PCI Quick Reference Guide
- 5. This Guide provides supplemental information that does not replace or supersede PCI DSS version 1.2 documents.
The intent of this PCI Quick Reference Guide is to help you understand the PCI DSS and to apply it to your payment card transaction environment.

There are three ongoing steps for adhering to the PCI DSS: Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate — fixing vulnerabilities and not storing cardholder data unless you need it. Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.

PCI DSS follows commonsense steps that mirror best security practices. The DSS globally applies to all entities that store, process or transmit cardholder data. PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
[Figure: "PCI compliance is a continuous process" cycle of Assess, Remediate and Report, with a diagram of POS, Merchant, Acquirer and Service Provider connected over the Internet, public networks and wireless.]
Overview of PCI Requirements
- 14.
Protect Cardholder Data

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Organizations accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.

Requirement 3: Protect stored cardholder data

In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).

3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy.

3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below.

3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt.

3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.)
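Requirements 3.3 and 3.4 are easy to state and easy to get subtly wrong in code, so here is an added example (not from the Guide or the PCI SSC) of the display mask, two of the 3.4 storage techniques (truncation and a one-way keyed hash), and a scrubber that applies the mask to PANs that leak into log lines. The sample PAN and the log line are constructed; the HMAC key is an assumption standing in for a key managed under 3.5/3.6.

```python
import hashlib
import hmac
import re

# Constructed sample PAN, not a real account; it passes a Luhn check so it
# exercises the same paths a real number would.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: show at most the first six and the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4, truncation: keep only the last four digits for storage."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Requirement 3.4, one-way hash: keyed SHA-256 (HMAC) of the PAN.

    An unkeyed hash of a PAN is weak because the set of valid PANs behind a
    known BIN is small enough to enumerate; keying the hash with a secret
    kept under 3.5/3.6 removes that shortcut. Key handling is assumed here.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


# A run of 13 to 19 digits not adjacent to other digits.
_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Requirement 3.4 ('in logs'): mask Luhn-valid digit runs before they are written."""
    def _sub(match):
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _PAN_RUN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed log line for the demonstration.
    line = "2009-06-01T10:00:00Z auth ok pan=4111111111111111 order=1234567890123"
    print(mask_pan(SAMPLE_PAN))
    print(truncate_pan(SAMPLE_PAN))
    print(tokenize_pan(SAMPLE_PAN, b"example-key"))
    print(redact_pans(line))
```

The Luhn filter keeps the log scrubber from masking order numbers and timestamps that happen to be 13 or more digits long; it is a heuristic, so the better control is still not writing the PAN to the log in the first place.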
ENCRYPTION PRIMER

Cryptography uses a mathematical formula to render plaintext data unreadable to people without special knowledge (called a "key"). Cryptography is applied to stored data as well as data transmitted over a network.

Encryption changes plaintext into ciphertext.

Decryption changes ciphertext back into plaintext.

Illustration: Wikimedia Commons
- 15.
3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse.

3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.

Guidelines for Cardholder Data Elements

Data Element                        Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data
  Primary Account Number (PAN)      Yes                 Yes                   Yes
  Cardholder Name [1]               Yes                 Yes [1]               No
  Service Code [1]                  Yes                 Yes [1]               No
  Expiration Date [1]               Yes                 Yes [1]               No
Sensitive Authentication Data [2]
  Full Magnetic Stripe Data [3]     No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                No                  N/A                   N/A
  PIN/PIN Block                     No                  N/A                   N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
- 16.
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cybercriminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person.

4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g., Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010.

4.2 Never send unencrypted PANs by end user messaging technologies.
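"Strong cryptography and security protocols" in 4.1 is only met when the client both encrypts and authenticates the far end. The following is an added example (not from the Guide) using Python's standard `ssl` module: a client context that enforces TLS 1.2 or later with certificate and hostname verification, shown beside the weak pattern that encrypts but verifies nothing. `open_channel` is an illustrative helper and the host it would connect to is whatever the caller supplies.

```python
import socket
import ssl
from typing import Tuple


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and requires a valid certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The pattern to avoid: traffic is encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Policy check a deployment could run at start-up before sending cardholder data."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_channel(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Open a verified TLS connection and report the negotiated version and cipher (hypothetical helper)."""
    ctx = hardened_client_context()
    if not context_is_acceptable(ctx):
        raise RuntimeError("TLS policy not satisfied")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

The check function is the useful part operationally: it turns the 4.1 expectation into something a start-up self-test or a code review can assert, rather than relying on the default behaviour of whichever library version happens to be installed.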
Maintain a Vulnerability Management Program

Vulnerability management is the process of systematically and continuously finding weaknesses in an organization's payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Requirement 5: Use and regularly update anti-virus software or programs

Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities. Anti-virus software must be used on all systems affected by malware to protect systems from current and evolving malicious software threats.

VULNERABILITY MANAGEMENT
• Create policy governing security controls according to industry standard best practices (e.g., IEEE 802.11ix)
• Regularly scan systems for vulnerabilities
• Create remediation schedule based on risk and priority
• Pre-test and deploy patches
• Rescan to verify compliance
• Update security software with the most current signatures and technology
• Use only software or systems that were securely developed by industry standard best practices
- 22.
10.3 Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.

10.4 Synchronize all critical system clocks and times.

10.5 Secure audit trails so they cannot be altered.

10.6 Review logs for all system components related to security functions at least daily.

10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.
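Requirements 10.3 and 10.5 together describe an audit record with a fixed minimum content that must also be tamper-evident. This added example (not from the Guide) validates entries against the six 10.3 fields and links records with an HMAC chain so that altering or reordering any stored record breaks verification. The key, hostnames, user names and timestamps are constructed; the assumption that the key lives on a separate log collector rather than on the host writing the entries is what gives the chain its value under 10.5.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Minimum content of an audit entry under 10.3.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "outcome", "origin", "affected_resource")

# Assumption for the example: the MAC key is held by the log collector, not on the
# hosts that generate entries, so a compromised host cannot recompute the chain.
DEMO_KEY = b"constructed-demo-key"


def make_entry(user_id: str, event_type: str, timestamp: str, outcome: str,
               origin: str, affected_resource: str) -> Dict[str, str]:
    """Build an entry carrying every field 10.3 requires at a minimum."""
    return {"user_id": user_id, "event_type": event_type, "timestamp": timestamp,
            "outcome": outcome, "origin": origin, "affected_resource": affected_resource}


def validate_entry(entry: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the entry satisfies 10.3."""
    problems = ["missing " + f for f in REQUIRED_FIELDS if not entry.get(f)]
    if entry.get("outcome") not in ("success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def _mac(prev_mac: str, entry: Dict[str, str], key: bytes) -> str:
    # Canonical JSON so the same entry always produces the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], entry: Dict[str, str], key: bytes = DEMO_KEY) -> None:
    """Append an entry whose MAC also covers the previous MAC (tamper evidence for 10.5)."""
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    prev_mac = chain[-1]["mac"] if chain else "0" * 64
    chain.append({"entry": entry, "mac": _mac(prev_mac, entry, key)})


def verify_chain(chain: List[Dict], key: bytes = DEMO_KEY) -> Tuple[bool, Optional[int]]:
    """Recompute every MAC; return (ok, index of the first altered or reordered record)."""
    prev_mac = "0" * 64
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(rec["mac"], _mac(prev_mac, rec["entry"], key)):
            return False, i
        prev_mac = rec["mac"]
    return True, None


def demo() -> Tuple[Tuple[bool, Optional[int]], Tuple[bool, Optional[int]]]:
    """Constructed sample: two login records, then a silent edit to the first one."""
    chain: List[Dict] = []
    append_entry(chain, make_entry("jsmith", "login", "2009-06-01T09:00:00Z",
                                   "failure", "10.0.0.5", "pos-server-1"))
    append_entry(chain, make_entry("jsmith", "login", "2009-06-01T09:00:30Z",
                                   "success", "10.0.0.5", "pos-server-1"))
    before = verify_chain(chain)
    chain[0]["entry"]["outcome"] = "success"   # the failed attempt is rewritten after the fact
    after = verify_chain(chain)
    return before, after
```

A chain like this detects edits and reordering but not removal of the newest records, so in practice the last MAC (or the whole stream) is forwarded promptly to a separate log server, which is the usual way 10.5 is met; the synchronized clocks of 10.4 are what make the timestamps in these entries comparable across systems.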
Requirement 11: Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.

11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly, or deploying a wireless IDS/IPS to identify all wireless devices in use.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. ASVs are not required to perform internal scans.

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification, including network- and application-layer penetration tests.

SEVERITY LEVELS FOR VULNERABILITY SCANNING
5 Urgent: Trojan horses; file read and write exploit; remote command execution
4 Critical: Potential Trojan horses; file read exploit
3 High: Limited exploit of read; directory browsing; DoS
2 Medium: Sensitive configuration information can be obtained by hackers
1 Low: Information can be obtained by hackers on configuration

"To be considered compliant, a component must not contain vulnerabilities assigned Level 3, 4, or 5. To be considered compliant, all components within the customer infrastructure must be compliant. The scan report must not include any vulnerabilities that indicate features or configurations that may violate PCI DSS requirements."
- 23.
11.4 Use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. IDS/IPS engines must be kept up to date.

11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.
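The "critical file comparison" in 11.5 is a baseline of digests plus a later re-scan that reports what changed. This added example (not from the Guide, and not a substitute for a full FIM product) implements that comparison in the Python standard library: it snapshots digest, size and permission bits for every file under a root, then classifies differences as modified, added or removed. The directory contents it scans are constructed inside a temporary folder so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Snapshot:
    """Record digest, size and permission bits for every regular file under root."""
    baseline: Snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify the differences between an earlier and a later snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed files in a temporary directory: one edited, one added, one removed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("log_level=info\n")
        (root / "etc" / "old.conf").write_text("legacy=1\n")
        (root / "bin" / "pos").write_bytes(b"\x7fELF constructed binary")
        baseline = build_baseline(root)

        # Changes a weekly comparison should surface.
        (root / "etc" / "app.conf").write_text("log_level=info\nallow_remote=1\n")
        (root / "etc" / "old.conf").unlink()
        (root / "bin" / "helper").write_bytes(b"unexpected")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is stored where the monitored host cannot rewrite it (a separate server, or at least signed), and "at least weekly" is the floor the requirement sets, not a recommendation; change windows for the files in scope are a sensible trigger for an extra run.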
Maintain an Information Security Policy

A strong security policy sets the tone for security affecting an organization's entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.

Requirement 12: Maintain a policy that addresses information security for employees and contractors

12.1 Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements, includes an annual process for identifying vulnerabilities and formally assessing risks, and includes a review at least once a year and when the environment changes.

12.2 Develop daily operational security procedures that are consistent with requirements in PCI DSS.

12.3 Develop usage policies for critical employee-facing technologies to define their proper use for all employees and contractors. These include remote access, wireless, removable electronic media, laptops, handheld devices, email and Internet.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.

"PCI DSS represents the best available framework to guide better protection of cardholder data. It also presents an opportunity to leverage cardholder data security achieved through PCI DSS compliance for better protection of other sensitive business data – and to address compliance with other standards and regulations."
Aberdeen Group, IT Industry Analyst
- 29.
Web Resources

Reporting

Reports are the official mechanism by which merchants and other organizations verify compliance with PCI DSS to their respective acquiring financial institutions. Depending on card brand requirements, merchants and service providers may need to submit a SAQ or annual attestations of compliance for on-site assessments (see PCI DSS version 1.2, Appendices D and E for more information). Quarterly submission of a report for network scanning may also be required. Finally, individual card brands may require submission of other documentation; see their Web sites for more information (URLs listed above).

Information Contained in PCI DSS Reports
• Summary of Findings (general statement, details of the security assessment)
• Business Information (contact, business description, processor relationships)
• Card Payment Infrastructure (network diagram, transaction flow diagram, POS products used, wireless LANs and/or wireless POS terminals)
• External Relationships (list service providers with whom you share cardholder data, connections to card payment companies, wholly owned entities (national and international) that require compliance with PCI DSS)

COMPLIANCE PROGRAM
Assess: Assess your network and IT resources for vulnerabilities. You should constantly monitor access and usage of cardholder data. Log data must be available for analysis.
Remediate: You must fix vulnerabilities that threaten unauthorized access to cardholder data.
Report: Report compliance and present evidence that data protection controls are in place.
- 31.
About the PCI Security Standards Council

The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning guidelines, a self-assessment questionnaire, training and education, and product certification programs.

The PCI SSC founding members, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirement for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS.

The PCI SSC's founding member card brands share equally in the Council's governance and operations. Other industry stakeholders participate in reviewing proposed additions or modifications to the standards, including merchants, payment card issuing banks, processors, hardware and software developers, and other vendors.
[Figure: PCI SSC founders, and participating organizations: merchants, banks, processors, hardware and software developers and point-of-sale vendors.]