Payment Card Industry (PCI) Standards

What you will learn

  • What the PCI Council is
  • What the PCI standards are
  • How compliance to the PCI standards is enforced
  • How an organization validates its compliance

What you should read first

  • Nothing, start here

Introduction

The Payment Card Industry (PCI) standards are a set of security standards created to better protect cardholder data. With that goal, the standards are applied to all entities that store, process, or transmit such cardholder data.

Management and administration of the standards is handled by the Payment Card Industry Security Standards Council (also referred to as the SSC, the PCI SSC, or simply the Council), a separate entity formed by the card associations American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. [1]

The Three PCI Standards

There are three PCI security standards, created to cover different aspects of the payment ecosystem. They are:

  1. PCI Data Security Standard (PCI DSS): This standard applies to all entities that store, process, and/or transmit cardholder data, such as merchants or service providers.
  2. PIN Transaction Security (PCI PTS) Requirements: Applies to manufacturers of payment devices.
  3. Payment Application Data Security Standard (PA-DSS): Applies to payment applications that are used by entities such as merchants and/or service providers to store, process and/or transmit cardholder data. The important distinction between PA-DSS applications and PCI DSS is that PA-DSS applications do not store, process, or transmit cardholder data, or have access to cardholder data.[2]

Service Provider
A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).[3]

It is important to note that using a PA-DSS application does not by itself make a merchant or service provider PCI DSS compliant, as PCI DSS is a more extensive standard than PA-DSS.

PCI DSS

The PCI Data Security Standard is a standard that applies to all entities that store, process, and/or transmit cardholder data. Merchants that accept cards, for example, must comply with the PCI DSS. The standard consists of 12 requirements that guide organizations in two areas:

  • Business practices such as Requirement 7, "Restrict access to cardholder data by business need to know."
  • Coding practices such as Requirement 4, "Encrypt transmission of cardholder data across open, public networks."

In November 2013, the SSC updated the PCI DSS standard to version 3. Read the actual standard here for detailed information on what exactly the requirements are and how to implement them.

The certificate of compliance for PCI DSS is called a Report on Compliance (ROC) and it needs to be renewed every year.

PCI PTS

The PCI PIN Transaction Security requirements guide the practices of manufacturers of devices with cardholder PIN functionality. Entities such as merchants and banks with ATMs are required by card associations such as Visa to use only devices that have been tested and approved by the SSC. The PCI website maintains a list of such approved devices.

In March 2014, the SSC updated PCI PTS to version 1.4.

PA-DSS

The PA-DSS is a standard that guides the development of payment applications that store, process, and/or transmit cardholder data for the authorization or settlement process. Card associations such as Visa require merchants to use approved applications. A list of these approved applications is maintained by the SSC here.

In November 2013, the SSC updated PA-DSS to version 3.

The PA-DSS equivalent of a ROC is called a Report on Validation (ROV) which needs to be renewed every year.

The compliance process

There are three conceptual steps to the compliance process:

  1. Assessment: Assessment is the process of an organization identifying its IT assets and business processes that pertain to cardholder data and analyzing them for security vulnerabilities.
  2. Remediation: Once vulnerabilities have been identified, the next step is to secure them.
  3. Reporting: Finally, a business validates its compliance (possibly with a report) and, if necessary, submits this validation to the acquiring banks and card associations with which it has a relationship.

Although the actual steps may vary according to the organization in question — a larger retailer like Best Buy, for instance, has different requirements than a small, e-commerce site — these are the general steps for all three standards.

Enforcement and Validation

The SSC is only responsible for managing the PCI standards, which includes tasks such as updating them and disseminating information. Enforcement, however, is handled by the card associations. Each card association has its own program that classifies entities and defines reporting and validation requirements based on those classifications.

Visa, for instance, classifies merchants into four levels based on "volume of transactions, the potential risk, and exposure introduced into the payment system by merchants and service providers." [4] The smaller the merchant's transaction volume, the less stringent their security compliance requirements are.

Level 1 merchants are those merchants that process over 6 million Visa transactions annually. The validation requirements for Level 1 merchants are the most stringent so that this volume of transactions is kept secure. Among other requirements, Level 1 merchants are the only merchants required by Visa to validate their PCI compliance with an annual ROC completed by a Qualified Security Assessor (QSA). We explain in the next section what a QSA is and what some of the other validation requirements are.

In the event of a data compromise, Visa may fine the merchant, service provider, or financial institution that has not complied with security requirements. Visa may additionally escalate the merchant to a higher validation level.

Qualified Security Assessors (QSAs)

The term Qualified Security Assessor refers both to an organization whose employees have been certified by the SSC to assess compliance and to the certified employees themselves within such an organization. For clarity, we will refer to companies as QSA companies and their employees as QSA employees.

The role of a QSA is to complete compliance validation requirements for a merchant or financial institution based on the SSC's rules. The SSC's responsibility is to establish and maintain the program that certifies these companies and their employees as QSAs. The SSC maintains a list of certified QSA companies here.

Approved Scanning Vendors (ASVs)

One of the PCI requirements that applies to all organizations is to run regular network vulnerability scans, stipulated by Requirement 11.2 of the PCI DSS:

PCI DSS Requirement 11.2
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). [5]

Depending on an organization's classification by the card associations, it may be required to have this vulnerability scan performed by an Approved Scanning Vendor (ASV). Similar to Qualified Security Assessors, ASVs are organizations certified by the SSC to validate compliance with certain PCI requirements.

The SSC maintains a list of certified ASVs here.

Self-Assessment Questionnaires (SAQs) and Attestations of Compliance (AOC)

Merchants that are not required to submit a ROC, i.e. those in Levels 2-4, may instead be required to complete a Self-Assessment Questionnaire (SAQ). The SAQ is a means for merchants to self-evaluate their compliance with the PCI DSS standard.

Once the SAQ has been completed, the organization is required to submit an Attestation of Compliance (AOC), a self-certification that the organization adheres to PCI DSS requirements and has completed the Self-Assessment Questionnaire.

An overview and the documents themselves can be found on the SSC's site.

EMV Exemption

The card associations can also use their enforcement authority over PCI validation to waive some validation requirements in special circumstances. Visa's Technology Innovation Program (TIP) is one such instance. The TIP program eliminates a merchant's validation requirements for "any year in which at least 75 percent of the eligible merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals." Check Visa's website for more detail on the requirements.[6]

MasterCard, American Express, and Discover have all instituted similar programs as of October 2014.[7]

TransparencyX Merchants

To complete the PCI compliance self-assessment:

  1. Please visit firstdata.com/transarmor
  2. Register your location(s)
  3. Complete the security questionnaire

Completing this online form means that you are up to date on your credit card security self-assessment.

To assist you, please see this PowerPoint presentation that shows example answers provided by a Golden Chick corporate location running on Aloha version 6.7 that passed its PCI SAQ.

References

  1. PCI DSS Quick Reference Guide, p. 5
  2. PA-DSS v3, p. 5
  3. PCI SSC Glossary of Terms, "Service Provider"
  4. Visa Card Information Security Program (CISP) Overview
  5. PCI DSS v3, p. 91
  6. PCI DSS Compliance for Visa Merchants
  7. VeriFone: EMV Key Dates