‘Security’ as I see it is omnipresent in our lives. We may not have an excessive interest in it or even feel that it is there – but it is intertwined with everything we do.

After you finish paying with a credit or debit card, remember the line on the receipt that says “PCI-DSS compliant”?

Well, that is what we are going to discuss today. Today’s online world and the cashless way of transacting business have brought more players into the payment industry than ever before. Cash is no longer the only means of payment; credit and debit cards have become the norm for customers making purchases through brick-and-mortar stores as well as through online portals. This in turn has given rise to credit and debit card fraud, and ‘fraud management’ has become an important branch of research for vendors and merchants alike. PCI-DSS standards help prevent credit card and debit card fraud.

PCI-DSS standards help:

  1. Financial institutions implement the technologies and security policies to protect card user data.
  2. Vendors implement secure payment solutions.

This article tries to give a brief perspective on PCI-DSS.

PCI-DSS:

PCI-DSS, or ‘Payment Card Industry – Data Security Standard’, is a set of rules and regulations to help the very vulnerable credit card industry. The present-day PCI-DSS is the evolution of the separate data security programs of the major card companies: Visa’s Cardholder Information Security Program, MasterCard’s Site Data Protection, American Express’ Data Security Operating Policy, Discover’s Information Security and Compliance, and JCB’s Data Security Program. It was first launched in 2006 and has a release once every 3 years. The last release, PCI-DSS 3.2, was launched in October 2016.

The PCI-DSS objectives apply to all the entities that deal with credit card data: merchants, processors, acquirers and issuers.

If you are a merchant who deals with card payments, these standards apply to you.

PCI-DSS specifies 12 control objectives to protect cardholder data (CHD). The list below condenses the objectives of PCI-DSS.

The first two objectives relate to building and securing the network.

  1. An effective firewall configuration should be used to protect cardholder data (CHD).
  2. Vendor-supplied defaults and passwords should not be used on systems that store or handle CHD.

The third and fourth objectives relate to protecting CHD.

  3. CHD must be protected.
  4. When CHD is transmitted over public networks, it must be encrypted.

The fifth and sixth objectives relate to maintaining a ‘vulnerability management program’.

  5. Obviously, ‘prevention is better than cure’, so it is better to maintain anti-virus definitions and keep them up to date than to deal later with breaches resulting from negligence.
  6. Continuing from point 5, systems must be maintained in a secure way.

The seventh, eighth and ninth objectives relate to access control for CHD.

  7. CHD must be accessed only by those with a business need.
  8. Each individual accessing CHD should be given a unique ID.
  9. Physical access to CHD must be restricted.

The tenth and eleventh objectives relate to monitoring and testing the networks.

  10. All access to CHD must be monitored.
  11. All security systems must be regularly tested.

The last objective relates to policy.

  12. As InfoSec professionals, most of us know the importance of a policy. Policy is always the baseline for most procedures, and in this case too an information security policy is needed.

We have seen the various features of the PCI-DSS standards. If followed by financial institutions and vendors, these standards will reduce the risk of credit/debit card fraud.



9 thoughts on “PCI-DSS”

  1. I realise the importance of security as I am recovering from a fraudulent transaction in my bank account. PCI-DSS is something I wasn’t aware of and have learnt about for the first time today. Thanks for sharing more than the basic information with technical know-how on the security features enabled in our debit and credit cards.
