What is PCI?

I face this question more often these days; everyone seems to be working on something or other for PCI. To answer it: PCI DSS (the Payment Card Industry Data Security Standard) is a comprehensive set of 12 requirements (256 sub-requirements, to be precise) for securing payment card data (transaction cards such as credit, debit and gift cards). It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover, JCB, MasterCard and Visa) to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for

  • Security Management
  • Policies
  • Procedures
  • Network Architecture 
  • Software design and other critical protective measures.

This comprehensive standard is intended to help organizations proactively protect customer account data and comply with one common set of requirements. The PCI Security Standards Council keeps revising PCI DSS to incorporate new security lessons that help the world mitigate risk, i.e. learning from what attackers actually do :-).

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

How do we start?

  • Identify where your business handles payment card data, at every level (application, architecture, etc.).
  • PCI discovery (gap assessment): this covers anything and everything on the enterprise network :-)
  • Baseline: where do we stand today?

Where are the opportunities for technical teams?

  • Network: network segmentation (enterprise architecture), so that the cardholder data environment is isolated and the assessment scope shrinks with it.
  • Data: databases (what data comes in, what goes out, how it is stored and who can access it, etc.).
  • Applications: interfaces (application/solution architecture: app/web servers, legacy code, etc.).
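The data item above starts with knowing where card numbers actually are, which is also what the discovery (gap assessment) step boils down to. As an added example (not code from the original post), here is a small Python routine that scans text such as an application log export for candidate primary account numbers (PANs), confirms each one with the Luhn check digit, and masks hits to the first six and last four digits. The log lines are constructed for this example and use the card brands' published test numbers, not real accounts; the first-six/last-four masking policy and the 13 to 19 digit length range are assumptions made for this example.

```python
"""Added example: discover candidate PANs in text, confirm with Luhn, mask to first six / last four."""
import re

# Constructed sample input (not real data): an application log export containing the card
# brands' published test numbers, with and without separators, plus one number that fails Luhn.
SAMPLE_LOG = (
    "2011-03-15 10:02:11 order=778812345678 card=4111111111111111 amount=19.99\n"
    "2011-03-15 10:02:19 order=778812345679 card=5555-5555-5555-4444 amount=42.00\n"
    "2011-03-15 10:03:02 order=778812345680 card=3782 822463 10005 amount=7.50\n"
    "2011-03-15 10:03:40 ref=4111111111111112 note=fails Luhn, left alone\n"
)

# Assumed PAN shape: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits (so timestamps and order IDs are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits_only(s):
    """Strip the separators the regex tolerates so the Luhn check sees digits only."""
    return re.sub(r"[ -]", "", s)


def luhn_ok(digits):
    """Luhn (mod 10) check: from the right, double every second digit, subtract 9 if > 9, sum must be 0 mod 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidates (separators stripped) in order of appearance."""
    return [
        _digits_only(m.group(0))
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_ok(_digits_only(m.group(0)))
    ]


def mask_pan(digits):
    """Keep the first six and last four digits (assumed display policy) and star out the rest."""
    if len(digits) < 11:
        raise ValueError("too short to mask as a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text):
    """Replace each Luhn-valid candidate with its masked form; digit runs that fail Luhn are left untouched."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(pan, "->", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Two caveats when using something like this in a real discovery exercise: the Luhn filter cuts false positives but does not eliminate them (an order ID can pass Luhn by chance, so hits still need a human look), and masking is only the display rule. PAN that is stored at rest must be rendered unreadable by one of the methods Requirement 3 allows (truncation, one-way hashing, tokenization or strong encryption with managed keys), and the scan has to reach backups, database dumps, crash files and log archives, not just the live application.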

Who needs to be certified?

Merchants that process credit card transactions need to be PCI compliant, but there are merchant levels defined by annual transaction volume, and what you must do to validate compliance depends on your level. For more information you can visit www.pciassessment.org

What does PCI non-compliance mean for business?

  • Heavy fines, legal complications, etc.
  • Being barred from accepting or processing credit cards.
  • Data security compromises resulting in security attacks, and
  • Many more…

Myth about PCI DSS: PCI DSS is a technology or framework that will guard us from external threats.

In reality PCI DSS is neither a technology nor a framework; it is a governed set of standards intended to build compliant environments across the globe so that everyone who handles payment cards does so in a consistent, secure way. A passing assessment is a point-in-time snapshot, not a guarantee. Watch out: we still need robust vulnerability (SCABBA) testing to make sure the code is clean before it goes into real use 🙂

Where is PCI now and where is it going?

The current version of PCI DSS is 2.0; yes, it has evolved through versions too 🙂 and will keep evolving…

Where it is heading: we will probably see new PCI standards to certify specific clouds for handling card data, with the rest of us talking to those certified clouds. At this moment things are too cloudy for cloud computing… let's park this for next time 😉; maybe those will be cloud certification days 🙂

Happy PCI days and years to come (there is never a last time for PCI; it is always ongoing…)!!!

3 thoughts on “What is PCI?”

  1. There is a lot of great info out there regarding the PCI standards, but I found your article very interesting. It covered all the bases. Thanks!

  2. TSR! You! ……Guess what? I found your post on a Google search for “Payment Gateways”. Nice one! Very Informative.

    1. Thank you Girish, I had re-posted this from my internal blog while working on building payment gateways 🙂 PCI is a regular initiative. As discussed, clouds are now exploring getting certified; I’m sure there will be standards laid out soon for them too. With PCI 2.0 a lot of things are evolving; visit the official site for more info. Let me know if you need more info, I have some with me too.
