A Primer on the Mysteries of PCI Compliance

About the author: Vico Marziale, PhD is a Managing Partner of 504ENSICS Labs, specializing in cutting-edge research and development of tools and techniques for digital forensics and computer security.


The recent rash of credit card data theft from top retailers (like Target) has brought the term “PCI compliance” into the limelight. What exactly is PCI compliance and who does it apply to? Read on for some simple answers. The tl;dr version: businesses that accept credit cards for payment are required to protect that credit card data from theft. The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines for securing sensitive data like credit card numbers. Being PCI compliant simply means following the PCI DSS guidelines for securing credit card data. It’s that simple. For the most part.

Here is the slightly longer version. Once upon a time a few of the credit card companies, namely Visa and MasterCard, had independently developed standards for merchants to use for protecting credit card data from theft. To make things simpler for these merchants to become compliant, in 2006 the PCI Security Standards Council was formed by five major credit card companies to establish standards for securing payment card industry data. Every merchant who accepts credit cards is responsible for making sure that they are compliant with PCI DSS. If they do not, there may be fines levied, or individual credit card companies can terminate their relationship with the non-compliant merchant (which means that merchant may no longer be able to accept credit cards). Not to mention that failure to be compliant is a good indicator that your customers’ credit card data may be at risk, and that’s definitely bad for business. But enough hellfire and brimstone. What, you ask, does it take to be compliant? That depends on how big your company is and who handles your payment processing.

For smaller companies, all that may be required of you is to fill out one of the Self-Assessment Questionnaires (SAQ). These questionnaires range in length and complexity based on whether you physically access credit cards (e-commerce-only shops clearly do not), whether cards are processed via standalone dial-out terminals, whether or not card data is stored, whether payment processing systems are connected to the internet, etc.

Larger companies have significantly more hoops to jump through, and in addition to questionnaires, are required to have regular network vulnerability scans and internal and external penetration tests, which may have to be performed by vendors selected from an approved list.

The main tenets of the PCI DSS (taken from www.pcisecuritystandards.org) are listed below (not all of these will apply to every merchant):

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

As can be seen, these are general guidelines and not an overly specific set of steps. A far more detailed set of procedures for each of the goals listed above is contained in the PCI DSS 3.0 Requirements and Security Assessment Procedures document (located at: www.pcisecuritystandards.org/documents/PCI_DSS_v3.pd). Implementing these procedures can require significant expertise and may require outside assistance from qualified computer security professionals.

Well, that’s the bird’s eye view of PCI compliance. I hope we’ve cleared some things up!