy is to be implemented.

PTS - Acronym for “PIN Transaction Security.” PTS is a set of modular evaluation requirements, managed by the PCI Security Standards Council, for PIN acceptance at point-of-interaction (POI) terminals. Please refer to www.pcisecuritystandards.org.

Public Network - Network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies.

QSA - Acronym for “Qualified Security Assessor.” QSAs are qualified by PCI SSC to perform PCI DSS on-site assessments.

Risk Assessment - Process that identifies valuable system resources and threats; quantifies loss exposures based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to deploy countermeasures to minimize total exposure.

ROC - Acronym for “Report on Compliance.” Report documenting detailed results from an entity’s PCI DSS assessment.

SAQ - Acronym for “Self-Assessment Questionnaire.” Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

Scoping - Process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review.
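The PAN entry above says the number “identifies the issuer and the particular cardholder account,” and the Scoping entry says the first step of an assessment is finding every place such data lives. The following is an added example, not part of the page’s glossary and not PCI SSC code, that puts the two together: it validates candidate numbers with the Luhn check digit that every PAN carries, identifies the brand from the well-known leading-digit (IIN) ranges of the five founding brands, renders the PAN in the first-six/last-four display mask that PCI DSS 3.2.1 Requirement 3.3 allows, and scans constructed log lines for PANs the way a scoping discovery pass would. The log lines, the helper names and the brand table are this example’s own assumptions; the card numbers are the public test numbers, not real accounts.

```python
import re

# Constructed sample log lines for this example (made up; not real data and not from the page).
SAMPLE_LOG = [
    "2024-03-02 10:14:07 web-1 order=8812 card=4111 1111 1111 1111 total=49.99",
    "2024-03-02 10:14:09 web-1 user=alice pan=6011111111111117 ref=378282246310005",
    "2024-03-02 10:14:11 web-1 trace=4111111111111112 session=12345678901234567890",
]


def luhn_valid(digits):
    """Luhn check (ISO/IEC 7812) that every PAN satisfies; rejects random digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan):
    """Map the leading digits (IIN) and length to one of the five PCI SSC founding brands.
    Ranges are the publicly documented ones; this table is an assumption of the example."""
    n = len(pan)
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "MasterCard"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (p4 == 6011 or 644 <= p3 <= 649 or p2 == 65) and 16 <= n <= 19:
        return "Discover"
    if 3528 <= p4 <= 3589 and 16 <= n <= 19:
        return "JCB"
    return None


def mask_pan(pan):
    """Display mask: at most the first six and last four digits (PCI DSS 3.2.1 Req. 3.3)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_for_pans(lines):
    """Return (line_number, brand, masked_pan) for every Luhn-valid PAN found in the lines.
    Candidates that fail Luhn (e.g. trace IDs) and digit runs longer than 19 are ignored."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if luhn_valid(pan):
                hits.append((n, card_brand(pan) or "unknown", mask_pan(pan)))
    return hits


if __name__ == "__main__":
    # A file that produces hits is storing or transmitting PAN and belongs in the CDE scope.
    for line_no, brand, masked in scan_for_pans(SAMPLE_LOG):
        print(f"line {line_no}: {brand} PAN {masked}")
```

Only the masked form is ever printed or stored by the scanner; a discovery tool that logs the PANs it finds creates exactly the new in-scope location it was meant to detect.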

Security Policy - Set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Service Provider - Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.

Threat - Condition or activity that has the potential to cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible, or otherwise affected to the detriment of the organization.

Untrusted Network - Network that is external to the networks belonging to an organization and that is outside of the organization’s ability to control or manage.

Virtual Payment Terminal - Web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Vulnerability - Flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system.

PCI Articles

How businesses can calculate the cost of PCI DSS compliance

PCI compliance is a significant endeavor. It requires a substantial amount of time, money, and expertise to complete. To start with, companies must define the cardholder data environment (CDE) – those areas that touch or …

PCI DSS v4.0 – What you need to know now

Some clients are already asking what to expect when the next version of the Payment Card Industry Data Security Standard is released next year. That’s no surprise, since decisions that are being made now by …

FAQ on PCI DSS Certification

The credit card and debit card data that power global transactions are a prime target for hackers. To ensure merchants and organizations protect this sensitive information, the Payment Card Brands (Visa, Mastercard etc.) established the …
