What is PCI?
I face this question more often these days; everyone is working on something or other for PCI. To answer it: PCI DSS is a comprehensive set of 12 requirements (256 sub-requirements, to be precise) making up a data security standard for payment cards (transaction cards such as credit, debit and gift cards). These were developed by the founding payment brands of the PCI Security Standards Council, including AMEX, Discover, JCB, MasterCard and VISA, to help facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for
- Security Management
- Network Architecture
- Software design and other critical protective measures.
This comprehensive standard is intended to help organizations proactively protect customer account data and be compliant with the common standards laid down. The PCI Security Standards Council keeps enhancing the PCI DSS standard to accommodate new security learnings that help the world mitigate risks, i.e. take some lessons from hackers :-).
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
How do we start?
- Identify your PCI uses in your business at various levels (application, architecture etc).
- PCI Discovery (GAP assessment) [includes anything & everything on the enterprise network :-)]
- Baseline [Where do we stand?]
Where are the opportunities for technical teams?
- Network: Network Segmentation (Enterprise Arch).
- Data: Database (what data comes in, goes out, how you store it & access it etc).
- Applications: Interfacing (Application/Solutions Arch: App/web servers, legacy code etc).
Who all need to be certified?
Merchants doing credit card transactions need to become PCI compliant, but there are levels defined based on the number of transactions processed. For more information you can visit www.pciassessment.org
What does PCI non-compliance mean for business?
- Heavy fines, legal complications etc.
- Barred from accepting/processing credit cards.
- Data Security Compromises resulting in security attacks and
- Many more …….
Myth about PCI DSS: PCI DSS is a technology or framework that would guard us from external threats.
In reality PCI DSS is not a technology or framework; it is a governed set of standards driven to build compliant environments across the globe that collaborate in secure ways to handle payment cards. Watch out: we still need robust vulnerability (SCABBA) tests to ensure the code is cleaned before putting it into real use 🙂
Where is PCI now and where is it going?
The current PCI DSS version is 2.0; yes, it has also evolved through versions 🙂 & will keep evolving…
Where is it heading? Probably we will see new PCI standards to certify specific clouds that deal with PCI, and all of us will talk to those secure clouds. At this moment things are too cloudy for cloud computing…letz park this for next time 😉 maybe those will be cloud certification dayz 🙂
Happy PCI dayz N years to come (It is never last time for PCI, always ongoing….)!!!