PCI Information
Definitions:
PCI DSS = Payment Card Industry Data Security Standard
SSC = Security Standards Council
PTS = PIN Transaction Security
PA-DSS = Payment Application Data Security Standard
If you process, transmit or store cardholder data you are obligated to meet ALL of the requirements. The standard is organized as 6 goals and 12 requirements. Your compliance level is determined by the number of transactions your organization processes, and the level thresholds can differ from one card brand to another.
News:
- In June 2011, an Information Supplement to the PCI DSS entitled "PCI DSS Virtualization Guidelines" was released.
- On March 18, 2011, the PCI Security Standards Council released a Supplemental Guidance document for merchants who receive credit card data over the telephone. With today's VoIP systems it is common for such calls to be recorded, which can create a PCI violation if the recordings retain cardholder data.
- On October 28, 2010, the PCI Security Standards Council released Version 2.0 of the PCI DSS and PA-DSS. Version 2.0 became effective on January 1, 2011.
- On April 22, 2008, the PCI Security Standards Council announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts. Both information supplements are now available on the Council’s website at https://www.pcisecuritystandards.org/tech/supporting_documents.htm.
PCI FAQ
- What are the 12 requirements?
- What is cardholder data?
- What can never be stored, even if encrypted?
- What are the 5 Stages of PCI Grief?
- Where can I go for more information?
- Are penetration tests required? If so, who can perform them?
- What's the difference between a QSA and an ASV?
- What is the latest version of the Self-Assessment Questionnaire (SAQ)? When did it become effective?
- Am I liable if my credit card processor is breached?
- Are there different ways to satisfy requirement 6.6?
- I understand there are 4 different Self-Assessment Questionnaires (SAQ). Which one is right for me?
- What are the most important changes in Version 1.2 of the DSS?
- Does PCI compliance apply to non-profit organizations?
- What is MOTO?
- What's the difference between PED and EPP?
- What's the difference between compliance and validation?
- What wireless standard for encryption is required?
- Where can I get more information on wireless requirements?
- Does virtualization affect PCI compliance?
Q: What are the 12 requirements?
A:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.

Q: What is cardholder data?
A:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
- Sensitive Authentication Data
- Full magnetic stripe data
- Card Validation Code/Value
- PIN

Q: What can never be stored, even if encrypted?
A:
- Full magnetic stripe
- Card Validation Code/Value
- PIN/PIN block
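The two answers above define what counts as cardholder data and which sensitive authentication data may never be retained. A practical check a defender wants is a scan of logs, exports or database dumps for exactly those items. The following is an added example written for this page, not code from the PCI SSC or any vendor: it runs over a few constructed log lines (the card numbers are the well-known Visa and MasterCard test PANs), finds Luhn-valid PANs, flags track 1/track 2 magnetic-stripe data and card validation code fields, and produces a redacted copy in which PANs are masked to the first six and last four digits (the most PCI DSS 2.0 requirement 3.3 permits to be displayed) and sensitive authentication data is removed outright. The field names (`card=`, `cvv=`, `track2=`) and log layout are assumptions for the sample only.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real system). Line 2 carries a
# digit string that fails the Luhn check and line 6 a 14-digit reference
# number; neither should be reported as a PAN.
SAMPLE_LOG = """\
2011-03-18 10:01:22 order=1001 card=4111111111111111 exp=1213 name=J DOE
2011-03-18 10:01:23 order=1002 card=4111111111111112 exp=1213
2011-03-18 10:02:05 order=1003 cvv=123 card=5500000000000004
2011-03-18 10:03:41 swipe track2=;4111111111111111=131210112340?
2011-03-18 10:03:42 swipe track1=%B4111111111111111^DOE/J^13121011234?
2011-03-18 10:04:00 order=1004 ref=20110318100400
"""

# A PAN is 13 to 19 digits not embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2: optional start sentinel, PAN, '=' separator, YYMM expiry,
# service code / discretionary data, optional end sentinel.
TRACK2 = re.compile(r";?\d{13,19}=\d{4}\d*\??")
# Track 1: optional start sentinel, format code B, PAN, '^' name '^' YYMM ...
TRACK1 = re.compile(r"%?B\d{13,19}\^[^^]*\^\d{4}[^?]*\??")
# Card validation code/value written as a named field (assumed field names).
CVV = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most non-PAN digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for every cardholder-data item found."""
    findings = []
    for m in TRACK1.finditer(line):
        findings.append(("track1", m.group()))
    for m in TRACK2.finditer(line):
        findings.append(("track2", m.group()))
    for m in CVV.finditer(line):
        findings.append(("cvv", m.group()))
    for m in DIGIT_RUN.finditer(line):
        if luhn_ok(m.group()):
            findings.append(("pan", m.group()))
    return findings


def redact_line(line: str) -> str:
    """Drop sensitive authentication data entirely, mask PANs."""
    line = TRACK1.sub("[SAD REDACTED]", line)
    line = TRACK2.sub("[SAD REDACTED]", line)
    line = CVV.sub(lambda m: m.group(1) + "=[SAD REDACTED]", line)
    line = DIGIT_RUN.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), line)
    return line


def scan_log(text: str) -> List[Tuple[int, List[Tuple[str, str]], str]]:
    """(line number, findings, redacted line) for each line with findings."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            report.append((n, found, redact_line(line)))
    return report


if __name__ == "__main__":
    for n, found, redacted in scan_log(SAMPLE_LOG):
        kinds = ", ".join(sorted({k for k, _ in found}))
        print(f"line {n}: {kinds}\n    {redacted}")
```

Lines that contain track data or a validation code are the ones that matter most: a Luhn-valid PAN in a log is a requirement 3 problem to fix, but stored track or CVV data is prohibited outright and the retention point has to be removed, not just masked. The Luhn check keeps arbitrary reference numbers and timestamps out of the report, which is what makes such a scan usable on real log volumes.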

Q: What are the 5 Stages of PCI Grief?
A:
- Denial (This doesn't apply to my firm)
- Anger (This isn't fair)
- Bargaining (Maybe it does apply to my firm)
- Depression (How much will this cost)
- Acceptance (This is a good thing)

Q: Where can I go for more information?
A:
- PCI Security Standards
- VISA Cardholder Information Security Program (CISP)
- Mastercard Site Data Protection Program
- Discover Information Security & Compliance
- JCB Global Site
- American Express Data Security
- Ten Common Myths of PCI DSS

Q: Are penetration tests required? If so, who can perform them?
A: Yes. Penetration tests are required for any systems or networks that store, process or transmit cardholder data, according to PCI DSS requirement 11.3. The minimum frequency for testing is annual. The tests can be performed by any competent firm offering penetration testing, or by internal resources if they are qualified. Outside firms do not have to be ASV or QSA certified. The testing is limited to the computing resources associated with cardholder data.

Q: What's the difference between a QSA and an ASV?
A: A Qualified Security Assessor (QSA) is a firm certified by the PCI Security Standards Council to perform the annual audits required for Level 1 Merchants. An Approved Scanning Vendor (ASV) is certified to perform the quarterly scanning required by all levels.

Q: What is the latest version of the Self-Assessment Questionnaire (SAQ)? When did it become effective?
A: The latest version of the SAQ is version 1.2. It was released in October, 2008.

Q: Am I liable if my credit card processor is breached?
A: It depends, but it is certainly possible. If you use a third-party service provider to process your credit card transactions, it is your responsibility to ensure they are PCI compliant. If they are not and they are breached, you can be held liable as well. There are known cases of this happening.

Q: Are there different ways to satisfy requirement 6.6?
A: Possibly. Depending on your situation, one of the following may satisfy the requirement:
- Perform a code review of all in-house developed web applications.
- Run all web application code through automated code analysis tools.
- Perform a manual penetration test on each web application.
- Purchase and install an application layer firewall in front of each web server.

Q: I understand there are 4 different Self-Assessment Questionnaires (SAQ). Which one is right for me?
A: Please refer to the following table:
| SAQ Validation Type | Description | SAQ |
| 1 | Card-Not-Present (e-Commerce or MOTO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no cardholder data storage. | B |
| 3 | Stand-alone dial-up terminal merchants, no electronic cardholder data storage. | B |
| 4 | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. | C |
| 5 | All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ. | D |

Q: What are the most important changes in Version 1.2 of the DSS?
A:
- Removed requirement to disable broadcast wireless SSID.
- For new wireless implementations after March 31, 2009, WEP is prohibited.
- For existing wireless implementations, WEP is prohibited after June 30, 2010.
- Included Unix-based systems in anti-virus requirement.
- Under 11.3, clarified that both internal and external penetration testing is required.

Q: Does PCI compliance apply to non-profit organizations?
A: Yes. Neither the PCI SSC nor the acquiring banks are likely to give you a free pass just because your stated goal is to be a non-profit organization. The liability and risks still exist and need to be addressed. In fact, because you are a non-profit organization, the effects of a data breach could be even more damaging to your organization due to the fines and other possible penalties.

Q: What is MOTO?
A: MOTO = Mail Order/Telephone Order. This refers to merchants who take credit card data by mail or over the telephone.

Q: What's the difference between PED and EPP?
A: PED = PIN Entry Device. This is the familiar "card swipe" device at a merchant location; it usually contains a PIN pad (keypad), a display and a card reader. EPP = Encrypting PIN Pad (keypad). An EPP is typically located at an ATM and contains neither a display nor a card reader. The PCI DSS has technical requirements for both PED and EPP devices.

Q: What's the difference between compliance and validation?
A: Compliance is the process of implementing the security controls and policies required by the standard. Validation is the process of proving that you are compliant. PCI compliance requires both functions to be performed.

Q: What wireless standard for encryption is required?
A: For new wireless implementations, WEP is prohibited after March 31, 2009. For existing wireless implementations, WEP is prohibited after June 30, 2010.

Q: Where can I get more information on wireless requirements?
A: The PCI SSC has released a PDF detailing Wireless Guidelines for PCI compliance.

Q: Does virtualization affect PCI compliance?
A: Yes, virtualization has an impact on PCI compliance; see the "PCI DSS Virtualization Guidelines" Information Supplement noted above.
