The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard whose purpose is to prevent payment card fraud and to protect cardholder data against a broad range of threats and vulnerabilities.
Card brands such as MasterCard and Visa mandate the controls specified in PCI DSS, and every entity that stores, processes or transmits cardholder data must comply with it. The current version at the time of writing, PCI DSS 3.2, was released in April 2016.
PCI SSC
PCI SSC (Payment Card Industry Security Standards Council) is the governing body established in September 2006 as a joint venture of MasterCard, American Express, Visa, JCB International and Discover Financial Services. Its mandate is to manage the development, maintenance and promotion of PCI DSS and the related PCI standards, so that the brands' individual compliance programmes stay aligned to one common standard.
PCI DSS Requirements
PCI DSS requirements apply to every system component and entity involved in the CDE (Cardholder Data Environment): people, process workflows, and the network and system devices that store, process or transmit cardholder data or sensitive authentication data. The standard stipulates twelve requirements, each broken down into sub-requirements, and each requirement and sub-requirement is presented in three parts.
- Requirement statement/description: the high-level requirement itself. Compliance is validated against these statements.
- Testing procedures: the methods an assessor follows to validate that the requirement has been implemented.
- Guidance: the underlying objective of the requirement, together with supporting material that helps the reader interpret it correctly.
PCI DSS Compliance Validation
The PCI DSS requirements and their corresponding testing procedures together form the security assessment tool used for compliance validation. Compliance validation is the assessment and verification that the security controls, procedures and policies required by PCI DSS have been implemented correctly. The following are the key components of a PCI DSS assessment.
1. Qualified Security Assessor (QSA)
The term QSA (Qualified Security Assessor) refers to an independent security organization that PCI SSC has qualified to validate an entity's adherence to PCI DSS requirements. Qualification only signifies that the QSA company has met the requirements PCI SSC sets for carrying out PCI DSS assessments. PCI SSC maintains a detailed programme for QSA qualification; the qualification is valid for one year, and QSA companies must requalify annually by meeting the requalification requirements.
The QSA requirements cover not only the company but also its staff: the individuals who perform assessments are referred to as QSA employees and must be certified themselves. PCI SSC publishes the list of qualified QSA companies on its website and updates it regularly. The qualification process, from application submission to award, takes approximately three months. Clients should always check the published QSA list before signing a contract for a PCI DSS assessment. The high-level qualification requirements are as follows.
- The organization seeking QSA qualification applies as a firm.
- It provides the documentation listed in "Qualification Requirements for Qualified Security Assessors".
- Its individual employees must also qualify, through training and examination, to carry out validation assessments.
- The QSA company must execute an agreement with PCI SSC governing its performance.
2. Internal Security Assessor (ISA)
The Internal Security Assessor (ISA) programme is aimed at internal employees of an organization who obtain a PCI SSC certification for use within their own company. Its main aim is to support Level 2 merchants in their compliance validation assessments. ISA certification enables an employee to carry out an internal assessment of the organization and to recommend security controls and solutions related to PCI DSS compliance. Because the company sponsors its ISAs through PCI SSC certification, ISAs are also responsible for cooperating and liaising with QSAs. The core advantages of certifying employees as ISAs are:
- Employees gain a clear understanding of PCI DSS and of how to implement it correctly in their company to protect cardholder data and the business.
- They can define the processes involved in card processing and the network segmentation that scopes the CDE.
- They help the organization build internal expertise and assess its own compliance with PCI standards.
- They strengthen the security of payment card data while keeping the cost of compliance under control.
3. Report on Compliance (ROC)
The ROC documents the outcome of an on-site assessment and records that the assessed merchant or service provider has achieved compliance with PCI DSS. It affirms that the organization has developed and correctly implemented the policies and procedures that protect card-based transactions and cardholders against fraud. Instructions and the required content for the ROC are provided in the "ROC Reporting Template" available on the PCI SSC website.
A ROC must be completed for all Level 1 Visa merchants (those processing at least 6 million transactions per year). The assessment is carried out by a QSA, who is also responsible for completing the ROC. The completed ROC is submitted to the merchant's acquiring bank, which forwards the approved ROC to Visa for final compliance validation.
4. Self-Assessment Questionnaire (SAQ)
The SAQ is a set of questions that acquiring banks and payment brands require merchants and service providers to complete and submit annually. It is answered on the basis of a PCI DSS self-assessment carried out internally. Each question is answered Yes or No (v3.2 also allows "Yes with CCW" where a compensating control is in place, and "N/A"); for every "No" the organization must state the remediation it will implement and the target date. An SAQ normally consists of two components:
- A set of questions corresponding to the PCI DSS requirements, with several SAQ types tailored to how the merchant or service provider handles card data.
- An Attestation of Compliance (AOC), certifying that the organization is eligible to perform, and has performed, the appropriate self-assessment.
Key Management and PCI DSS Compliance Validation
Key management is central to the cryptographic mechanisms that protect stored cardholder data: encryption is only as strong as the protection of the keys. As cryptographic mechanisms are deployed more widely in information systems, key management consistently emerges as the main challenge.
The central challenge in enterprise deployments is the key life-cycle, which covers generation, protection of keys against accidental and deliberate compromise (restricting both physical and logical access), authentication of keys and the parties that handle them, revocation, and secure erasure. PCI DSS has the following requirements for key life-cycle management and strong cryptography:
Requirement 3.5 - Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
Requirement 3.6 - Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data. Its sub-requirements in v3.2 cover generation of strong keys (3.6.1), secure distribution (3.6.2), secure storage (3.6.3), key changes at the end of a defined cryptoperiod (3.6.4), retirement or replacement of weakened or compromised keys (3.6.5), split knowledge and dual control for manual clear-text key operations (3.6.6), prevention of unauthorized key substitution (3.6.7), and formal acknowledgment of responsibilities by key custodians (3.6.8).
An organization seeking PCI DSS compliance should therefore adopt standardized key management policies and procedures covering this whole life-cycle; without them it will not pass a PCI DSS assessment.
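The following Python example, added here and not part of the original article or of any PCI SSC material, shows what the life-cycle controls behind Requirement 3.6 look like in code: key generation from the OS CSPRNG, a key check value (KCV) to detect substitution of loaded key material, XOR split knowledge for key custodians, cryptoperiod enforcement with rotation that keeps old data readable under the retired key, and zeroisation on destruction. The actual encryption of cardholder data is assumed to be done by an HSM or a vetted library and is deliberately left out; the one-year cryptoperiod and the `dek-NNNN` naming are assumptions, not values the standard prescribes.

```python
"""Key life-cycle controls for a data-encrypting key (DEK), illustrating PCI DSS 3.6.
Added example: not the article's or PCI SSC's code; encryption itself is out of scope here."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from functools import reduce

KEY_LEN = 32                         # 256-bit key; "strong cryptography" in the PCI DSS glossary
DEFAULT_CRYPTOPERIOD = 365 * 86400   # assumed one-year cryptoperiod; set it from your key policy (3.6.4)


class KeyState(Enum):
    ACTIVE = "active"         # may protect new cardholder data
    RETIRED = "retired"       # may only unprotect data already under it (3.6.5)
    DESTROYED = "destroyed"   # material zeroised; no use at all


@dataclass
class KeyRecord:
    key_id: str
    material: bytearray       # mutable so it can be overwritten on destruction
    kcv: str                  # key check value: safe to log and compare
    generated_at: int         # epoch seconds
    cryptoperiod: int         # seconds during which the key may protect new data
    state: KeyState = KeyState.ACTIVE


def key_check_value(key: bytes) -> str:
    """HMAC-SHA256 of a fixed label, truncated to 6 hex digits: identifies a key
    without revealing it, so substitution of loaded material is detected (3.6.7)."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


def split_key(key: bytes, custodians: int = 2) -> list[bytes]:
    """XOR split knowledge: each custodian holds one full-length random component and
    any subset short of all of them reveals nothing about the key (3.6.6)."""
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(key, *shares))
    return shares + [last]


def combine_key(shares: list[bytes]) -> bytes:
    """Reassemble the key under dual control by XORing every component together."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*shares))


class KeyManager:
    def __init__(self, cryptoperiod: int = DEFAULT_CRYPTOPERIOD):
        self.keys: dict[str, KeyRecord] = {}
        self.active_id: str | None = None
        self.cryptoperiod = cryptoperiod

    def generate(self, now: int) -> str:
        """Strong key generation from the OS CSPRNG (3.6.1)."""
        material = bytearray(secrets.token_bytes(KEY_LEN))
        key_id = f"dek-{len(self.keys) + 1:04d}"          # assumed naming scheme
        self.keys[key_id] = KeyRecord(key_id, material, key_check_value(bytes(material)),
                                      now, self.cryptoperiod)
        self.active_id = key_id
        return key_id

    def verify_loaded(self, key_id: str, candidate: bytes) -> bool:
        """Check the KCV before trusting material loaded from storage or custodians."""
        return hmac.compare_digest(self.keys[key_id].kcv, key_check_value(candidate))

    def key_for_protection(self, now: int) -> KeyRecord:
        """Only an ACTIVE key inside its cryptoperiod may encrypt new cardholder data."""
        if self.active_id is None:
            raise PermissionError("no active key has been generated")
        rec = self.keys[self.active_id]
        if rec.state is not KeyState.ACTIVE:
            raise PermissionError(f"{rec.key_id} is {rec.state.value}")
        if now - rec.generated_at >= rec.cryptoperiod:
            raise PermissionError(f"{rec.key_id} exceeded its cryptoperiod; rotate first")
        return rec

    def key_for_unprotection(self, key_id: str) -> KeyRecord:
        """Existing data may be decrypted under ACTIVE or RETIRED keys, never DESTROYED ones."""
        rec = self.keys[key_id]
        if rec.state is KeyState.DESTROYED:
            raise PermissionError(f"{key_id} has been destroyed")
        return rec

    def rotate(self, now: int) -> str:
        """Retire the current key and generate its replacement; old ciphertext stays readable."""
        if self.active_id is not None:
            self.keys[self.active_id].state = KeyState.RETIRED
        return self.generate(now)

    def destroy(self, key_id: str) -> None:
        """Erase material once every record under this key has been re-encrypted or purged."""
        rec = self.keys[key_id]
        for i in range(len(rec.material)):                 # overwrite in place, then drop the buffer
            rec.material[i] = 0
        rec.material = bytearray()
        rec.state = KeyState.DESTROYED
```

The distinction between `key_for_protection` and `key_for_unprotection` is the part practitioners most often get wrong: rotation must stop new data being written under the old key immediately, but the old key has to stay available (and protected) until the data it covers has been re-encrypted, only then is `destroy` safe. The KCV is the only thing this code ever logs or compares about a key; the material itself never leaves the record. Because Python cannot guarantee that copies of the key bytes are not left elsewhere in memory, production systems keep the material inside an HSM and apply these state rules to key handles instead.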
References
- Selected articles on key management (2012 to date) by Ashiq JA, Chris Allen, Guillaume Forget, James H. Reinholm, Martin Eriksen and others
- Selected articles on PCI DSS (2012 to date) by Ashiq JA, Asim Mehmood, Guillaume Forget, James H. Reinholm, Martin Eriksen, Stefan Hansen and others
- EMV Key Management - Explained
- Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, Version 3.2 (April 2016), PCI Security Standards Council LLC
- PCI DSS 3.2 Resource Guide (2016), PCI Security Standards Council LLC