Guidance for PCI DSS

Any business that stores, processes or transmits payment card data, whether it accepts cards online or at a physical point of sale, is expected to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS comprises a set of requirements that merchants and service providers must meet to protect their customers' card data. Many companies struggle with these requirements, and in most organizations InfoSec managers are not sure which of their networks and systems fall under the PCI DSS scope.
What is PCI DSS?
PCI DSS is an acronym for Payment Card Industry Data Security Standard. The standard is maintained by the PCI Security Standards Council, which was founded by the five major payment card brands: Visa, MasterCard, JCB International, Discover Financial Services and American Express. It sets out the requirements for handling, transmitting and storing cardholder data (CHD).
PCI DSS is not a law; it is a contractual obligation that merchants take on through their acquiring banks and the card brands. Its requirements protect both merchants and consumers, and they apply to every entity that stores, processes or transmits cardholder data, not only to those that process card payments themselves.
Understanding Cardholder Data (CHD)
PCI DSS defines cardholder data (CHD) as, at a minimum, the full primary account number (PAN). When the PAN is present, the cardholder name, the card expiration date and the service code that are stored, processed or transmitted with it are also cardholder data.
Other personally identifiable information (PII) about the customer, such as a postal address, is not cardholder data by itself, although it may be covered by privacy regulations. Sensitive authentication data (the full magnetic stripe or chip track data, the CVV2/CVC2/CID security code and PIN data) is a separate category: it must never be stored after authorization, even in encrypted form.
Securing the Cardholder Data Environment (CDE)
The cardholder data environment (CDE) is the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
The technology includes components such as servers, workstations, applications, databases and networked devices (firewalls, switches, load balancers) that handle cardholder data. Systems that do not themselves handle cardholder data but are connected to the CDE, or that could affect its security (for example a directory server, a log collector or a management workstation with access into the CDE), are also in scope. All of these components must meet the applicable PCI DSS requirements.
Network Segmentation
PCI DSS does not require the cardholder data environment to be segmented from the rest of your network, but without segmentation the whole network is in scope and every system on it must be assessed. Isolating the CDE with firewalls, access control lists or separate VLANs, and then testing that the isolation actually holds, reduces the scope to the CDE and the systems connected to it. Any device that can reach the CDE over an uncontrolled connection pulls itself into scope and, if compromised, gives an intruder a path to cardholder data, which can lead to fines and penalties from the card brands and your acquiring bank.
Overview of the PCI DSS Scope
For your firm to be PCI compliant, you first have to determine the CDE. Make an inventory of the networks, systems, applications and devices that store, process or transmit CHD, together with the systems connected to them, and treat that inventory as the CDE.
All the systems and components that transmit, handle or store CHD in any form should be separated from the rest of the infrastructure and secured according to PCI DSS requirements. Scoping is repeated at least annually and whenever the environment changes, because systems drift into scope as new integrations are added.
Importance of Creating a Data Flow
It is essential to know the exact path that cardholder data follows as it is received, transmitted, processed and stored in your IT infrastructure, from the point of capture through to the payment processor and any backups or logs. For example, a system inside the CDE may forward transaction details to an application that is not supposed to handle card data, such as an analytics or support tool.
In that case the receiving application is handling CHD and is therefore part of the CDE; it has to be secured according to PCI DSS requirements. If it is left unprotected, an intrusion through it can compromise the CDE.
Understanding how data flows through your IT infrastructure is critical to determining the security measures to implement for risk mitigation and prevention, and to showing an assessor that nothing outside the CDE ever touches cardholder data. Searching logs, databases and file shares for PANs is a practical way to check whether the documented flow matches reality.
What is an SAQ?
The PCI Security Standards Council publishes Self-Assessment Questionnaires (SAQs) that eligible merchants can complete to review their environment and attest to their PCI DSS compliance. There are several SAQ types, each for a particular way of accepting payments (for example fully outsourced e-commerce, standalone dial-out terminals or imprint-only merchants), and each covers only the requirements that apply to that payment channel. Which SAQ you may use therefore depends on how your CDE is built; the questionnaire does not by itself shrink the CDE.
Merchants that take card payments in person can use a PCI SSC listed point-to-point encryption (P2PE) solution and become eligible for SAQ P2PE, a much shorter questionnaire than the full SAQ D. This reduced set of requirements applies to merchants that:
- process all payments through a PCI SSC listed P2PE solution;
- use only point of interaction (POI) devices approved as part of that solution;
- have implemented all controls in the solution's P2PE Instruction Manual;
- do not otherwise receive, transmit or store electronic cardholder data; and
- do not retain any legacy electronic cardholder data.
The reduced questionnaire is applicable to brick-and-mortar stores that use validated P2PE devices and do not store electronic cardholder data in any form.
PCI Compliance Audits
Depending on your transaction volume and your acquirer's rules, your organization's PCI compliance is either validated by an on-site assessment from a third party known as a Qualified Security Assessor (QSA), which results in a Report on Compliance (ROC), or self-assessed through an SAQ. QSAs are trained and certified by the PCI Security Standards Council and will review your cardholder data environment to confirm that it is appropriately secured. Either route ends with an Attestation of Compliance (AOC).
If your organization uses a Software-as-a-Service (SaaS) platform to process payments, the platform is a service provider and is part of your PCI compliance scope if it stores, processes or transmits CHD on your behalf. For this reason, it is critical to establish whether the payment platform you want to use is PCI compliant before you adopt it, and to record which requirements the provider meets and which remain yours.
Vendors should provide the following documentation to prove compliance:
- an Attestation of Compliance from an independent assessment carried out annually and made available to their customers; and
- additional evidence on request, such as a responsibility matrix showing which PCI DSS requirements the provider covers and which the customer must cover.
Use Compliance Software to be PCI Compliant
You can use various programs to manage your firm's PCI compliance requirements. Compliance software acts as a single source of information that shows your current security controls and the evidence behind them. You can then map those controls to the PCI DSS requirements they satisfy, see where the gaps are, and keep the scope, data-flow diagrams and assessment evidence current between audits.
Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the IT governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.
The post Guidance for PCI DSS appeared first on Entrepreneurship Life.
