Document Comparison

PCI_SSC_Quick_Reference_Guide.pdf → PCIDSS_QRGv3.pdf
68% similar
34 → 40 Pages
8826 → 10708 Words
87 Content Changes

Content Changes

87 content changes. 5 administrative changes (dates, page numbers) hidden.

Added p. 4
RISKY BEHAVIOR A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk. 81% store payment card numbers. 73% store payment card expiration dates. 71% store payment card verification codes. 57% store customer data on the payment card magnetic stripe. 16% store other personal data.

Repair

• fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.

Report

• documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).

[Diagram: PCI Security & Compliance: PCI PTS (PIN Entry Devices); PCI PA-DSS (Payment Applications); Secure Environments; ecosystem of payment devices, applications, infrastructure and users]

This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.

PCI Security Standards Include: PCI Data Security Standard (PCI DSS) The PCI DSS applies to …
Added p. 10
• JCB International: http://partner.jcbcard.com/security/jcbprogram/

• the primary account number printed on the front of a payment card. Merchants, service providers, and other entities involved with payment card processing must never store sensitive authentication data after authorization. This includes the 3- or 4-digit security code printed on the front or back of a card, the data stored on a card’s magnetic stripe or chip (also called “Full Track Data”)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. 1.1 Establish and implement firewall and router configuration standards …
Added p. 16
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Malicious software (a.k.a. “malware”) exploits system vulnerabilities after entering the network via users’ e-mail and other online business activities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.

Additional anti-malware solutions may supplement (but not replace) anti-virus software.
Added p. 18
Implement Strong Access Control Measures Access controls allow merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access controls entail the use of locks or other means to restrict access to computer media, paper-based records or system hardware. Logical access controls permit or deny use of payment devices, wireless networks, PCs and other computing devices, and also control access to digital files containing cardholder data.

Restrict Access to Cardholder Data Environments by employing access controls
• Limit access to only those individuals whose job requires such access
• Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems
• Deny all access to anyone who is not specifically allowed to access cardholder data and systems
Added p. 19
Requirement 8: Identify and authenticate access to system components Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data.
Added p. 19
IDENTIFY AND AUTHENTICATE ALL USERS Every user with access to the Cardholder Data Environment must have a unique ID. This allows a business to trace every action to a specific individual. Every user should have a strong password for authentication.
Added p. 20
PHYSICALLY SECURE THE PAYMENT SYSTEM Businesses must physically secure or restrict access to printouts of cardholder data, to media where it is stored, and devices used for accessing or storing cardholder data. It’s important to understand that PCI is about protecting paper receipts as well as electronic data.

“Visitors” are vendors and guests that enter the facility for a short duration, usually up to one day. “Media” is all paper and electronic media containing cardholder data.
Added p. 22
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Perform critical log reviews at least daily. 10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis. 10.8 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Added p. 24
Requirement 12: Maintain a policy that addresses information security for all personnel 12.1 Establish, publish, maintain, and disseminate a security policy; review the security policy at least annually and update when the environment changes.

“With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.” (2014 Verizon PCI Compliance Report) 12.2 Implement a risk assessment process that is performed at least annually and upon significant changes to the environment that identifies critical assets, threats, and vulnerabilities, and results in a formal …
Added p. 27
3. Reporting

• assessor and/or entity submits required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), including documentation of all compensating controls

4. Clarifications

• assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand

How to Comply With PCI DSS

PREPARING FOR A PCI DSS ASSESSMENT
Gather Documentation: Security policies, change control records, network diagrams, scan reports, system documentation, training records and so on
Schedule Resources: Ensure participation of senior management, as well as a project manager and key people from IT, security, applications, human resources and legal
Describe the Environment: Organize information about the cardholder data environment, including cardholder data flow and location of cardholder data repositories
Added p. 28
• JCB International: http://partner.jcbcard.com/security/jcbprogram

• Produce the final report

ISA PROGRAM The PCI SSC Internal Security Assessor (ISA) Program provides an opportunity for eligible internal security assessment professionals of qualifying organizations to receive PCI DSS training and qualification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls. Please see the PCI SSC web site for details

• www.pcisecuritystandards.org/approved_companies_providers/internal_security_assessors.php

The QSA you select should have solid understanding of your business and have experience in assessing the security of similar organizations. That knowledge helps the QSA to understand business sector-specific nuances of securing cardholder data under PCI DSS. …
Added p. 31
Sampling of Business Facilities and System Components Sampling is an option for assessors to facilitate the assessment process where there are large numbers of system components. While it is acceptable for an assessor to sample systems as part of their review of an entity’s PCI DSS compliance, it is not acceptable for an entity to apply PCI DSS requirements to only a sample of their CDE, or for an assessor to only review a sample of PCI DSS requirements for compliance. The assessor may independently select representative samples of business facilities and system components to assess the entity’s compliance with PCI DSS requirements. Sampling is not required by PCI DSS. Sampling does not reduce scope of the cardholder data environment or the applicability of PCI DSS requirements. If sampling is used, each sample must be assessed against all applicable PCI DSS requirements. Samples must be sufficiently large to provide the …
Added p. 33
Using the Self-Assessment Questionnaire The “SAQ” is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment, if they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be required to state the future remediation date and associated actions. There are different SAQs available to meet different merchant environments. If you are not sure which SAQ would apply to you, contact your acquiring bank or payment card brand for assistance. The PCI DSS SAQ Instructions and Guidelines document provides more details on each SAQ type (see www.pcisecuritystandards.org).

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder …
Added p. 34
SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D: SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types. SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.

Reports are …
Added p. 36
1. Monitoring of security controls to ensure they are operating effectively and as intended.

2. Ensuring that all failures in security controls are detected and responded to in a timely manner.

3. Reviewing changes to the environment (for example, addition of new systems, changes in system or network configurations) prior to completion of the change to ensure PCI DSS scope is updated and controls are applied as appropriate.

4. Changes to organization structure (for example, a company merger or acquisition) resulting in a formal review of the impact to PCI DSS scope and requirements.

5. Performing periodic reviews and communications to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes.

6. Reviewing hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS, and remediating shortcomings as appropriate.

Entities may also consider …
Modified p. 2
This Quick Reference Guide to the PCI Data Security Standard is provided by the PCI Security Standards Council to inform and educate merchants and other entities that process, store or transmit cardholder data. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org.
This Quick Reference Guide to the PCI Data Security Standard (PCI DSS) is provided by the PCI Security Standards Council (PCI SSC) to inform and educate merchants and other entities involved in payment card processing. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org.
Modified p. 2
October 2010 3 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
August 2014 3 This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 4
It’s a serious problem

• more than 510 million records with sensitive information have been breached since January 2005, according to PrivacyRights.org. As a merchant, you are at the center of payment card transactions so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
It’s a serious problem

• more than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
Modified p. 4
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5).
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; mobile devices, personal computers or servers; wireless hotspots; web shopping applications; paper-based storage systems; the transmission of cardholder data to service providers, and in remote access connections. Vulnerabilities may also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5).
Modified p. 4
Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.
Compliance with the PCI DSS helps to alleviate these vulnerabilities and protect cardholder data.
Modified p. 4
Risky Behavior A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk: 81% store payment card numbers; 73% store payment card expiration dates; 71% store payment card verification codes; 57% store customer data from the payment card magnetic stripe; 16% store other personal data. Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC) The intent of this PCI DSS Quick Reference Guide is to help you understand how the PCI DSS can help protect your payment card transaction environment and how to apply it.
Removed p. 5
• fixing vulnerabilities and not storing cardholder data unless you need it.
Report

• compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
Modified p. 5
There are three ongoing steps for adhering to the PCI DSS:
Assess
There are three ongoing steps for adhering to the PCI DSS:
Modified p. 5
• identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Remediate
Assess

• identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data.
Modified p. 5
PCI DSS follows common sense steps that mirror best security practices. The DSS globally applies to all entities that store, process or transmit cardholder data. PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating Organizations include merchants, payment card issuing banks, processors, developers and other vendors.
PCI DSS follows common-sense steps that mirror security best practices. The PCI DSS globally applies to all entities that store, process or transmit cardholder data and/or sensitive authentication data. PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating Organizations include merchants, payment card issuing banks, processors, developers and other vendors.
Removed p. 6
[Diagram: PCI PA-DSS; PCI DSS; ecosystem of payment devices, applications, infrastructure and users]
Modified p. 6
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, …
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, …
Modified p. 6
[Diagram: PAYMENT CARD INDUSTRY SECURITY STANDARDS, Protection of Cardholder Payment Data: MANUFACTURERS (PCI PTS, PIN Transaction Security); SOFTWARE DEVELOPERS (Payment Application Vendors); MERCHANTS & SERVICE PROVIDERS (Data Security Standard); PCI SECURITY STANDARDS & COMPLIANCE]
[Diagram: PAYMENT CARD INDUSTRY SECURITY STANDARDS, Protection of Cardholder Payment Data: Manufacturers; Software Developers; Merchants & Service Providers]
Removed p. 7
PCI Data Security Standard (DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.

PIN Transaction Security (PTS) Requirements The PCI PTS (formerly PCI PED) is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php).
Modified p. 8 → 9
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices.
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
Modified p. 8 → 9
Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. …
Goals PCI DSS Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and …
Removed p. 9
• Discover Financial Services:

• www.jcb-global.com/english/pci/index.html

• MasterCard Worldwide:

• www.visa.com/cisp Visa Europe:
Modified p. 9 → 10
• www.americanexpress.com/datasecurity
American Express: www.americanexpress.com/datasecurity
Modified p. 9 → 10
• www.discovernetwork.com/fraudsecurity/disc.html
Discover: www.discovernetwork.com/fraudsecurity/disc.html
Modified p. 9 → 10
• www.mastercard.com/sdp
MasterCard: www.mastercard.com/sdp
Modified p. 9 → 10
• www.visaeurope.com/ais Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council also provides PCI DSS training for Internal Security Assessors …
Visa Inc: www.visa.com/cisp Visa Europe: www.visaeurope.com/ais Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council also provides PCI DSS training …
Modified p. 10 → 11
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
[Figure: Types of Data on a Payment Card: Cardholder Name; Expiration Date; Magnetic Stripe (data on tracks 1 & 2); CID (American Express); CAV2/CID/CVC2/CVV2 (all other payment card brands)] This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Removed p. 11
• the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorization. This includes sensitive data that is printed on a card, or stored on a card’s magnetic stripe or chip

[Figure: Types of Data on a Payment Card: Expiration Date; Magnetic Stripe (data on tracks 1 & 2); CID (American Express); CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa)]
Modified p. 11
Security Controls and Processes for PCI DSS Requirements The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN
Security Controls and Processes for PCI DSS Requirements The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data and sensitive authentication data wherever it is processed, stored or transmitted. The security controls and processes required by PCI DSS are vital for protecting all payment card account data, …
Modified p. 11
• and personal identification numbers entered by the cardholder. This chapter presents the objectives of PCI DSS and related 12 requirements.
• and personal identification numbers (PIN) entered by the cardholder. This chapter presents the objectives of PCI DSS and related 12 requirements.
Removed p. 12
Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks. All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment.
Modified p. 13
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters The easiest way for a hacker to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices …
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters The easiest way for a hacker to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is similar to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices …
Modified p. 14
Requirement 3: Protect stored cardholder data In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. …
Requirement 3: Protect stored cardholder data Cardholder data should not be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines). 3.1 Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data …
Modified p. 14
3.5 Protect any keys used for encryption of cardholder data from disclosure and misuse.
3.5 Document and implement procedures to protect any keys used for encryption of cardholder data from disclosure and misuse. 3.6 Fully document and implement key management processes and procedures for cryptographic keys used for encryption of cardholder data. 3.7 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Modified p. 15
Guidelines for Cardholder Data Elements
Data Element | Storage Permitted | Render Stored Account Data Unreadable per Requirement 3.4
Account Data: Cardholder Data
Primary Account Number (PAN) | Yes | Yes
Cardholder Name | Yes | No
Service Code | Yes | No
Expiration Date | Yes | No
Account Data: Sensitive Authentication Data (1)
Full Magnetic Stripe Data (2) | No | Cannot store per Requirement 3.2
CAV2/CVC2/CVV2/CID | No | Cannot store per Requirement 3.2
PIN/PIN Block | No | Cannot store per Requirement 3.2
(1) Sensitive authentication data must not be stored after authorisation (even if encrypted).

Guidelines for Cardholder Data Elements
Data Element | Storage Permitted | Render Stored Data Unreadable per Requirement 3.4
Cardholder Data
Primary Account Number (PAN) | Yes | Yes
Cardholder Name | Yes | No
Service Code | Yes | No
Expiration Date | Yes | No
Sensitive Authentication Data (1)
Full Track Data (2) | No | Cannot store per Requirement 3.2
CAV2/CVC2/CVV2/CID (3) | No | Cannot store per Requirement 3.2
PIN/PIN Block (4) | No | Cannot store per Requirement 3.2
(1) Sensitive authentication data must not be stored after authorization (even if encrypted) (2) Full track data …
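The storage rules in the table above, together with the p. 10 rule that sensitive authentication data must never be stored after authorization, are what a detection engineer turns into a scanner over stored records and logs. The block below is an added example written for this comparison, not text or code from either version of the Guide: it flags magnetic-stripe track data, labelled verification codes and PIN blocks as Requirement 3.2 violations, and any readable, Luhn-valid PAN as a Requirement 3.4 finding. The Luhn check, the Track 1/Track 2 layouts, the field labels it looks for and the first-six/last-four masking go beyond the page and are assumptions of the example; the sample records are constructed and use the usual test card numbers.

```python
"""Scan stored records for card data the storage table says may not be kept.

Added example, not from the Guide.  Rules mirrored from the page:
  - PAN may be stored, but must be rendered unreadable (Requirement 3.4)
  - full track data, card verification codes and PIN/PIN blocks must never
    be stored after authorization (Requirement 3.2)
Assumptions of this example (not stated on the page): the Luhn check used
to reject random digit runs, the Track 1/Track 2 layouts matched, the field
labels used to spot verification codes and PIN blocks, and the
first-six/last-four masking used when reporting a PAN.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (assumed layout): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 (assumed layout): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Labelled verification-code / PIN-block fields, e.g. "cvv2=123", "pin_block=A1B2...".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.I)
PIN_RE = re.compile(r"\bpin(?:_?block)?\s*[=:]\s*[0-9a-f]{4,16}\b", re.I)

RULE_TRACK1 = "full track data, Track 1 (Req. 3.2)"
RULE_TRACK2 = "full track data, Track 2 (Req. 3.2)"
RULE_CVV = "card verification code (Req. 3.2)"
RULE_PIN = "PIN/PIN block (Req. 3.2)"
RULE_PAN = "PAN stored readable (Req. 3.4)"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that are not account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a finding can be reported without re-storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> list:
    """Return (rule, evidence) pairs for every prohibited or unprotected element in one record."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        findings.append((RULE_TRACK1, mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        findings.append((RULE_TRACK2, mask_pan(m.group(1))))
    if CVV_RE.search(text):
        findings.append((RULE_CVV, "***"))
    if PIN_RE.search(text):
        findings.append((RULE_PIN, "***"))
    # Blank out track data already reported, then look for bare PANs in what is left.
    residual = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", text))
    for m in PAN_RE.finditer(residual):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append((RULE_PAN, mask_pan(digits)))
    return findings


def scan_all(records) -> dict:
    """Map record index -> findings, for records with at least one finding."""
    return {i: f for i, r in enumerate(records) if (f := scan_record(r))}


# Constructed sample records (not real logs); the card numbers are the usual test PANs.
SAMPLE_RECORDS = [
    "2014-08-01 10:02:11 POS-3 auth ok pan=4111111111111111 exp=2512 amount=19.99",
    "swipe=%B5555555555554444^DOE/JANE^25121010000?;5555555555554444=25121010000?",
    "order 8812 cust=J. Doe card=4111-1111-1111-1111 cvv2=123 exp=12/25",
    "ticket 20140801-0001 total=45.00 ref=1234567890123",
    "2014-08-01 10:05:40 POS-3 debit pin_block=A1B2C3D4E5F60718 pan=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for i, findings in scan_all(SAMPLE_RECORDS).items():
        for rule, evidence in findings:
            print(f"record {i}: {rule}: {evidence}")
```

The fourth record shows why the Luhn check matters: a 13-digit reference number is not reported, so the scanner can run over ticket and order logs without drowning in false positives. Track data is blanked before the PAN pass so one swipe is reported once as a 3.2 violation rather than twice.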
Removed p. 16
Requirement 5: Use and regularly update anti-virus software or programs Many vulnerabilities and malicious viruses enter the network via users’ e-mail and other online activities. Anti-virus software must be used on all systems affected by malware to protect systems from current and evolving malicious software threats.
Removed p. 16
VULNERABILITY MANAGEMENT
• Create policy governing security controls according to industry standard best practices (e.g., IEEE 802.11i)
• Regularly scan systems for vulnerabilities
• Create remediation schedule based on risk and priority
• Pre-test and deploy patches
• Rescan to verify compliance
• Update security software with the most current signatures and technology
• Use only software or systems that were securely developed by industry standard best practices
Removed p. 18
Requirement 7: Restrict access to cardholder data by business need to know To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job.
Removed p. 18
Requirement 8: Assign a unique ID to each person with computer access Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data.
Removed p. 18
Restrict Access to Cardholder Data Environments by employing access controls such as RBAC (Role Based Access Control)
• Limit access to only those individuals whose job requires such access
• Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems
• Deny all access to anyone who is not specifically allowed to access cardholder data and systems

8.2 Employ at least one of these to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; or something you are, such as a biometric.
Removed p. 19
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
Removed p. 19
GIVE EVERY USER A UNIQUE ID Every user with access to the Cardholder Data Environment must have a unique ID. This allows a business to trace every action to a specific individual.
Removed p. 20
PHYSICALLY SECURE THE PAYMENT SYSTEM Businesses must physically secure or restrict access to printouts of cardholder data, to media where it is stored, and to devices used for accessing or storing cardholder data. It’s important to understand that PCI DSS is about protecting both electronic data and paper receipts as well.
Modified p. 20 → 27
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents. 27 How to Comply with PCI DSS
Removed p. 22
SEVERITY LEVELS FOR VULNERABILITY SCANNING

CVSS Score         Severity Level     Scan Results
7.0 through 10.0   High Severity      Fail
4.0 through 6.9    Medium Severity    Fail
0.0 through 3.9    Low Severity       Pass

“To demonstrate compliance, a scan must not contain high-level vulnerabilities in any component in the cardholder data environment. Generally, to be considered compliant, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.”

Maintain an Information Security Policy A strong security policy sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.

Requirement 12: Maintain a policy …
Removed p. 23
“PCI DSS represents the best available framework to guide better protection of cardholder data. It also presents an opportunity to leverage cardholder data security achieved through PCI DSS compliance for better protection of other sensitive business data and to address compliance with other standards and regulations.” Aberdeen Group, IT Industry Analyst
Removed p. 25
3. Compensating Controls

• assessor validates alternative control technologies/processes

4. Reporting

• assessor and/or entity submits required documentation

5. Clarifications

• assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand
Modified p. 25 → 27
How to Comply with PCI DSS Merchants and other entities that store, process and/or transmit cardholder data must comply with PCI DSS. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions …
PCI DSS applies to merchants and other entities that store, process, and/or transmit cardholder data. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA.
Modified p. 25 → 27
1. PCI DSS Scoping

• determine what system components are governed by PCI DSS
1. PCI DSS Scoping

• determine which system components and networks are in scope for PCI DSS
Modified p. 25 → 27
2. Assessing

• examine the compliance of system components in scope
2. Assessing

• examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
Removed p. 26
• Discover Financial Services:

• www.jcb-global.com/english/pci/index.html

• MasterCard Worldwide:

• www.visa.com/cisp Visa Europe:
Removed p. 26
• Ensure adherence to the PCI DSS Security Assessment Procedures

• Select systems and system components where sampling is employed

• Produce the final report

PREPARING FOR A PCI DSS ASSESSMENT
Gather Documentation: Security policies, change control records, operational procedures, network diagrams, PCI DSS letters and notifications
Schedule Resources: Ensure participation of a project manager and key people from IT, security applications, business operations, human resources and legal
Describe the Environment: Organize information about the cardholder data environment, including cardholder data flows and locations of cardholder data repositories

The QSA you select should have a solid understanding of your business and have experience in assessing the security of similar organizations. That knowledge helps the QSA to understand business sector-specific nuances of securing cardholder data under PCI DSS. Also, look for a good …
Modified p. 26 → 28
• www.americanexpress.com/datasecurity
American Express: www.americanexpress.com/datasecurity
Modified p. 26 → 28
• www.discovernetwork.com/fraudsecurity/disc.html
Discover: www.discovernetwork.com/fraudsecurity/disc.html
Modified p. 26 → 28
• www.mastercard.com/sdp
MasterCard: www.mastercard.com/sdp
Modified p. 26 → 28
• www.visaeurope.com/ais

Choosing a Qualified Security Assessor
A Qualified Security Assessor (QSA) is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS. The QSA will:
Visa Inc: www.visa.com/cisp
Visa Europe: www.visaeurope.com/ais

Choosing a Qualified Security Assessor
A Qualified Security Assessor (QSA) is a data security firm that is qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments. The QSA will:
Modified p. 26 → 28
• Be onsite for the validation of the assessment or duration as required
• Be onsite for the duration of the assessment as required
Modified p. 26 → 28
Review the work product that supports the PCI DSS Requirements and Security Assessment Procedures
Adhere to the PCI DSS Security Assessment Procedures
Removed p. 27
An ASV scanning solution includes the scanning tool(s), the associated scanning report, and the process for exchanging information between the scanning vendor and the customer. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider. A list of ASVs is available at www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php.

ISA Program The PCI SSC Internal Security Assessor (ISA) Program provides an opportunity for eligible internal security assessment professionals of qualifying organizations to receive PCI DSS training and certification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.
Modified p. 27 → 29
Choosing an Approved Scanning Vendor An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer is compliant with the PCI DSS external vulnerability scanning requirement. ASVs have been trained and are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. An ASV may use its own software or an approved commercial or open source solution to validate compliance.
Choosing an Approved Scanning Vendor An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer meets the PCI DSS external vulnerability scanning requirement. ASVs are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. An ASV may use its own software or an approved commercial or open source solution. ASV solutions must be non-disruptive to customers’ systems and …
Modified p. 27 → 30
Please see the PCI SSC web site for details

• www.pcisecuritystandards.org/approved_companies_providers/internal_security_assessors.php
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Modified p. 28 → 30
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, such data should be securely deleted, migrated/consolidated into the currently defined CDE, or the CDE redefined to include these data.
Modified p. 28 → 30
• The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity.
• The entity retains documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
Removed p. 29
Sampling of Business Facilities and System Components The assessor may independently select representative examples of business facilities and system components to assess PCI DSS requirements. This practice, called sampling, is not required by PCI DSS. Sampling must follow rules and processes defined in PCI DSS. Sampling does not reduce scope of the cardholder data environment or the applicability of PCI DSS requirements. If sampling is used, each sample must be assessed against all applicable PCI DSS requirements. Sampling of the PCI DSS requirements themselves is not permitted. For more information on sampling, see PCI DSS Appendix D: Segmentation and Sampling of Business Facilities/System Components.

Compensating Controls On an annual basis, any compensating controls must be documented, reviewed, and validated by the assessor and included with the Report on Compliance. For more information on compensating controls, see PCI DSS Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet.
Modified p. 29 → 31
Network Segmentation Scope can be reduced with the use of segmentation, which isolates the cardholder data environment from the remainder of an entity’s network. Reduction of scope can lower the cost of the PCI DSS assessment, lower the cost and difficulty of implementing and maintaining PCI DSS controls, and reduce risk for the entity. For more information on scoping, see …
Network Segmentation Scope can be reduced with the use of segmentation, which isolates the cardholder data environment from the remainder of an entity’s network. Reduction of scope can lower the cost of the PCI DSS assessment, lower the cost and difficulty of implementing and maintaining PCI DSS controls, and reduce risk for the entity. To be considered out of scope …
Removed p. 30
SAQ    Description
A      Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B      Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
C-VT   Merchants using only web-based virtual terminals, no electronic cardholder data storage
C      Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
D      All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ

Web Resources
Reports are the official mechanism by which merchants and other entities verify compliance with PCI DSS to their respective acquiring financial institutions or payment card brand. Depending on payment card …
Modified p. 31 → 35
Information Contained in PCI DSS Report on Compliance The template for an entity’s annual Report on Compliance includes the following:
Information Contained in PCI DSS Report on Compliance The template for an entity’s annual Report on Compliance is available on the PCI SSC Website, and includes the following:
Modified p. 31 → 35
1. Executive Summary (description of entity’s payment card business; high level network diagram) 2. Description of Scope of Work and Approach Taken (description of how the assessment was made, environment, network segmentation used, details for each sample set selected and tested, wholly- owned or international entities requiring compliance with PCI DSS, wireless networks or applications that could impact security of cardholder data, version of PCI DSS used to conduct the assessment) 3. Details about Reviewed Environment (diagram of each network, …
6. Findings and Observations (detailed findings on each requirement and sub-requirement, including explanations of all N/A responses and validation of all compensating controls)

COMPLIANCE PROGRAM
• Assess your network and IT resources for vulnerabilities. You should constantly monitor access and usage of cardholder data. Log data must be available for analysis
• You must fix vulnerabilities that threaten unauthorized access to cardholder data
• Report compliance and present evidence that data protection controls are in place
Modified p. 32 → 37
PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org
Membership Information: www.pcisecuritystandards.org/get_involved/join.php
Webinars: www.pcisecuritystandards.org/news_events/events.shtml
Training (for assessors)
QSAs: www.pcisecuritystandards.org/training/qsa_training.php
PA-DSS: www.pcisecuritystandards.org/training/pa-dss_training.php
PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org
Membership Information: www.pcisecuritystandards.org/get_involved/join.php
Webinars: www.pcisecuritystandards.org/news_events/events.shtml
Training
QSA: www.pcisecuritystandards.org/training/qsa_training.php
PA-QSA: www.pcisecuritystandards.org/training/pa-dss_training.php
ISA: https://www.pcisecuritystandards.org/training/isa_training.php
PCIP: https://www.pcisecuritystandards.org/training/pcip_training.php
Other Training Programs: https://www.pcisecuritystandards.org/training/index.php
Modified p. 32 → 37
PCI SSC approved applications and devices
PIN Transaction Security (PTS) Devices: www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php
PCI SSC approved products, solutions and providers
PIN Transaction Security (PTS) Devices: www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php
P2PE Solutions: https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Modified p. 32 → 37
PCI Data Security Standard (PCI DSS)
The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php
Approved Assessors and Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
Navigating the Standard: https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
Self-Assessment Questionnaire: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php
Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
PCI Data Security Standard (PCI DSS)
The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php
Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php
Web Resources
Removed p. 33
The PCI SSC’s founding member card brands share equally in the Council’s governance and operations. Other industry stakeholders participate in reviewing proposed additions or modifications to the standards, including merchants, payment card issuing banks, processors, hardware and software developers, and other vendors.
Modified p. 33 → 39
About the PCI Security Standards Council The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning guidelines, a self-assessment questionnaire, training and education, and product certification programs.
About the PCI Security Standards Council The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
Modified p. 33 → 39
The PCI SSC founding members, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS.
The PCI SSC founding members, American Express, Discover, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC.
Modified p. 33 → 39
PCI SSC Founders Participating Organizations Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale Vendors
PCI SSC FOUNDERS PARTICIPATING ORGANIZATIONS Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale Vendors
Modified p. 34 → 40
PCI Data Security Standard The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It represents common sense steps that mirror security best practices. Learn more about its requirements, security controls and processes, and steps to assess compliance inside this PCI DSS Quick Reference Guide.
PCI Data Security Standard The PCI DSS is a set of comprehensive requirements for enhancing security of payment card account data. It represents common sense steps that mirror security best practices. Learn more about its requirements, security controls and processes, and steps to assess compliance inside this PCI DSS Quick Reference Guide.
Modified p. 34 → 40
Goals PCI DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. …
Goals PCI DSS Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications …