Document Comparison

PCIDSS_QRGv3_2.pdf PCI_DSS-QRG-v3_2_1.pdf
97% similar
40 → 39 Pages
10901 → 10788 Words
26 Content Changes

Content Changes

26 content changes. 1 administrative change (dates, page numbers) hidden.

Added p. 4
DATA TYPES COMPROMISED IN BREACHES 22% card track data 18% card-not-present (e-commerce) 16% financial/user credentials Source: 2018 Trustwave Global Security Report, p. 30 https://www2.trustwave.com/GlobalSecurityReport.html (form to access report) This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 5 The intent of this PCI DSS Quick Reference Guide is to help you understand how the PCI DSS can help protect your payment card transaction environment and how to apply it.
Added p. 7
QIR PROGRAM Qualified Integrators and Resellers (QIRs) are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. A list of QIRs is available at https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers.

12. Maintain a policy that addresses information security for all This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.

Self-Assessment Questionnaire. The Self-Assessment Questionnaire (SAQ) is a validation tool for eligible organizations who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC). Different SAQs are available for various business environments; more details can be found on our website at: www.pcisecuritystandards.org/document_library?category=saqs#. To determine whether you should complete a SAQ (and if so, which one), contact your …
Added p. 24
TIPS FOR SCANNING Get Advice. Ask your merchant bank about partnerships with PCI Approved Scanning Vendors (ASV).

Talk to a PCI ASV. See PCI Council website for approved list.

Select a Scanner. Contact several PCI ASVs and select a suitable program.

Address Vulnerabilities. Ask your PCI ASV for help correcting issues found by scanning.

Source: Small Merchant Guide to Safe Payments, p. 16 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 25 12.5 Assign to an individual or team information security responsibilities defined by 12.5 subsections.
Added p. 37
PCI Security Standards Council Web site: https://www.pcisecuritystandards.org Frequently Asked Questions (FAQs): https://www.pcisecuritystandards.org/faqs

About the PCI Security Standards Council The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
Modified p. 1
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.2 For merchants and other entities involved in payment card processing
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.2.1 For merchants and other entities involved in payment card processing
Modified p. 2
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1.
Removed p. 4
RISKY BEHAVIOR A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk. 81% store payment card numbers. 73% store payment card expiration dates. 71% store payment card verification codes. 57% store customer data on the payment card magnetic strip. 16% store other personal data.

Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC) This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 5 The intent of this PCI DSS Quick Reference Guide is to help you understand how the PCI DSS can help protect your payment card transaction environment and how to apply it.
Modified p. 4
It’s a serious problem

• more than 898 million records with sensitive information have been breached from 4,823 data breaches made public between January 2005 and April 2016, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
It’s a serious problem

• more than 10.9 billion records with sensitive information have been breached according to public disclosures between January 2005 and July 2018, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
Modified p. 5
PCI DSS COMPLIANCE IS A CONTINUOUS PROCESS POS Merchant Acquirer Service Provider INTERNET PUBLIC NETWORKS WIRELESS INTERNET PUBLIC NETWORKS WIRELESS INTERNET PUBLIC NETWORKS WIRELESS Overview of PCI Requirements This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
PCI DSS COMPLIANCE IS A CONTINUOUS PROCESS POS Merchant Acquirer Service Provider INTERNET PUBLIC NETWORKS INTERNET PUBLIC NETWORKS INTERNET PUBLIC NETWORKS This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 9
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data …
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program
Modified p. 10
Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council also provides PCI DSS training for Internal Security Assessors (ISAs). Additional details …
Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council also provides PCI DSS training for Internal Security Assessors (ISAs). Additional details …
Modified p. 11
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 11 Security Controls and Processes for PCI DSS Requirements Security Controls and Processes for PCI DSS Requirements The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, …
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 11 Security Controls and Processes for PCI DSS Requirements The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, including the PAN
Modified p. 11
CID (American Express) Expiration Date Magnetic Stripe (data on tracks 1 & 2) CAV2/CID/CVC2/CVV2 (all other payment card brands) Types of Data on a Payment Card Cardholder Name This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
CID (American Express) Expiration Date Magnetic Stripe (data on tracks 1 & 2) CAV2/CID/CVC2/CVV2 (all other payment card brands) Types of Data on a Payment Card Cardholder This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 15
Guidelines for Cardholder Data Elements Data Element Storage Permitted Render Stored Data Unreadable per Requirement 3.4 Cardholder Data Primary Account Number (PAN) Yes Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive Authentication Data1 Full Track Data2 No Cannot store per Requirement 3.2 CAV2/CVC2/CVV2/CID3 No Cannot store per Requirement 3.2 PIN/PIN Block4 No Cannot store per Requirement 3.2 1 Sensitive authentication data must not be stored after authorization (even if encrypted) 2 Full track data …
Guidelines for Cardholder Data Elements Data Element Storage Permitted Render Stored Data Unreadable per Requirement 3.4 Cardholder Primary Account Number (PAN) Yes Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Sensitive Authentication Full Track Data2 No Cannot store per Requirement 3.2 CAV2/CVC2/CVV2/CID3 No Cannot store per Requirement 3.2 PIN/PIN Block4 No Cannot store per Requirement 3.2 1 Sensitive authentication data must not be stored after authorization (even if encrypted) 2 Full track data from the …
Modified p. 23
SEVERITY LEVELS FOR VULNERABILITY SCANNING CVSS Score Severity Level Scan Results 7.0 through 10.0 High Severity Fail 4.0 through 6.9 Medium Severity Fail 0.0 through 3.9 Low Severity Pass “To demonstrate compliance, internal scans must not contain high-risk vulnerabilities in any component in the cardholder data environment. For external scans, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.” This Guide provides supplemental …
SEVERITY LEVELS FOR VULNERABILITY SCANNING CVSS Score Scan Results 7.0 through High Severity Fail 4.0 through Severity Fail 0.0 through Low Severity Pass “To demonstrate compliance, internal scans must not contain high-risk vulnerabilities in any component in the cardholder data environment. For external scans, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.” This Guide provides supplemental information that does not replace or …
Modified p. 27
6. Remediate

