Payment Card Industry
Data Security Standard (PCI DSS)
By
Roni Argetsinger
rargetsinger@dmdiocese.org
515-237-5007
Members of the PCI Security Standards
Council Include: American Express,
Discover, JCB, MasterCard & Visa.
Does your organization accept payment
or gifts via credit cards? Then you
MUST meet some form of PCI DSS
Compliance
Prioritized Approach
Help stakeholders understand where
they can act to reduce risk.
*No single milestone in the Prioritized
Approach will provide comprehensive
security or PCI DSS Compliance, but
following it’s guidelines will help
stakeholders to expedite the process of
securing cardholder data.
Prioritized Approach
Provides six security milestones that will help
merchants & other organizations
incrementally protect against the hightest risk
factors & escalating threats while on the road
to PCI DSS Compliance.
* To achieve PCI DSS compliance, an
organization must meet all PCI DSS
requirements.
Prioritized Approach Milestones
1: Goal: Remove sensitive authentication data
and limit data retention.
2: Goal: Protect systems & networks, and be
prepared to respond to a system breach.
3: Goal: Secure payment card applications.
4: Goal: Monitor and control access to your
systems.
5: Goal: Protect stored cardholder data.
6: Goal: Finalize remaining compliance efforts,
and ensure all controls are in place.
•
•
•
•
PCI DSS Requirements
There are twelve requirements.
Each requirement has sub-requirements
that need to be met to fulfill the
requirement.
The Prioritized Approach maps out which
sub-requirements should have a higher
priority than others.
Note: Counting all sub-requirements, there
are a total of 229 items that need to be met
(depending upon which type of merchant
you are!)
1.
PCI DSS Requirements
Install and maintain a firewall
configuration to protect cardholder data.
2.
Do not use vendor-supplied defaults for
system passwords and other security
parameters
3.
Protect stored cardholder data
4.
Encrypt transmission of cardholder data
across open, public networks.
5.
PCI DSS Requirements
Use and regularly update anti-virus
software or programs.
6.
Develop and maintain secure systems and
applications.
7.
Restrict access to cardholder data by
business need to know.
8.
Assign a unique ID to each person with
computer access.
9.
PCI DSS Requirements
Restrict physical access to cardholder data.
10.
Track and monitor all access to network
resources and cardholder data.
11.
Regularly test security systems and
processes.
12.
Maintain a policy that addresses
information security for all personnel.
Self Assessment Questionnaire
SAQ: Validation tool intended to assist
merchants & service providers in self-evaluating
their compliance with PCI DSS. There are
multiple versions of the SAQ to meet various
scenarios.
The SAQ Validation tool is for merchants &
service providers not required to submit an onsite
data security assessment Report on Compliance
(ROC).
•
Keep in mind: Compensating Controls = may be considered for most PCI
DSS requirements where an organization can not meet the technical
specification of a requirement, but has sufficiently mitigated the
associated risk through alternative controls.
SAQ Form(s)
A = Card not present (eCommerce). All
cardholder data functions outsourced (13 pages)
B = Imprint only – no electronic cardholder data
storage, or stand-alone dial out terminal
merchants with no electronic cardholder data
storage (18 pages)
C-VT = Merchants using only web based virtual
terminals – no electronic cardholder data storage
(26 pages)
SAQ Form(s)
C = Merchants with payment application
systems connected to the internet, no
electronic cardholder data storage (40 pages)
D = All Others
•
I.E. More pages = more questions = more requirements to satisfy!
www.pcisecuritystandards.org