The Payment Card Industry has grown to the extent that it touches hundreds of millions of people worldwide every day. While most payments are still made through debit/credit card transactions, consumers are now also using mobile devices to make electronic payments. Whenever a customer uses a debit/credit card to make a payment, personal data is transmitted electronically, including the customer name, card number, security code and expiration date, and this information can be stolen and misused.
History behind PCI
Between 1988 and 1998, Visa and Mastercard reported credit card fraud losses totaling 750 million dollars, a minuscule amount compared with the hundreds of billions of dollars in transactions processed yearly. In October 1999, Visa became the first card brand to develop security standards for merchants conducting online sales. However, as credit card and internet usage grew, fraud also increased, to four times greater than the average transaction.
Formation of PCI
The PCI Security Standards Council was formed to promote Payment Card Industry standards for the safety of cardholder data across the globe. The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., who share equally in the governance and execution of the Council’s work. The PCI Security Standards Council periodically adds new clauses to the requirements and releases updated versions of PCI DSS. The first official PCI DSS, version 1.0, was released in 2004; the current version is PCI DSS 3.2, released in 2016.
The twentieth-century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. It is a severe problem: more than 510 million records with sensitive information have been breached since January 2005, according to PrivacyRights.org. So, for merchants, who are at the center of payment card transactions, it is imperative to use standard security procedures and technologies to thwart the theft of cardholder data.
To protect customer card information, the Payment Card Industry Data Security Standard (PCI DSS) sets 12 requirements as security measures. In this article, we are going to discuss the critical elements of PCI DSS that organizations accepting payment cards for their business are now required to adhere to. These organizations have to protect the cardholder’s information, including name, card number and security code, which is saved in the system when the consumer makes a payment. PCI DSS was formed to stop the data breaches that were increasing between 2000 – 2005, which can only be prevented with a strong regulation that sets the necessary security measures and standards for the Payment Card Industry. Moreover, it gives software developers and device manufacturers the guidance they need to build compliant products.
A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk:
- 81% store payment card numbers
- 73% store payment card expiration dates
- 71% store payment card verification codes
- 57% store customer data from the payment card magnetic stripe
- 16% store other personal data
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
Payment Application Data Security Standard:
Some key points for implementing security steps:
- Use only authorized and approved PIN entry devices.
- Use appropriate software to process payments.
- Most importantly, put firewall protection between the PC and the network.
- Make sure the wireless router uses password encryption. Employees need training to protect cardholder data.
Security Controls and Processes for PCI DSS Requirements
1. Build and Maintain a Secure Network
First of all, cardholder data is only as secure as the paths that give access to it. On one hand, PCI DSS requirements are designed to ensure that network security practices eliminate or limit known threats. On the other hand, they ensure that the organization defines well‐organized policies, procedures and practices that can be followed and audited. To guarantee both secure data pathways and adherence to strict network security policies, PCI DSS requires specific rules for handling card payments to help prevent credit card fraud, skimming, and other security threats:
- Tracking and auditing firewall activities consistently, including clear definitions of roles and responsibilities.
- Strictly restricting internal organizational access to customer data.
- Documenting, enforcing and auditing every operational procedure and practice.
Around 40% of PCI DSS relates to network security, yet this is the main source of pain, complications and disruption for PCI internal auditors, IT administrators and their teams.
For network security teams to run a repeatable, consistent process that does not disrupt business as usual, it is simply not feasible for IT administrators and PCI internal auditors to manage and test everything by hand. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks.
2. Protect Cardholder Data
Cardholder data refers to any information contained on a customer’s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded in the back of the card. Some payment cards store data in chips embedded on the front side. The front side typically has the primary account number (PAN), cardholder name and expiration date, and the 3- or 4-digit card verification number (CVV2). The CVV2 may be on the back, depending on the card. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization.
PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and manufacturers of the applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
3. Implement Strong Access Control Measures
Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware. Logical access control permits or denies the use of PIN entry devices, a wireless network, PCs, and other devices. It also controls access to digital files containing cardholder data.
4. Compensating Controls for PCI DSS Requirements
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated. For a compensating control to be considered valid, it must be reviewed by a qualified assessor.
Compensating controls must satisfy the following criteria:
- Meet the intent and rigor of the original PCI DSS requirement.
- Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
- Be “above and beyond” other PCI DSS requirements. (Simply complying with other PCI DSS requirements is not a compensating control.)
5. Choosing an Approved Scanning Vendor (ASV) for PCI
An Approved Scanning Vendor (ASV) is a data security firm that uses a scanning solution to determine whether the client is compliant with the PCI DSS external vulnerability scanning requirement. ASVs have been trained and are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. An ASV may use its own software or an approved commercial or open source solution to validate compliance. ASV solutions must be non-disruptive to clients’ systems and data: they must never cause a system reboot or interfere with or change domain name server (DNS) routing, switching, or address resolution. Root-kits or other software must not be installed unless they are part of the solution and pre-approved by the client. Tests not permitted by the ASV solution include denial of service, buffer overflow, brute force attacks resulting in a password lockout, or excessive consumption of available communication bandwidth. An ASV scanning solution includes the scanning tool(s), the associated scanning report, and the process for exchanging information between the scanning vendor and the client. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider.
6. The Scope of Assessment for PCI DSS Compliance
PCI compliance scope includes the Cardholder Data Environment (CDE) and the other system applications and components connected to the CDE. A Cardholder Data Environment (CDE) consists of the processes, technologies, hardware and software applications that store, process or transmit customer data such as the card number, CVV number and magnetic stripe data.
Below are the system components which are included in the scope:
- Networking devices
- Computing devices
The first step of a PCI DSS compliance effort is to accurately determine the scope of the environment. The scoping process includes identifying all system components that are located within or connected to the cardholder data environment. The cardholder data environment is comprised of the people, processes and technology that handle cardholder data or sensitive authentication data. System components include network devices (both wired and wireless), servers and applications. Virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors, are also considered system components within PCI DSS. Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure all relevant system components are included in scope for PCI DSS. Entities should confirm the accuracy and appropriateness of PCI DSS scope by performing these steps:
- The assessed entity identifies and documents the existence of all cardholder data in its environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that the PCI DSS scope is appropriate (for instance, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE, unless such data is deleted or migrated/consolidated into the currently defined CDE.
- The entity retains documentation that shows how the PCI DSS scope was confirmed, and the results, for assessor review and for reference during the next annual PCI SSC scope confirmation activity.
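As an added example of the first scope-confirmation step above (finding cardholder data that sits outside the defined CDE), and not code from the original article or from the PCI SSC, here is a small Python scanner that looks for PAN, magnetic-stripe Track 2 and card verification code patterns in text such as logs and exports, validates PAN candidates with the Luhn checksum, and records only masked values. The regexes, the `Finding` structure and the sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Magnetic-stripe Track 2 data (ISO/IEC 7813): ';' PAN '=' YYMM service-code ... '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d{3,}\?")
# A labelled card verification code, e.g. "cvv2=123" (must never be stored).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample log lines; the card numbers are well-known test PANs.
SAMPLE_LOG = """\
2024-03-01 order=10001 customer=Jane pan=4111 1111 1111 1111 exp=12/25
2024-03-01 order=10002 ref=1234567890123456 status=ok
2024-03-02 swipe=;5555555555554444=25121011234567890? cvv2=123
"""

@dataclass
class Finding:
    source: str   # file or log name where the data was found
    line_no: int
    kind: str     # "pan", "track2" or "cvv"
    masked: str   # never the full PAN: first six and last four digits only

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(source: str, text: str) -> list:
    """Scan a text blob line by line; return masked findings for the scope report."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(source, n, "track2", mask_pan(m.group(1))))
        if CVV_RE.search(line):
            findings.append(Finding(source, n, "cvv", "***"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):         # drop order numbers and other digit runs
                findings.append(Finding(source, n, "pan", mask_pan(digits)))
    return findings
```

Real discovery tools also walk file systems, databases and process memory; this block only shows the matching and masking core that such a scan is built on.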
Reporting is a very important part of any organization, as reports serve as a record and as proof when needed. Reports are prepared by the responsible person for a specific or general purpose, and their timing varies from company to company. Every business has a different merchant bank and merchant level, which determine what kind of reporting and validation is required; the volume of transactions also matters. Reports can be weekly, monthly, quarterly or annual, depending on the report, its purpose and the decisions to be made on it. In the same way, PCI DSS compliance has reporting requirements, and a report should consist of the following:
- An executive summary, which should include a description of the cardholder’s payment card business and a network diagram that shows the relationships and gives a clearer picture.
- A more detailed description of the assessment, the scope of work and the approach used, and how much effect it has on the security of cardholder data.
- All the details about hardware and software, service providers and third-party applications.
- Basic details such as the date of the report and contact information.