Monday 13 February 2017

An Introduction to PCI DSS for Beginners

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of mandatory industry requirements used to evaluate the security level of businesses that accept, process, store or transmit cardholder data or sensitive authentication data relating to credit cards. PCI DSS helps merchants, service providers and financial institutions understand and implement standards for the ongoing technology, processes and security policies that protect the payment system from breaches and theft of cardholder data. The standard is mandatory for entities that accept credit cards (known as merchants) and for entities that process, store or transmit cardholder data on behalf of other businesses (known as service providers), so that cardholder data is protected wherever it is handled. PCI DSS is structured to protect sensitive cardholder data by ensuring that wherever the information is accessed, sufficient controls and protection surround its use.

This article introduces readers to PCI DSS from an information security perspective. Described below are some of the important terms you need to know in order to understand the 12 requirements of PCI DSS; they will also be useful when the details of those requirements are covered in upcoming blog posts.

Terminologies Involved in PCI DSS:
  • Cardholder – A cardholder is any customer who is authorized to use a payment card. 
  • Cardholder Data – Cardholder data, also denoted CHD or CD, refers to the data contained on a consumer's payment card. It comprises two groups of elements: cardholder data elements and Sensitive Authentication Data (SAD).
    • Cardholder data elements include Primary Account Number (PAN), cardholder name and expiration date
    • Sensitive Authentication Data (SAD) includes the data on the magnetic stripe, the Personal Identification Number (PIN) and the Card Validation Code (CVC)
  • Card Verification Code – Card Validation Code (CVC), also referred to as Card Verification Value (CVV), is a SAD element that uses a secure cryptographic process to protect the integrity of the data stored on the magnetic stripe and so reveals forgery.
  • Cardholder Data Environment – The Cardholder Data Environment (CDE) refers to the people, technology and processes that store, process or transmit cardholder data or sensitive authentication data.
  • Cross-Site Request Forgery – Cross-Site Request Forgery (CSRF) is a vulnerability created by insecure coding techniques that allows unwanted actions to be executed through a user's authenticated session.
  • Cryptography – Cryptography is a method of encrypting or storing data so that only those intended to decrypt it can read and process it.
  • Cryptographic Keys – Cryptographic keys are the values a cryptographic algorithm uses to transform plaintext into ciphertext. The security of the encrypted message rests on the key that was created for it; keys enable secure communication and maintain the confidentiality of the data.
PCI DSS Requirements:
The twelve requirements of PCI DSS are categorized into six main sections as below:
  • Building and maintaining a secure network and systems
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protecting cardholder data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintaining a programme to manage and address vulnerabilities
    • Use and regularly update anti-virus software or programs
    • Develop and maintain secure systems and applications
  • Implementing strong access control measures to restrict access to cardholder data
    • Restrict access to cardholder data by business need to know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Maintaining audit logs, monitoring and testing security of network and system components
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Developing and maintaining information security policies
    • Maintain a policy that addresses information security for all personnel
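As an added example (not code from the original post), the following Python scanner shows what "protect stored cardholder data" and "track and monitor all access" mean in practice for application logs: it finds digit runs that pass the Luhn check used by PANs and replaces them with the masked form PCI DSS Requirement 3.3 permits for display (at most the first six and last four digits). The log lines are constructed for the example; an order id that merely looks like a PAN is left untouched.

```python
import re
from typing import List

# Constructed log lines (not from the original post): a real-looking PAN with
# spaces, an order id that has 16 digits but fails Luhn, and a near-miss PAN
# whose check digit is wrong.
SAMPLE_LOG = [
    "2017-02-13 10:01:02 INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2017-02-13 10:01:05 INFO refund order=1234567890123456 card=378282246310005",
    "2017-02-13 10:01:09 INFO ping ip=192.168.1.10 txn=4111111111111112",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that payment card PANs must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask a PAN for display: first six and last four digits at most (Req. 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    pans = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)
```

Running the scanner over a log pipeline before lines are written to disk keeps full PANs out of storage that would otherwise fall inside the CDE.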
Conclusion:
Implementation of and compliance with PCI DSS is vital for entities that handle financial transactions and the security of e-commerce payments. Implementing PCI DSS is not only a mandate for such organisations but also helps ensure that the inflow and outflow of CHD and SAD remain protected and confidential.

About Author:
Devika Vaghela is a consultant in Systems Plus Pvt. Ltd. Within Systems Plus, she actively contributes to the areas of Technology and Information Security. She can be contacted at: devika.vaghela@spluspl.com
