PCI Security & Compliance

The Payment Card Industry Security Standards Council was originally formed in 2006 by payment brands American Express, Discover, JCB International, MasterCard and Visa to share responsibility for the global evolution of payment account security.

PCI DSS applies to all organisations that store or process cardholder data, so a merchant of any size that accepts payment cards must be PCI compliant.

The current PCI version 3.0 replaced version 2.0 as of January 1st 2015, with version 3.1 due to come into force from June 30th 2016.

The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a universal standard created by the PCI Security Standards Council to protect consumers and cardholder data and reduce fraud globally.

Merchant Levels

Your merchant level is determined by the volume of e-commerce and/or card-not-present (CNP) transactions your organisation processes annually. Your acquiring bank can provide assistance in determining your merchant level.

This merchant level then determines the specific requirements an organisation must meet to achieve PCI compliance.

Level | Description
1     | Merchants processing over six million transactions per year via all channels
2     | Merchants processing one million to six million transactions per year via all channels
3     | Merchants processing 20,000 to one million e-commerce transactions per year
4     | E-commerce merchants processing fewer than 20,000 e-commerce transactions per year; and non-e-commerce merchants processing up to one million transactions per year

PCI DSS Requirements

PCI DSS comprises 12 high-level requirements organised under six categories called Control Objectives. Each of these 12 high-level requirements is then broken down into a number of more detailed sub-requirements.

The exact set of low-level requirements a merchant is assessed against depends on how payments are processed as well as on its merchant level.

For example, businesses that use an approved third-party service provider to store cardholder data and process payments are not required to meet as many requirements as businesses that handle everything in-house.

Completing Self-Assessment

The type of Self-Assessment Questionnaire (SAQ) to complete depends on the payment methods used.

Questionnaire | Payment method | Short description | ASV scan required
SAQ A | e-commerce | Completely outsourced payment solution: a wholly hosted e-commerce website, or an iframe/redirection to the provider for the payment pages | No
SAQ A-EP | e-commerce | Partly outsourced: some payment details or image/style resources are supplied from the merchant site, e.g. a form submitted to the payment provider with the amount and description of the product | Yes
SAQ B | Card present or card-not-present (CNP) | Standalone terminals that operate via a traditional telephone network | No
SAQ B-IP | Card present or CNP | Standalone terminals connected to a payment processor via an IP connection (not over the internet) | Yes
SAQ C | Card present or CNP | Standalone terminals that operate via the internet | Yes
SAQ C-VT | Card present or CNP | Web-based virtual terminals with manual entry | No
SAQ D | Any | All merchants and service providers eligible for a self-assessment questionnaire but matching none of the above | Yes
SAQ P2PE-HW | Card present or CNP | Hardware-based terminals used in a point-to-point encryption scheme | No

Evolution of PCI DSS

PCI DSS version 3.1 places much more emphasis on preventing data breaches, through access control technologies, automated vulnerability scanning and manual penetration testing, so that security weaknesses are found and fixed before they lead to a breach.

Access Control and Two Factor Authentication

8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance). (Source: PCI DSS v3.1, p. 72)

Requirement 8.3 of the Standard, a mandatory part of PCI compliance, describes how remote network access must be controlled so that administrative credentials alone cannot be used to harvest cardholder data from a remote location. Hardware-based two-factor authentication solutions can be used to meet this requirement, as can voice, SMS or software-based solutions.

Control Objectives and the 12 PCI DSS Requirements

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

Validation of Compliance

Level 2, 3 and 4 Merchants

Most organisations that process payment data will find themselves to be level 3 or 4 merchants and can certify their PCI compliance themselves by filling in a Self-Assessment Questionnaire (SAQ) for their specific payment method.

This SAQ is then submitted to an approved assessor who validates the answers given and then provides an Attestation of Compliance. The merchant then submits this signed Attestation of Compliance to their acquiring bank as proof that they are PCI compliant.

E-commerce merchants meeting level 3 or 4 can self-certify their compliance, or they may alternatively use a service provider that has certified their own PCI DSS compliance (for example, an online marketplace such as Amazon or eBay).

In some cases, additional supporting evidence will be required, such as the results of an on-site audit report by a Qualified Security Assessor (QSA), or a quarterly network security scan by a PCI SSC Approved Scanning Vendor (ASV).

All merchants classed as level 2, and non-e-commerce merchants classed as level 3 or 4, must have quarterly security scans by an ASV in addition to submitting the annual SAQ. Some acquiring banks require monthly rather than quarterly security scans where the type of SAQ indicates it is necessary.

Level 1 Merchants

In addition to an annual SAQ and quarterly network security scans by an ASV, level 1 merchants must provide an Annual Report on Compliance (ROC) following an on-site audit report by a QSA.

Network Security Scanning

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). (Source: PCI DSS v3.1, p. 94)

Requirement 11.2 of the Standard insists upon regular network scans to maintain security. Requirement 11.2.1 requires that any item found on an external scan to be “high-risk” is rescanned until all such vulnerabilities are resolved. High-risk vulnerabilities are those classed as levels 3-High, 4-Critical and 5-Urgent.
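The scan-and-rescan rule above, worked through in code as an added example (this is not code from the page or from VerIDial, and the report format is a constructed, simplified CSV export rather than any real scanner's output). It assumes hypothetical finding identifiers of the form HYP-nnnn, RFC 5737 documentation addresses as hosts, and reads "quarterly" as at most 91 days between scans; the risk scale is the page's own (3-High, 4-Critical, 5-Urgent count as high-risk):

```python
"""Added example: apply the PCI DSS 11.2 scanning rule to a constructed scan export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Risk scale as the page describes it: levels 3-High, 4-Critical and 5-Urgent
# are "high-risk" and must be rescanned until resolved.
HIGH_RISK_MIN_LEVEL = 3
# Assumption: "quarterly" is read as at most 91 days between scans.
QUARTER = timedelta(days=91)


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str  # hypothetical scanner identifier, not a real plugin or CVE id
    level: int       # 1..5 on the page's risk scale
    title: str
    resolved: bool


def parse_report(text: str) -> List[Finding]:
    """Parse the constructed, simplified CSV export: host, id, level, title, resolved."""
    findings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment lines
        host, finding_id, level, title, resolved = [f.strip() for f in line.split(",")]
        findings.append(Finding(host, finding_id, int(level), title, resolved.lower() == "yes"))
    return findings


def requires_rescan(findings: List[Finding]) -> List[Finding]:
    """Unresolved high-risk findings: each one blocks a passing scan until it is fixed."""
    return [f for f in findings if f.level >= HIGH_RISK_MIN_LEVEL and not f.resolved]


def scan_passes(findings: List[Finding]) -> bool:
    """The scan is treated as passing only when no unresolved high-risk finding remains."""
    return not requires_rescan(findings)


def next_scan_due(last_scan_iso: str, change_dates_iso: List[str]) -> str:
    """11.2: scan at least quarterly and after any significant change.

    Returns the ISO date by which the next scan is due: the earliest significant
    change made after the last scan if there is one, otherwise one quarter on.
    """
    last_scan = date.fromisoformat(last_scan_iso)
    changes = sorted(date.fromisoformat(d) for d in change_dates_iso)
    later = [d for d in changes if d > last_scan]
    due = later[0] if later else last_scan + QUARTER
    return due.isoformat()


# Constructed sample export; hosts are RFC 5737 documentation addresses.
SAMPLE_REPORT = """
# host, id, level, title, resolved
203.0.113.10, HYP-1001, 5, Outdated TLS configuration, no
203.0.113.10, HYP-1002, 2, Banner discloses server version, no
203.0.113.11, HYP-1003, 4, Management interface reachable from the internet, yes
203.0.113.12, HYP-1004, 3, Missing vendor security patch, no
"""

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for f in requires_rescan(findings):
        print(f"rescan needed: {f.host} {f.finding_id} level {f.level}: {f.title}")
    print("scan passes:", scan_passes(findings))
    print("next scan due:", next_scan_due("2016-01-15", ["2016-03-01"]))
```

In the sample, the level-4 finding that is already marked resolved drops out of the rescan list, the level-2 finding never enters it, and the two remaining high-risk items keep the scan failing until they are fixed and rescanned; a firewall rule change recorded after the last scan pulls the next scan forward from the quarterly date to the date of that change.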

Penetration Testing

Requirement 11.3 explicitly states that the scope and methodology of any penetration test are to be NIST approved, covering both the network and applications, inside and outside the merchant’s network. Internal and external testing must each be performed no less than once every 12 months.

Achieving Compliance

Achieving PCI compliance is important for business reputation and longevity, and the Standard exists to promote best practice and to protect and reassure customers.

For most SMEs, meeting requirements of this kind can seem a daunting prospect, but thanks to self-certification via SAQs, together with outsourcing the handling of cardholder data to third parties, many of these requirements can be reduced in scope, making compliance more straightforward to achieve.

For information on how VerIDial can help your organisation please contact us.

Sources
https://www.visaeurope.com/receiving-payments/security/merchants
https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
https://www.pcisecuritystandards.org