PCI DSS – Frequently Asked Questions (FAQ)

What is PCI, and what does PCI DSS mean?
Answer: PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit payment card information maintain a secure environment and protect cardholder data.

What are the PCI DSS security standards?
Answer: The PCI Data Security Standard is a common set of industry requirements and testing procedures that help ensure the safe handling of payment account data throughout the transaction process. It replaces the separate brand-specific programmes that existed before it, and is administered by the PCI Security Standards Council (PCI SSC, www.pcisecuritystandards.org), an independent body created in 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

What are the PCI DSS requirements?
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Who manages PCI?
Answer: The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the PCI security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

What are the steps for PCI DSS certification?
Answer: The engagement typically runs through the following steps:

Step 1: Agreement, NDA and scope definition
Step 2: PCI gap assessment
Step 3: Remediation plan and support
Step 4: On-site assessment
Step 5: PCI certification and continued support

What is PCI DSS compliance? Does the PCI Security Standards Council enforce compliance?
Answer: PCI DSS compliance means that an organisation meets every PCI DSS requirement that applies to its environment and validates this as required, either through a Self-Assessment Questionnaire (SAQ) or through a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA), depending on its transaction volume and how it handles card data. The PCI Security Standards Council publishes the standard but does not enforce compliance programs. The individual participating payment brands separately determine which entities must be compliant, what validation they must provide and through whom (usually the acquiring bank), including any brand-specific enforcement programs.

What is defined as ‘cardholder data’?
Answer: Under the PCI DSS, cardholder data is at minimum the full Primary Account Number (PAN). It also includes the cardholder name, expiration date and service code when they are stored, processed or transmitted together with the PAN. Sensitive authentication data (full magnetic-stripe or chip track data, the CAV2/CVC2/CVV2/CID code and PINs or PIN blocks) is a separate category that must never be stored after authorisation, even if encrypted. Other personal data such as a postal address or social security number is not cardholder data for PCI DSS purposes, although it may need protection under privacy laws. Any system that stores, processes or transmits cardholder data is in scope for the PCI DSS.

What is the definition of ‘merchant’?
Answer: For the purposes of the PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five founding members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant can also be a service provider if the services it sells result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant when it accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.

What constitutes a Service Provider?
Answer: Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines.

Do organisations using third-party processors have to be PCI Compliant?
Answer: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

What constitutes a payment application?
Answer: The term payment application has a very broad meaning in PCI. A payment application is any software that stores, processes or transmits card data electronically. Any piece of software designed to touch payment card data is therefore considered a payment application.

Are debit card transactions in scope for PCI?
Answer: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.

How do I secure credit card data by achieving PCI compliance?
Answer: The PCI DSS is a set of requirements designed to ensure that all companies that process, store or transmit payment card information maintain a secure environment and protect cardholder data. Compliance is achieved by first reducing the amount of card data you hold and the number of systems that touch it, then implementing the twelve requirements across the remaining in-scope systems, and finally validating that state in the way your acquirer or payment brand requires.

What could happen to my organisation if we fail to implement or adhere to the PCI Data Security Standard?
Answer: Failure to comply or adhere to the PCI standard may result in fines, restrictions, or permanent expulsion from card acceptance programs.

What is PA-DSS?
Answer: PA-DSS is the Payment Application Data Security Standard, maintained by the PCI Security Standards Council. The PCI SSC maintains the PA-DSS and administers a program to validate payment applications against it. The PCI SSC has since retired the PA-DSS in favour of its PCI Software Security Framework, which now covers the validation of payment software.

What is an Approved Scanning Vendor (ASV)?
Answer: Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet facing environments of merchants and service providers. The Council has approved more than 130 ASVs.

Is application penetration testing part of penetration testing in the PCI DSS?
Answer: Yes. Penetration testing should include network and application layer testing, as well as the controls and processes around the networks and applications, and should occur both from outside the network trying to get in (external testing) and from inside the network (internal testing).

What is meant by “adequate network segmentation” in the PCI DSS?
Answer: Network segmentation isolates the systems that store, process or transmit cardholder data (the cardholder data environment, or CDE) from the rest of the organisation's network, so that out-of-scope systems cannot reach the CDE. Its main aim is to reduce the scope, and therefore the cost and complexity, of the card-processing environment. It follows the commonly used strategy of minimisation: keep as little sensitive data as possible, in as few locations as possible, and allow access only to those who absolutely need it. Segmentation is only "adequate" if it is verified; the PCI DSS requires penetration tests that confirm the segmentation controls actually prevent access from out-of-scope networks.

How do I secure payment systems and account data?
Answer: Security of payment systems and account data is the responsibility of every business that participates in payment processing. A single industry-level security standard supported by the members of the PCI Security Standards Council eliminates competing and overlapping brand-specific requirements, thereby simplifying compliance for businesses that store payment account data.

Do I need vulnerability scanning to validate compliance?
Answer: If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

How does penetration testing under the PCI DSS differ from external and internal vulnerability assessments? Who performs penetration testing?
Answer: A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorised access or other malicious activity is possible. Penetration testing should include network and application layer testing as well as the controls and processes around the networks and applications, and should occur both from outside the network trying to get in (external testing) and from inside the network (internal testing). The PCI DSS does not require that a QSA or ASV perform the penetration test; it may be performed by either a qualified internal resource or a qualified third party.

What should I do if I’m compromised?
Answer: We recommend following the procedures outlined in Visa’s “What to Do If Compromised: Visa Fraud Control and Investigations Procedures” document.
Contact Stickman Consulting: https://www.stickman.com.au/
Or go directly to the Visa website:
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

What is the link for the Payment Card Industry Security Standards (PCI SSC) Website?
Answer: https://www.pcisecuritystandards.org/index.php
