Redspin Payment Card Industry Data Security Standard — Frequently Asked Questions
What is the PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of security standards developed by the Payment Card Industry Security Standards Council (PCI SSC) to protect sensitive data related to credit cards and credit card transactions. The PCI SSC is an international organization founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International to enhance payment account data security by fostering the broad adoption of the PCI security standards.
Who is affected by the PCI DSS?
Any organization that transmits, stores, or processes credit card information is required to comply with the PCI DSS. This includes merchants and service providers.
What is required by the PCI DSS?
The PCI DSS describes 6 broad security objectives which are underpinned by 12 specific requirements:
Objective 1: Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Objective 2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Objective 3: Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Objective 4: Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Objective 5: Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes (this is where the quarterly PCI scan and the PCI penetration test fall)
Objective 6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
What is the difference between having a quarterly external network scan performed by a PCI approved vendor and being compliant with the DSS?
The DSS is a standard that outlines a number of requirements that all merchants and service providers must comply with. A quarterly external network PCI scan is one of the actions that must be taken to fulfill Requirement 11 of the DSS. This PCI scan must be conducted by a PCI certified Approved Scanning Vendor (ASV) and results in a PCI scan report indicating whether an organization's internet-facing systems expose any vulnerabilities serious enough to fail the scan. If the ASV locates serious vulnerabilities on internet-facing systems, the scan report will state that the organization is not compliant. The organization must then take corrective action and have its systems re-scanned until the ASV finds them to be compliant. Note that the ASV scan only examines systems reachable from the internet; it says nothing about the internal network or about the other requirements of the DSS.
If I have an ASV conduct an external network scan and no vulnerabilities are found does that mean I am compliant with the PCI DSS?
No. A clean quarterly external PCI scan fulfills only one part of Requirement 11 of the DSS. To be PCI DSS compliant you must fulfill all 12 requirements of the DSS, including the other tests found in Requirement 11: the internal vulnerability scans, the wireless checks, and the network-layer and application-layer penetration tests.
How will my compliance be checked?
While the PCI Security Standards Council develops and maintains the PCI Data Security Standard, it does not itself audit or enforce compliance. Each payment card brand (Visa, MasterCard, American Express, Discover, JCB) runs its own program for validating and reporting compliance, and the obligations reach merchants through their acquiring banks. For merchants accepting Visa, MasterCard, and American Express, the validation requirements are determined by their merchant level, and the merchant level is determined by the number of card transactions conducted annually. To determine your merchant level, please review the tables on the merchant level reference page for the specific validation requirements of Visa, MasterCard, and American Express.
If my organization is not a level 1 merchant, does that mean the only requirement I have to fulfill is obtaining a quarterly external network scan?
No. Every organization that transmits, stores, or processes credit card data must fulfill all of the requirements enumerated by the PCI DSS. While Level 1 merchants are currently the only merchants required to undergo an annual on-site audit to validate their PCI DSS compliance, all merchants are expected to implement the PCI DSS requirements in full; the merchant level changes only how compliance is validated, not what must be done.
How do I find out if I am PCI DSS compliant?
Level 1 merchants are required to have a PCI certified Qualified Security Assessor (QSA) perform an on-site PCI audit, which produces a Report on Compliance (ROC). Other merchants are responsible for validating their own compliance and typically do so by completing a Self-Assessment Questionnaire (SAQ) and an attestation of compliance for their acquirer; they are not currently required to have a full, on-site PCI audit.
If my PCI compliance is not being audited in full, why should I bother implementing the complete PCI DSS?
Implementing the PCI DSS in full matters for both the reputation and the financial health of an organization. Failure to comply with the PCI DSS can leave an organization liable for fines imposed by the card brands and passed on through its acquiring bank. Many of these fines will start to take effect in the second half of 2007. In addition, in the event of a data security compromise, organizations that were not compliant with the PCI DSS can be held responsible for the damages and expenses that result from the compromise.
