3. AGENDA
The course is organized in three parts: PCI Overview, PCI DSS Compliance, and PCI Scope & Resources.
• Objectives
• PCI Overview
• PCI Security Standards Council
• Structure of the PCI DSS
• PCI DSS v3.2.1 High Level Overview
• PCI DSS Card Holder Data
• PCI Standard & State Laws
• How PCI DSS Compliance is applied
• PCI DSS & Merchant Levels
• PCI Transaction Cash Flow
• Requirements for Service Providers
• PCI Industry Groups & Issues
5. OBJECTIVES
04.08.21
After you complete this course, you should be able to:
• Understand the key PCI DSS goals and be aware that PCI has been incorporated in State Law
• Be familiar with the types of entities/merchants that PCI DSS compliance applies to
• Gain knowledge of current issues and resources for PCI
• Be familiar with PCI and the Data Security Standards
• Be aware of the PCI Security Standards Council
• Understand the meaning of Cardholder Data
• Be aware of the various merchant levels
6. PCI OVERVIEW
What is PCI?
PCI = Payment Card Industry
There are three standards related to credit card security:
• Payment Card Industry Data Security Standard (PCI DSS)
• Payment Application Data Security Standard (PA-DSS)
• PCI PIN Transaction Security (PCI PTS)
PCI Security Standards Council - Visa, Mastercard, American Express, Discover, JCB International
7. PCI SECURITY STANDARDS COUNCIL
The PCI Security Standards Council was launched in 2006.
The PCI SSC founding payment brands are: American Express, Discover Financial, JCB International, MasterCard, Visa, Inc.
The PCI SSC is responsible for the development, management, education, and awareness of the PCI Security Standards (PCI DSS).
8. STRUCTURE OF THE PCI DSS
PCI-DSS contains 12 high-level requirements including 260 controls categorized into 3 areas:
• Technical solutions & settings
• Policies and procedures
• Training
12. PCI COMPLIANCE APPLICATIONS
PCI DSS applies globally to all merchants and service providers that store, process, use, or transmit cardholder data. Below are some types of entities that PCI DSS compliance applies to:
• Retail - online sites, brick & mortar, mail/phone order
• Hospitality - restaurants, hotels
• Transportation - airlines, car rentals, taxi, limo
• Utilities - gas, electric, water
• Service Providers – cloud security providers, data hosting providers, managed services, etc.
• Telecommunications - cable, wireless services, phone
• Healthcare/Education - hospitals, doctors, dentists, colleges
• Financial Services - banks, insurance, credit card processors
13. PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
• PCI DSS is not a governmental regulation; it is an industry standard and is relevant wherever credit cards are accepted.
• PCI DSS is validated either through a Self-Assessment Questionnaire (SAQ) or through an annual on-site audit performed by a Qualified Security Assessor (QSA).
• How to validate depends upon the number of transactions your organization processes per year [refer to the Merchant Levels slide].
• Some states have incorporated some PCI DSS requirements into privacy and data breach laws.
• Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states either refer to PCI DSS directly or make equivalent provisions.
15. MERCHANT LEVELS AT PCI DSS
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
Visa - Merchant Level - Descriptions
• Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
• Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
• Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
• Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
17. PCI DSS REQUIREMENTS FOR SERVICE PROVIDERS
Some of the key PCI DSS requirements relating to Service Providers:
• Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. (PCI 8.5.1)
• Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: firewalls, IPS/IDS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used). (PCI 10.8)
• If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (PCI 11.3.4.1)
• Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.8.2)
• Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. (PCI 12.9)
• Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: daily log reviews, firewall rule-set reviews, applying configuration standards to new systems, responding to security alerts, and change management processes. (PCI 12.11)
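The PCI 10.8 requirement above asks for a process, not a product, so it helps to see what "timely detection and reporting of failures of critical security control systems" looks like in practice. The following is an added example written for this page, not code from the slides or from the PCI SSC: it treats each critical control (firewall, IDS/IPS, FIM, anti-virus, physical and logical access controls, audit logging, segmentation) as an agent that emits a heartbeat line, and flags three distinct failure modes, a control reporting a bad state, a control whose heartbeat has gone stale, and a control that has not reported at all. The feed format, control names, host names, timestamps and tolerance values are all constructed assumptions.

```python
"""Detection of critical security control failures, in the spirit of PCI DSS 10.8.

Added example; not code from the slides or from the PCI SSC. The status feed
format, control names, hosts, timestamps and heartbeat tolerances are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Critical control types named in PCI DSS 10.8, each with the longest gap between
# heartbeats tolerated before the control is treated as failed (assumed values).
CRITICAL_CONTROLS = {
    "firewall": timedelta(minutes=5),
    "ids_ips": timedelta(minutes=5),
    "fim": timedelta(hours=1),
    "antivirus": timedelta(hours=1),
    "physical_access": timedelta(minutes=15),
    "logical_access": timedelta(minutes=15),
    "audit_logging": timedelta(minutes=15),
    "segmentation": timedelta(minutes=5),
}

# Constructed status feed: "<ISO-8601 time> <control> <host> <state>".
# Each control agent is assumed to emit one such line per heartbeat.
# Note there is no "segmentation" line at all: that monitor is silent.
SAMPLE_FEED = """\
2021-04-08T11:58:00+00:00 firewall fw-01 ok
2021-04-08T11:20:00+00:00 ids_ips ids-01 ok
2021-04-08T11:40:00+00:00 ids_ips ids-01 ok
2021-04-08T11:59:00+00:00 fim pos-srv-01 stopped
2021-04-08T11:30:00+00:00 antivirus pos-srv-01 ok
2021-04-08T11:50:00+00:00 physical_access badge-ctl-01 ok
2021-04-08T11:57:00+00:00 logical_access idp-01 ok
2021-04-08T11:55:00+00:00 audit_logging siem-01 ok
"""
# Assumed "current" time at which the feed is evaluated.
SAMPLE_NOW = datetime(2021, 4, 8, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ControlStatus:
    name: str
    host: str
    state: str              # "ok", or whatever the agent reported
    last_heartbeat: datetime


@dataclass(frozen=True)
class ControlFailure:
    name: str
    host: str
    reason: str


def parse_feed(text):
    """Parse the constructed feed, keeping only the newest record per (control, host)."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, host, state = line.split()
        status = ControlStatus(name, host, state, datetime.fromisoformat(ts))
        key = (name, host)
        if key not in latest or status.last_heartbeat > latest[key].last_heartbeat:
            latest[key] = status
    return list(latest.values())


def detect_failures(statuses, now):
    """Return failures: bad state, stale heartbeat, or a control that never reported."""
    failures = []
    reported = set()
    for s in statuses:
        tolerance = CRITICAL_CONTROLS.get(s.name)
        if tolerance is None:
            continue                     # not a 10.8 critical control; ignore
        reported.add(s.name)
        if s.state != "ok":
            failures.append(ControlFailure(s.name, s.host, f"reported state '{s.state}'"))
        elif now - s.last_heartbeat > tolerance:
            failures.append(ControlFailure(s.name, s.host,
                                           f"no heartbeat for {now - s.last_heartbeat}"))
    # Silence is also a failure: a control that never checked in is unmonitored.
    for name in CRITICAL_CONTROLS:
        if name not in reported:
            failures.append(ControlFailure(name, "-", "no status reported at all"))
    return sorted(failures, key=lambda f: (f.name, f.host))


def failure_report(failures):
    """Render failures one per line, the shape an alert or ticket would carry."""
    if not failures:
        return ["all critical controls healthy"]
    return [f"CONTROL FAILURE {f.name} on {f.host}: {f.reason}" for f in failures]


if __name__ == "__main__":
    for line in failure_report(detect_failures(parse_feed(SAMPLE_FEED), SAMPLE_NOW)):
        print(line)
```

Run as-is, the sample feed yields three failures: the FIM agent on pos-srv-01 reports a stopped state, the IDS/IPS heartbeat is twenty minutes old against a five-minute tolerance, and the segmentation control never reported. The last case is the one most often missed by monitoring that only inspects records it has received; a 10.8 process must also notice the control that has gone quiet, which is why the check iterates over the expected control list rather than over the feed alone.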
18. PCI SCOPE
• The PCI DSS defines scope as “the PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.”
• A cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
• Here’s a list of areas that are very likely in scope in any environment where credit card data is present:
  • Networking devices: switches, routers
  • Firewalls
  • Servers
  • Data Center – physical security
  • Portable media – tapes, USB devices
  • Point-of-sale (POS) devices
  • Wireless devices – access points
  • Applications/databases (that handle credit card data)
19. RESOURCES
INDUSTRY GROUPS & RESOURCES
Official PCI Security Standards Website
www.PCISecurityStandards.org
PCI DSS 3.2.1 Link
https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
PCI INDUSTRY GROUPS/FORUMS
PCI Knowledge Base
https://www.pcisecuritystandards.org/faq/