Friday, March 22, 2019

Understanding PCI DSS Requirements

PCI DSS v3.2.1 Requirements: an overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data.

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Account data consists of two types of data: cardholder data and sensitive authentication data.

Card Holder Data:

  • Primary Account Number
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data:

  • Full track data (magnetic stripe data or the equivalent data on a chip)
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN Blocks

PCI DSS requirements apply to organizations where account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted. Some PCI DSS requirements may also apply to organizations that have outsourced their payment operations or the management of their cardholder data environment (CDE). Additionally, organizations that outsource their CDE or payment operations to third parties remain responsible for ensuring that the account data is protected by the third party in accordance with the applicable PCI DSS requirements.

Detailed PCI DSS Requirements and Security Assessment Procedures:

The detailed PCI DSS requirements consist of 12 high-level requirements grouped under the headings listed below. Each requirement contains further sub-requirements and testing procedures, which can be found in the standard itself.

Build and Maintain a Secure Network and Systems:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data:

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program:

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures:

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks:

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy:

Requirement 12: Maintain a policy that addresses information security for all personnel.

Apart from the above, additional requirements are set out in three appendices:

  • Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
  • Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI terminal connections.
  • Appendix A3: Designated Entities Supplemental Validation.

This content is freely available in the public document on the PCI DSS website for download. I have just summarized the controls and requirements briefly for basic understanding only.

https://www.pcisecuritystandards.org/


Thanks

-DR