On the plus side, merchants and acquirers who fulfill the PCI DSS requirements may be eligible for financial rewards. For example, Visa has implemented the Visa PCI Compliance Acceleration Program (PCI CAP) which will "offer $20 million in financial incentives and create new sanctions in an effort to further merchant compliance with the Payment Card Industry Data Security Standard (PCI DSS)."
How can Redspin aid in my PCI compliance efforts?
Redspin performs audits, including the PCI scan and the PCI penetration test, for institutions that have a genuine concern about the security of their infrastructure. As an independent auditor (we do not sell IT implementation services, hardware, or software) our findings are objective and focused on the most cost-effective path to security; they are not clouded by a profit motive to upsell additional services. Institutions striving for PCI DSS compliance can contract Redspin to help fulfill Requirement 11 of the PCI DSS. Requirement 11 enumerates the following actions, any of which can be completed by Redspin:
- Requirement 11.1b: A wireless analyzer is used at least quarterly to identify all wireless devices.
- Requirement 11.2a: Run an internal network vulnerability scan at least quarterly and after any significant change in the network.
- Requirement 11.2b: Contract an ASV to perform an external network vulnerability scan in accordance with the PCI Security Scanning procedures at least quarterly.
What is a network-layer penetration test (Requirement 11.3.1)?
A network-layer PCI penetration test is a security test that attempts to compromise network devices or protections (firewalls, routers, hosts, and the services they expose) in an organization. Unlike a vulnerability scan, which only reports what a tool detects, a penetration test tries to exploit what it finds, and it is typically conducted manually by trained professionals with experience circumventing security controls. The DSS requires penetration testing at least once a year and after any significant infrastructure or application change.
What is an application-level penetration test (Requirement 11.3.2)?
An application-layer PCI penetration test is a security test that attempts to compromise one or more applications on a network. It focuses on the application-level services, typically web applications and the components behind them, that may provide a path to cardholder data.
Is Redspin a PCI certified Approved Scanning Vendor (ASV)?
Yes, as of Q2 2007 Redspin is a PCI Certified Approved Scanning Vendor (ASV) which is why we are able to fulfill requirement 11.2b of the PCI DSS.
Is Requirement 11.2b the only part of Requirement 11 that must be completed by an ASV?
Yes. The PCI DSS does not stipulate that the other PCI scans and PCI penetration tests in Requirement 11 must be performed by an ASV or a QSA. An institution can perform these actions internally or hire an outside consultant to perform them.
If we can handle the internal network scan and penetration testing on our own, why would we hire Redspin to perform it for us?
Some organizations may not have the knowledge or resources necessary to perform their own internal network scans or penetration tests. Also, in the event that a merchant or service provider must prove its compliance with the PCI DSS, either because it is a Level 1 merchant or following a data compromise, the scope and quality of its PCI scans and PCI penetration tests may come under scrutiny. Redspin performs a high-quality PCI penetration test, with documented scope and methodology, that will withstand scrutiny by the card brands and by QSAs auditing an organization's compliance.
What is the difference between an ASV and a QSA?
An ASV (Approved Scanning Vendor) is certified by the PCI SSC to perform the quarterly external network vulnerability scan required by the PCI DSS. A QSA (Qualified Security Assessor) is trained and certified by the PCI SSC to perform a comprehensive on-site audit and verify an organization's PCI compliance in full.
Have a question that isn't covered in our FAQ?
Please send it to info@redspin.com and we will find an answer for you and add your question to our frequently asked questions list.
References:
For more information about the PCI DSS and PCI SSC, please visit the PCI SSC website:
www.pcisecuritystandards.org
For a more complete description of the DSS and an explanation of the requirements please see the PCI DSS document at the PCI Security Standards website:
www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
To understand how a PCI Data Security Audit is conducted, please consult the PCI DSS Security Audit Procedures Document at the PCI Security Standards website:
www.pcisecuritystandards.org/tech/supporting_documents.htm