UNDERSTANDING YOUR PCI DSS GUIDELINES: SUCCESSES AND FAILURES
In this E-Guide, SearchSecurity.com expert Mike Chapple details the PCI validation requirements for merchants covered by PCI DSS and reviews PCI's successes and failures. As the industry preps for PCI DSS 3.0, learn what needs to be improved upon and what has remained effective.
PCI VALIDATION: REQUIREMENTS FOR MERCHANTS COVERED BY PCI DSS
Mike Chapple, Enterprise Compliance
Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) must meet a laundry list of PCI validation requirements on a regular basis to certify their compliance to their merchant banks. These requirements include periodic reports on compliance (ROCs), vulnerability scans, penetration testing and Web application testing. In this tip, we examine these requirements to provide a detailed outline of what is needed to remain PCI DSS-compliant.
REPORTING COMPLIANCE: SAQS AND ROCS
Perhaps the most significant PCI requirement is that all but the smallest merchants (those who process fewer than 20,000 e-commerce transactions and
less than 1 million total transactions per year) must submit annual compliance
validation reports to their merchant bank. The scope of these reports and the
qualifications of the individuals performing the assessment vary depending upon where an organization falls within the PCI DSS merchant levels.
The largest merchants (those with over 6 million transactions per year) are
classified as Level 1 merchants and must have an independent audit performed
on an annual basis. This audit may be performed by either a Qualified Security
Assessor (QSA) or the firm's internal audit group if the audit is signed by an
officer of the company. In those cases, the QSA or internal auditors complete
an ROC for submission to the merchant bank. Level 2 and 3 merchants may
conduct the assessment using their own IT and business staff and document
the results on one of the self-assessment questionnaires (SAQ).
The scope of the audit depends upon the characteristics of the merchant's
cardholder data environment -- essentially, the more complex the environment, the greater the scope of the audit. The possibilities are as follows:
SAQ A, the simplest form, is reserved for those merchants that have outsourced all card processing responsibilities.
SAQ B contains the requirements for imprint-only or standalone dial-out terminal users that do not store any cardholder data electronically.
SAQ C is used in cases where merchants have payment application systems that are connected to the Internet but do not store cardholder data. There is a separate version of SAQ C for those merchants using virtual terminals.
SAQ D, the most complex form, is required for all merchants that are not eligible to fill out one of the shorter SAQs. This includes merchants with systems that store cardholder information.
Of course, it's in every merchant's best interest to move as far down the
SAQ chain as possible. Don't fill out the lengthy SAQ D if your organization is
eligible to complete the brief SAQ A!
VULNERABILITY SCANS
All merchants with externally facing (public) IP addresses must also complete
quarterly external network vulnerability scans and provide those results to
their merchant bank. The PCI DSS standard requires organizations to perform the scans through one of the PCI SSC's Approved Scanning Vendors (ASVs), but the organization's merchant bank may require that it use a specific ASV. Many merchant banks require the use of a single ASV partner who, in turn, provides the bank with direct access to consolidated reports, easing the administrative burden on their end.
Of course, simply performing the scan is not sufficient -- companies must
actually pass the scan to be able to assert PCI DSS compliance. For this reason, it's a good idea to run regular compliance scans for the company's own
purposes to validate that it will pass before running the official scan that will
be reported to its merchant bank.
SECURITY TESTING
Two additional requirements apply to organizations with infrastructures that
process cardholder data: penetration testing and Web application assessment.
Organizations must perform annual internal and external penetration testing
of its cardholder data environment, including both network and application
layer tests. Similarly, organizations with Web applications must perform Web
application assessments on an annual basis and after any significant changes.
Both of these tests must be performed either by a qualified security consultant
or by qualified employees of the merchant, provided that the employees performing the tests are organizationally independent from those maintaining the systems.
As companies build their PCI DSS compliance program, it is increasingly
important to keep all of these requirements in mind. It's a good idea to plan an
annual calendar of assessments and tests so that the company doesn't miss a
deadline or wind up rushing to complete all of its PCI validation requirements
at the end of the year. Finally, be sure to retain documentation of all of the company's assessments so that its compliance can be demonstrated to an auditor.
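As an added example (not part of the article or any PCI SSC tooling), the rules above collapsed into a small Python planner: it picks the shortest eligible SAQ, lists the validation tasks the merchant owes its bank, and flags which are overdue against their last completion date. The Level 2/Level 3 boundary, the 90-day quarter, and all function and task names are assumptions.

```python
from datetime import date, timedelta

# Thresholds quoted in the article. The Level 2/Level 3 boundary is not given
# there, so everything between the two thresholds is treated as an SAQ merchant.
LEVEL1_MIN_TXNS = 6_000_000
EXEMPT_MAX_ECOM, EXEMPT_MAX_TOTAL = 20_000, 1_000_000
PERIOD = {"annual": timedelta(days=365), "quarterly": timedelta(days=90)}  # assumed cadences


def select_saq(outsourced_all, imprint_or_dialout_only, internet_payment_app, stores_chd):
    """Shortest SAQ the merchant is eligible for, following the article's descriptions."""
    if stores_chd:
        return "D"          # electronic storage of cardholder data always means SAQ D
    if outsourced_all:
        return "A"          # all card processing outsourced
    if imprint_or_dialout_only:
        return "B"          # imprint-only or standalone dial-out terminals
    if internet_payment_app:
        return "C"          # Internet-connected payment application, no storage
    return "D"              # not eligible for a shorter SAQ


def validation_obligations(total_txns, ecom_txns, saq, public_ips, processes_chd, has_web_app):
    """List of (task, cadence) pairs the merchant owes its bank under the article's rules."""
    tasks = []
    if total_txns > LEVEL1_MIN_TXNS:
        tasks.append(("ROC", "annual"))               # Level 1: QSA or officer-signed internal audit
    elif ecom_txns < EXEMPT_MAX_ECOM and total_txns < EXEMPT_MAX_TOTAL:
        pass                                          # smallest merchants: no annual report
    else:
        tasks.append(("SAQ " + saq, "annual"))
    if public_ips:
        tasks.append(("ASV external scan", "quarterly"))
    if processes_chd:
        tasks.append(("penetration test", "annual"))  # internal + external, network + app layer
        if has_web_app:
            tasks.append(("web app assessment", "annual"))  # also after significant changes
    return tasks


def overdue(tasks, last_done, today):
    """Tasks never completed, or whose last completion plus cadence is already in the past."""
    return [name for name, cadence in tasks
            if name not in last_done or last_done[name] + PERIOD[cadence] < today]


if __name__ == "__main__":
    saq = select_saq(False, False, True, False)       # constructed merchant profile
    tasks = validation_obligations(2_000_000, 50_000, saq, True, True, True)
    print(overdue(tasks, {"SAQ C": date(2013, 3, 1)}, date(2013, 11, 1)))
```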
MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager at the University of Notre Dame. He previously served as an information security researcher at the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for the Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
PCI DSS REVIEW: ASSESSING THE PCI STANDARD NINE YEARS LATER
Mike Chapple, Enterprise Compliance
Nine years ago, the major payment card brands came together and quietly released the first version of the Payment Card Industry Data Security Standard
(PCI DSS), consolidating the confusing set of overlapping requirements previously promulgated by the card brands.
Almost a decade later, the industry now awaits the third major PCI DSS
release as the council prepares to issue PCI DSS 3.0. Now is an excellent opportunity for the industry to reflect upon the standard's successes and failures,
and that's what we'll do here in this PCI DSS review.
COMPLIANCE VS. SECURITY: WHERE ARE WE?
Of course, the goal of the PCI DSS is to improve the security of payment card
information and reduce the cost of fraud to the sponsoring institutions. It's no
secret, however, that the goal of most organizations subject to PCI DSS is simply to pass their assessments and be able to certify compliance for another year.
This is an age-old discussion in the world of compliance: How much of what we
do actually improves security, and how much is simply bureaucratic overhead?
There's no doubt that PCI DSS, as with any regulatory obligation, requires
us to perform some tasks that don't contribute to the security of our information. For example, none of us want to spend time filling out self-assessment
questionnaires or documenting the results of an account review. However, the
vast majority of PCI DSS requirements do have a legitimate basis in information security dogma, and while some wish the standard raised the bar higher,
most security professionals freely admit that the requirements indeed reflect
industry standard best practices.
Has the state of security improved since the release of PCI DSS? I contend
that, indeed, it has. While organizations that have always had strong security
programs may have only seen marginal improvements in their security, it is
indisputable that many organizations only considered payment card security
for the first time when faced with this compliance mandate. The cause of most
payment card breaches can be traced back to basic security controls that were
lacking, and the PCI DSS has helped build awareness around the need for fundamental information security practices.
CONSISTENCY OF ASSESSMENTS
One of the early complaints among merchants and service providers regulated by PCI DSS was that the standard contained a number of vague requirements that were inconsistently enforced by the Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council to conduct PCI DSS validation assessments. This led to confusion within the regulated industry and some degree of shopping around for a QSA that would provide organizations with the results they wanted to hear.
Thankfully, this situation has improved. The PCI SSC heard this feedback
and put a tremendous amount of effort into building a community of QSAs who
consistently interpret the standards. To achieve this task, the council moved
from a standard document that simply listed requirements to one that incorporates the precise audit procedures that QSAs are to follow when validating
compliance. For example, requirement 9.1.1 involving the use of video cameras
and access control mechanisms now has three specific procedures:
9.1.1.a Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas.
9.1.1.b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling.
9.1.1.c Verify that video cameras and/or access control mechanisms are monitored and that data from cameras or other mechanisms is stored for at least three months.
With this new degree of precision, merchants and service providers now
go into assessments with a reasonable understanding of the procedures that
QSAs will perform when conducting assessments.
PREPARING FOR PCI DSS 3.0
As we approach the third release of PCI DSS, many organizations now have a
degree of confidence borne from experience that simply was not there in the
past. While compliance managers should certainly review the PCI DSS Version 3.0 Change Highlights issued by the SSC, there is plenty of time to prepare
before the standard goes into effect in January 2014. Take the time provided
to you during this grace period to review the new standard and implement any
changes that might be necessary in your cardholder environment to remain compliant in the coming year.
The bottom line? In my opinion, the PCI DSS compliance field has matured
significantly over the past decade and evolved from a confusing, feared set of
technical requirements to a well-understood standard that is now often used
as the gold standard of security even in unregulated fields.
MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.