What is PCI-DSS?
It stands for Payment Card Industry Data Security Standard. It is published by the PCI Security Standards Council (PCI SSC), founded in 2006 by the major card brands.
It is an information security standard for any organization that stores, processes or transmits credit or debit card data (cardholder data).
Its purpose is to protect cardholder data, above all the primary account number (PAN), and sensitive authentication data (full magnetic-stripe/chip track data, CVV2/CVC2, PIN), which must never be stored after authorization.
All businesses, regardless of size or transaction volume, must follow PCI DSS requirements if they accept card payments from the five major brands (Visa, MasterCard, American Express, Discover, JCB). The PCI Council publishes the standard; each brand enforces it through its own compliance program, usually via the merchant's acquirer. (PCI Council)
PA-DSS is the Payment Application Data Security Standard, which applied to off-the-shelf payment applications sold to merchants. It was retired at the end of October 2022 and replaced by the PCI Software Security Framework (SSF).
PCI-PTS is Payment Card Industry PIN Transaction Security, the standard for PIN entry devices and other hardware that handles PINs and card data at the point of interaction.
There is no permanent PCI "certificate": compliance is validated once a year (by SAQ or by a QSA-led Report on Compliance) and the resulting Attestation of Compliance (AOC) covers only that year.
PCI-DSS self-assessment (the SAQ) must therefore be completed annually, with the quarterly external ASV scans kept passing in between.
6 Goals (Control Objectives) and 12 Requirements of PCI-DSS
(Wording below follows PCI DSS v3.2.1. PCI DSS v4.0, mandatory since 31 March 2024, keeps the same 12 requirements but rewords several of them, e.g. Requirement 1 became "Install and maintain network security controls" and Requirement 5 "Protect all systems and networks from malicious software".)
1. Build and maintain a secure network
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open/public networks.
3. Maintain a vulnerability management program
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
4. Implement strong access control measures
Restrict access to cardholder data by business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
5. Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
6. Maintain an information security policy
Maintain a policy that addresses information security for all personnel (employees and contractors).
Entities in the Payment Ecosystem
1. Cardholder (the customer presenting the card)
2. Issuer/Issuing Bank (the cardholder's bank: issued the card and approves or declines each authorization)
3. Merchant (accepts the card as payment for goods or services)
4. Acquirer/Acquiring Bank (the merchant's bank: accepts the transaction on the merchant's behalf, settles with the issuer and pays the merchant; it is usually the party that requires the merchant to validate PCI DSS compliance)
5. Payment Brands/card networks (Visa, MasterCard, etc.: route authorization and settlement between the acquirer and the issuer, and set the compliance programs and merchant levels)
6. Service Providers (payment gateways, processors, hosting providers that store, process or transmit cardholder data on behalf of others; they are in scope for PCI DSS as well)
Merchant Levels
Each payment brand defines its own levels and validation requirements; the commonly quoted Visa/MasterCard thresholds are:
Level 1: more than 6 million transactions per year (any channel), or any merchant the brand designates (e.g. after a breach). Requires an annual on-site assessment and Report on Compliance (ROC) by a QSA (or an Internal Security Assessor).
Level 2: 1 – 6 million transactions per year (any channel). Annual SAQ.
Level 3: 20k – 1 million e-commerce transactions per year. Annual SAQ.
Level 4: < 20k e-commerce transactions per year, and any other merchant with up to 1 million transactions in total. Annual SAQ, with validation requirements set by the acquirer.
QSA: Qualified Security Assessor, a company certified by the PCI SSC to perform on-site assessments and produce the ROC and Attestation of Compliance (AOC)
SAQ: Self-Assessment Questionnaire (filled annually; the SAQ type, e.g. A, A-EP, B, C, D, depends on how the merchant accepts cards and which systems touch cardholder data)
ASV scan (sometimes listed as NSS, "Network Security Scan"): quarterly external vulnerability scan performed by a PCI SSC Approved Scanning Vendor; required for ROC assessments and most SAQ types, must produce a passing result, and must be repeated after significant network changes
Keywords:
Entry-level: PCI-DSS requirements, Cardholder data environment, PCI-DSS compliance levels, Self-Assessment Questionnaires (SAQs), PCI-DSS testing procedures
Mid-level: PCI-DSS in cloud environments, Point-to-Point Encryption (P2PE), Tokenization in PCI-DSS, PCI Software Security Framework, PCI-DSS compliance automation
About Abhishek Kalavadiya
“Welcome to my learning hub! I'm Abhishek Kalavdiya, passionate about simplifying complex concepts of Information security and Cyber Security for Learning.
Here, you'll find a curated collection of blogs, notes, and resources designed to help you succeed academically and professionally. Explore, learn, and grow with me!”