The Payment Card Industry Data Security Standard (PCI DSS) is a compliance mandate that has wide-reaching implications for organizations that handle credit card data - specifically card numbers, expiry dates and the cardholder name - either during a transaction or at any point thereafter. This whitepaper examines the directives of PCI DSS that impact endpoint security and how the access control requirements can best be achieved.
Introduction to PCI DSS
Designed to protect consumers from credit card data theft, the PCI DSS consists of 12 requirements to encrypt or remove sensitive data, protect networks, secure applications and provide security through auditing, monitoring and access control. Putting these measures in place can help prevent denial of service attacks, data theft, and the infection of systems with malicious code.
American Express, Discover, MasterCard, Visa and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004 to develop a mandate to enforce a minimum level of security, to which all merchants processing credit card data should comply. The first version of the standard was published in June 2005, and updated to version 2.0 in October 2010. PCI v3.0 came into force in January 2014 and companies were given one year to implement it.
It's a legal requirement to comply with PCI DSS if your organization stores, processes or transmits cardholder data. Banks regularly report the compliance status of merchants to the credit card companies, which then select businesses to investigate. If found to be in breach of the regulations, organizations can face fines of up to $500,000 and be required to meet litigation costs brought as a result of fraudulent activity. If any part of the payment process is outsourced to a third party, that party must also be PCI DSS compliant, and you should ask to see its compliance certificate annually.
Merchants are categorized into four levels according to the number of credit card transactions they process. Level 1 merchants process six million or more transactions annually and are required to have a yearly onsite security assessment, and a quarterly network scan if involved in e-commerce. Level 4 merchants are at the bottom end of the scale and can comply by completing a self-assessment form.
The 12 PCI DSS requirements are divided into six areas, and the remainder of this whitepaper will focus on two of them: implementing strong access controls and regularly monitoring networks.
PCI DSS aims to make sure organizations:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a Vulnerability Management Program
- Implement strong access controls
- Regularly monitor and test networks
- Maintain a policy that addresses information security