• if required, perform remediation to address requirements that are not in place, and provide an updated report How to Comply With PCI DSS PREPARING FOR A PCI DSS ASSESSMENT Gather Documentation: Security policies, change control records, network diagrams, scan reports, system documentation, training records and so on Schedule Resources: Ensure participation of senior management, as well as a project manager and key people from IT, security, applications, human resources and legal Describe the Environment: Organize information about the …
6. Remediate

• if required, perform remediation to address requirements that are not in place, and provide an updated report PREPARING FOR A PCI DSS ASSESSMENT Gather Documentation: Security policies, change control records, network diagrams, scan reports, system documentation, training records and so on Schedule Resources: Ensure participation of senior management, as well as a project manager and key people from IT, security, applications, human resources and legal Describe the Environment: Organize information about the cardholder data environment, including cardholder data …
Modified p. 30
• Identify and document the existence of all cardholder data in the environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
• Identify and document the existence of all cardholder data in the environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE). • Once all locations of cardholder data are identified and documented, verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).

• Consider any cardholder data found to be in scope of the PCI DSS assessment and part of the …
Modified p. 30
• Retain documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
If data is identified that is not currently included in the CDE, such data should be securely deleted, migrated/consolidated into the currently defined CDE, or the CDE redefined to include these data.

• Retain documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
Modified p. 37
PCI Security Standards Council Web site: www.pcisecuritystandards.org Frequently Asked Questions (FAQs): www.pcisecuritystandards.org/faqs PCI SSC Blog: blog.pcisecuritystandards.org/ Membership Information www.pcisecuritystandards.org/get_involved/join.php Webinars www.pcisecuritystandards.org/program_training_and_qualification/webinars Training QSA: https://www.pcisecuritystandards.org/program_training_and_qualification/qsa_certification PA-QSA: https://www.pcisecuritystandards.org/program_training_and_qualification/payment_application-qsa_certification ISA: https://www.pcisecuritystandards.org/program_training_and_qualification/internal_security_assessor_certification PCIP: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification Other Training Programs: https://www.pcisecuritystandards.org/program_training_and_qualification/
PCI SSC Blog: https://blog.pcisecuritystandards.org Membership Information https://www.pcisecuritystandards.org/get_involved/join.php Webinars https://www.pcisecuritystandards.org/program_training_and_qualification/webinars Merchant Resources: https://www.pcissc.org/merchant Training PCI Awareness: https://www.pcisecuritystandards.org/program_training_and_qualification/requirements_awareness QSA: https://www.pcisecuritystandards.org/program_training_and_qualification/qsa_certification ISA: https://www.pcisecuritystandards.org/program_training_and_qualification/internal_security_assessor_certification PCIP: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification Other Training Programs: https://www.pcisecuritystandards.org/program_training_and_qualification
Modified p. 37
PCI SSC approved products, solutions and providers PIN Transaction Security (PTS) Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement P2PE Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions Approved QSAs: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors Approved ASVs: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
PCI SSC approved products, solutions and providers PIN Transaction Security (PTS) Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement P2PE Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions Approved QSAs: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors Approved ASVs: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors Qualified Integrators and Resellers: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers
Modified p. 37
PCI Data Security Standard (PCI DSS) The Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf Supporting Documents: https://www.pcisecuritystandards.org/document_library Self-Assessment Questionnaires: www.pcisecuritystandards.org/document_library?category=saqs#results Glossary: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf Web Resources 39 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
PCI Data Security Standard (PCI DSS) The Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf Supporting Documents: https://www.pcisecuritystandards.org/document_library Self-Assessment Questionnaires: www.pcisecuritystandards.org/document_library?category=saqs#results Glossary: https://www.pcisecuritystandards.org/pci_security/glossary 39 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Removed p. 39
About the PCI Security Standards Council About the PCI Security Standards Council The PCI Security Standards Council (PCI SSC) is a global body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
Modified p. 39 → 38
The PCI SSC founding members, American Express, Discover, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC.
The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.
Modified p. 39 → 38
All five payment card brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards.
All five payment brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.
Modified p. 39 → 38
PCI SSC FOUNDERS PARTICIPATING ORGANIZATIONS Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale Vendors This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
PCI SSC FOUNDERS PARTICIPATING ORGANIZATIONS Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 40 → 39
Goals PCI DSS Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications …
7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel