Understanding the PCI Data Security Standard
The How and Why of PCI
Understanding the PCI Data Security Standard
Managing and mandating payment card data security falls under the purview of an independent industry council whose
original members included American Express, MasterCard Worldwide, Visa International, JCB and Discover Financial Services.
This group is properly known as the Payment Card Industry Security Standards Council, or PCI SSC. Its primary responsibility
is the formulation and maintenance of a set of standards called the
Payment Card Industry Data Security Standard (PCI DSS). In addition to credit and debit cards,
prepaid, e-purse,
automated teller machine (ATM) and
point-of-sale (POS) cards are all subject to these standards.
In its own words, the PCI Security Standards Council describes itself as "an open global forum for the
ongoing development, enhancement, storage, dissemination and implementation of security standards for account data
protection."
Throughout most of the developed world, and especially within the United States, Canada, Japan and the European
Union, legal mandates make organizations that handle payment information legally and financially responsible for
protecting its owners' privacy and confidentiality. These organizations are also liable for financial losses that
may be incurred through accidental or unauthorized disclosure of or access to such information by third parties.
In simple terms, the PCI SSC seeks to ensure that processing of payments is secure, with special emphasis on
electronic payments over the Internet. That's because the information that consumers or cardholders produce to make
legitimate payments is susceptible to abuse. In addition to protecting cardholder data online, merchants and payment
processing companies must also protect that data where it's stored as long as the information remains current and valid.
They must also ensure that such information is not accessible to any unauthorized parties when that data is transported
across the Internet.
Understanding the PCI Data Security Standard
The PCI DSS is designed to define a comprehensive set of requirements to enhance and enforce payment account data
security. As such, the PCI DSS covers a broad range of topics, tools, processes and procedures. Requirements within
the PCI DSS include security management, policies, procedures, network architectures, software design and other
protective measures. This standard is designed to provide proactive rather than passive protection.
The PCI Security Standards Council documents 12 specific requirements spread across six distinct security principles.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
In the following sections we explore and explain the PCI DSS's relationship to secure payment processing and related
data security topics, along with related requirements.
Build and Maintain a Secure Network
In moving from consumers' computers to e-commerce sites on the Internet, data traverses many networks and passes
through numerous devices that speed that data from its sender to its intended receiver. At any point on this long and
potentially hazardous path, third parties can intercept and inspect the contents of the transmissions on their networks.
This establishes a need to encrypt all sensitive information (a designation for which payment and account information is
tailor-made) to prevent third parties from reading or altering the information while it's in transit. It's
typical to see a lock icon somewhere in a Web browser window whenever secure communications are active; most e-commerce
uses the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS), and displays that lock
to let users know their communications are protected from eavesdropping.
At the network level, there's a lot more involved in providing security besides ensuring the integrity and
confidentiality of data communications. For the PCI DSS, secure network requirements aim primarily to prevent
unauthorized outsiders from accessing a merchant's or payment processor's network through its Internet boundary,
or network periphery. A firewall is a special kind of traffic cop that sits on the boundary between the public (outside)
and private (inside) network elements and inspects and manages all traffic that crosses this boundary. This particular
requirement seeks to ensure that only authorized traffic is permitted across the boundary and to block any and all illicit
or unauthorized attempts to gain entry or information about the private side of the Internet interface. It's also necessary
to log all firewall configuration changes so that those responsible for making changes can be identified and held responsible
for their actions should errors or malfeasance occur.
The second PCI DSS requirement for securing a network may have serious consequences if overlooked or ignored.
Whenever firewalls, routers, servers and other networking devices leave their makers' factories, they're set up to
use well-known account names, passwords and other security settings (default SNMP community strings and wireless
keys among them). Such defaults must be changed before the device goes into service, preferably with strong passwords,
if not multi-factor authentication tools or servers, to make sure these devices are safe from interlopers.
When it comes to merchant and especially payment processing services, many of which get licensed to Web site hosting
companies, businesses, corporations and other legal entities, it's not unusual for such capabilities to be offered as
Software as a Service (SaaS). Companies that provide SaaS typically handle payment processing
services for large numbers of customers. Consequently their network security arrangements, which include various forms of
intrusion detection and prevention in addition to firewalls, routinely exceed base-level requirements established in the
PCI DSS. Most payment networks are also segmented from other networks to add more protection and separate access
control.
When security configuration data is called "well-known," that's a polite way of saying that
everybody knows it, including the bad guys.
Protect Cardholder Data
From a security perspective, data needs protection at all times. But security considerations, technologies and solutions
vary for data that's in motion (moving between sender and receiver) versus data that's at
rest (sitting in a file or database). Thus, the PCI DSS requirements for protecting cardholder data distinguish
between "protect stored cardholder data" and "encrypt transmission of cardholder data across open,
public networks" (that is, the Internet).
When it comes to protecting stored information, encryption may or may not be involved. The PCI DSS requires that the
primary account number (PAN) be rendered unreadable wherever it is stored, but encryption is only one of the accepted
ways to do so: truncation, one-way hashing and index tokens are the others. User authentication information and
cryptographic keys must likewise be protected wherever they are kept. Beyond that, what is required is a well-defined
set of access controls and rules that govern who may or may not access such information. Likewise, generation and
disposition of copies, including backups, needs to be carefully monitored and controlled. The basic notion here is
"eyes-only" access control, so that only those with a legitimate, business-based need to know will be permitted to
access and use this storage and the information it contains. The PCI DSS also levies special restrictions on sensitive
authentication data: full magnetic-stripe (track) data, card verification codes and values, and personal identification
number (PIN) data must not be stored after authorization, even in encrypted form. Related policies and procedures must
address legal, regulatory and business requirements for data retention and also institute proper disposal of
data when no longer needed.
The cryptographic keys used to protect stored cardholder data are themselves subject to key-management requirements.
Keys must be strong, changed at the end of their defined cryptoperiod or whenever compromise is suspected, and managed
under split knowledge and dual control so that no single person can reconstruct or use a key alone. Individuals
authorized to work with keys are also required to sign a form that stipulates they understand and accept their
key-custodian responsibilities.
For data in motion, the PCI DSS mandates use of strong cryptography and security protocols such as SSL,
Transport Layer Security (TLS) or IP Security (IPsec) to safeguard sensitive cardholder data
whenever it moves across open, public networks. This also applies to wireless, cellular and packet radio networks.
Note that the PCI SSC has since ruled that SSL and early TLS versions no longer qualify as strong cryptography;
TLS 1.2 or later is the accepted baseline for new deployments.
For merchant and payment processing operations, including SaaS offerings, encryption technology is the cornerstone for
the software and services they provide to customers. Key length and strength, encryption protocols and key management
controls routinely use the best and or strongest technologies commercially available and normally exceed PCI DSS base-level
requirements.
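The storage controls described in this section translate into a handful of concrete operations on a primary account number: truncate it for display, render it unreadable before it is stored, and refuse to persist sensitive authentication data at all. The following is an added example written for this page, not code from the white paper or from MessageLabs; the HMAC key, the record layout, the field names and the sample records are all constructed for illustration, and 4111 1111 1111 1111 is a widely used Visa test number rather than a real card. The final function scrubs card numbers out of free text, which is how the Requirement 10 audit logs discussed later avoid becoming an unprotected store of cardholder data.

```python
"""PCI DSS Requirement 3 handling for a primary account number (PAN).

Added example (not from the white paper): truncate/mask for display,
render the stored PAN unreadable with a keyed one-way hash, and refuse
to store sensitive authentication data (SAD) after authorization.
The key and the sample records are constructed and are not real data.
"""
import hashlib
import hmac
import re

# Field names (assumed for this example) that PCI DSS 3.2 forbids storing
# after authorization, even encrypted.
SENSITIVE_AUTH_DATA = ("cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block")

# Constructed key. In production this is a key managed under PCI DSS
# 3.5/3.6 (split knowledge, dual control, defined cryptoperiod).
FINGERPRINT_KEY = b"example-key-managed-under-req-3.6"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check used by payment card numbers, 13-19 digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed one-way hash so the stored value is unreadable (PCI DSS 3.4).

    An unkeyed SHA-256 of a PAN is brute-forceable once the six-digit BIN
    is known, because only a few billion candidates remain; the secret key
    is what makes the fingerprint safe to store."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict) -> dict:
    """Return the record as it may be written to a database after
    authorization: SAD rejected, PAN replaced by mask + fingerprint."""
    present = [f for f in SENSITIVE_AUTH_DATA if f in record]
    if present:
        raise ValueError(f"sensitive authentication data must not be stored: {present}")
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    out = {k: v for k, v in record.items() if k != "pan"}
    out["pan_masked"] = mask_pan(pan)
    out["pan_fingerprint"] = pan_fingerprint(pan)
    return out


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_pans(text: str) -> str:
    """Replace Luhn-valid card numbers in free text (log lines, tickets)
    with their masked form. Digit runs that fail Luhn are left alone so
    order numbers and timestamps are not mangled."""
    def _repl(m: re.Match) -> str:
        raw = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(raw) if luhn_valid(raw) else m.group(0)
    return _PAN_RUN.sub(_repl, text)


if __name__ == "__main__":
    # Constructed sample authorization request.
    auth = {"order": "A-1001", "pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv2": "123"}
    try:
        sanitize_for_storage(auth)
    except ValueError as err:
        print("rejected:", err)
    stored = sanitize_for_storage({k: v for k, v in auth.items() if k != "cvv2"})
    print(stored)
    # Constructed log line with a PAN leaked into it.
    print(scrub_pans("2009-05-01 auth ok pan=4111111111111111 amount=19.99"))
```

The record is rejected outright while the CVV2 is present, which is the behaviour a practitioner wants: a storage layer that silently drops the field still lets the upstream code believe it is fine to pass it around. The masked value and the keyed fingerprint together support the two legitimate post-authorization uses, showing the customer which card was charged and matching a later chargeback to the original transaction, without keeping the PAN itself.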
Maintain a Vulnerability Management Program
Basically, maintaining a vulnerability management program requires organizations to recognize and pre-empt known
potential sources of trouble and also take proactive steps to head off as-yet unknown sources. One major thrust is to
deploy and use anti-malware systems, and keep them current and active, to protect against viruses, spyware, rootkits
and so forth. Such coverage applies to all systems related to processing payments or handling customer data. Audit logs
or trails are also necessary to provide ongoing proof that anti-malware tools are in place, current and working as
promised.
The other side of this equation is making sure that all systems and applications related to payment processing, or
handling customer data, are safe and secure. This involves testing and auditing of in-house applications and custom code
to determine that they:
- Provide proper encryption.
- Enforce authentication and access controls.
- Are not subject to security vulnerabilities or exposures that might lead to unauthorized or accidental disclosure
of customer data.
Along with formal security testing and external audits, systems and application security also require formal change
control. Code changes, especially for Web applications, are reviewed and vetted to ensure they meet secure coding
guidelines, like those in the Open Web Application Security Project (OWASP) Guide. A change control process also ensures
that appropriate corrections or remedies are applied prior to public code release. The standard enumerates a number of
well-known Web programming flaws (injection flaws, cross-site scripting, buffer overflows and insecure cryptographic
storage among them) against which developers are specifically enjoined, and which testing must address directly.
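Injection flaws head the list of programming errors the standard requires developers to avoid, and the difference between vulnerable and safe code is small enough to show side by side. This is an added example written for this page, not code from the white paper or from any payment vendor: the order table, its rows and the masked card values are constructed in memory so the example runs offline, and the lookup functions are hypothetical names chosen for illustration.

```python
"""Requirement 6 secure coding: one order lookup written two ways.

Added example, not from the white paper. The table and rows are
constructed in memory. The vulnerable function builds the query from
user-controlled text; the hardened one binds the same values as
parameters, so they can never change the shape of the query.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed order table holding only masked PANs (Requirement 3.3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT, customer TEXT, pan_masked TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        ("A-1001", "alice", "411111******1111", 19.99),
        ("A-1002", "bob", "555555******4444", 42.00),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str, order_id: str) -> list:
    """String-built SQL: whoever controls order_id controls the WHERE clause."""
    sql = (
        "SELECT id, customer, pan_masked, amount FROM orders "
        f"WHERE customer = '{customer}' AND id = '{order_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, customer: str, order_id: str) -> list:
    """Parameterized query: the driver sends the values separately from the
    statement text, so quotes in the input are just characters."""
    sql = "SELECT id, customer, pan_masked, amount FROM orders WHERE customer = ? AND id = ?"
    return conn.execute(sql, (customer, order_id)).fetchall()


def demo() -> dict:
    """Run both lookups with an honest request and with an injection payload."""
    conn = make_db()
    honest = ("alice", "A-1001")
    # Alice supplies a crafted order id; in the vulnerable version the
    # resulting clause is  ... AND id = 'x' OR '1'='1'  which is true for every row.
    payload = ("alice", "x' OR '1'='1")
    return {
        "vuln_honest": lookup_vulnerable(conn, *honest),
        "vuln_attack": lookup_vulnerable(conn, *payload),
        "hard_honest": lookup_hardened(conn, *honest),
        "hard_attack": lookup_hardened(conn, *payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Both functions return Alice's single order for the honest request. With the payload, the string-built query hands back every customer's row, including Bob's, while the parameterized query returns nothing, because it looks for an order literally named `x' OR '1'='1`. Note that the leak here is only a masked PAN, which is exactly why Requirement 3 insists the full number never be sitting in an application table in the first place: layered controls mean a Requirement 6 failure does not automatically become a cardholder-data breach.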
Nowadays where merchant activity and payment processing is involved (including SaaS providers) stringent code reviews
and pre-release security testing and review is the norm. Given the enormous potential liability involved in allowing
vulnerable code to go into widespread use, service providers will allocate budget and effort to ensure their offerings
are secure. They also take extraordinary measures to remediate and repair any vulnerabilities or exposures as may be
discovered after going "live."
Implement Strong Access Control Measures
Access controls govern who may access what information and which kinds of operations they can perform. The PCI DSS
embraces the principle of least privilege, which stipulates that no program or user be allowed access to more information
than is needed to conduct transactions or to accomplish specific, well-defined job tasks.
Managing access control is the heart and soul of data security, and the PCI DSS devotes significant care and attention
to this fundamental security principle in its standard.
The PCI DSS calls this principle "business need-to-know." It limits access to system components and
cardholder data to those individuals (operators, developers and administrative personnel alike) whose jobs require it,
and only to the information they need to conduct authorized transactions or tasks. The PCI DSS also stipulates that
access privileges be assigned according to job classification or function (aka "role-based access control," or RBAC).
Authorization forms are required for global or administrative access: they specify the privileges required and carry
management sign-off, and use of such access is stringently monitored and logged.
Any individual who accesses payment information or related systems must use a unique, clearly identifiable online
identity. The idea is to identify all system users unambiguously and, when necessary, to audit and track their activities.
Likewise, access to actual cardholder data is severely restricted, available only to those with a legitimate need to know
and a job role that justifies such access.
Finally, the PCI DSS requires that organizations restrict physical access to cardholder data and to the systems that
store, process or transmit it. Essentially, this requires checking that physical and logical access controls enable only
authorized parties and systems to reach such data, and then only to the extent that a task or role genuinely requires.
All other access to cardholder data must be denied, period.
For payment processing and merchant sites, SaaS providers generally serve a global audience. Because the sum total
of the governing body of law, regulation and best practices is more stringent and demanding in the aggregate than
individual standards-including the PCI DSS-you can count on service providers to comply with the superset of all
such standards taken together.
Regularly Monitor and Test Networks
No security regime is worth much without periodic monitoring and testing. It's a well-accepted security principle
that ongoing monitoring helps organizations keep up with current conditions, and gives them an important opportunity
to look for signs of exposure or potential compromise. Likewise, the only way to be sure a network is secure is to test
its security using a battery of scans and activities to probe all its defenses, and to check compliance with applicable
rules, regulations, standards and best practices. Every element in the PCI DSS includes detailed testing procedures that
explain what must be checked, what should be found and what kinds of defaults must be in place.
Specific requirements related to this principle essentially outline best monitoring and testing practices in
information security. Accountability dictates that all access to network resources and cardholder data be tracked,
and must be logged for subsequent auditing and review. A wide variety of tools and techniques are employed to conduct
such testing. The well-known and well-documented security discipline known as "penetration testing" comes
into play, as highly trained outside consultants or testing organizations probe and seek to break through perimeter,
software and physical defenses. This effort involves testing humans to ensure they:
- Comply with security guidelines and don't disclose information they should not.
- Respond properly to unauthorized queries for information, such as requests for passwords or logins by phone,
when company policy requires these be delivered only in writing, for example.
Technical tools, such as wireless network analyzers, protocol analyzers and/or intrusion detection systems, must
also be used to look for unauthorized devices or evidence of potential network attack.
Most commercial service providers take monitoring and testing very seriously, to the point of hiring professional
security and penetration testing experts to audit and probe their networks, systems and staff. Such testing ensures
that all known attacks and exposures are addressed and blocked, or mitigated; it also provides an opportunity to verify
that staff and contractors understand and follow security policy dictates. Service providers not only practice strong
security, they often preach it to their customers as well.
Email Encryption Service: MessageLabs offers both a Policy Based and an End-to-End Boundary Encryption
service, providing a suite of secure Email Encryption and privacy solutions to fit your business needs. Learn more
at http://www.messagelabs.com/products/email_encryption_privacy.
Email Anti-Virus Protection: MessageLabs hosted Email Anti-Virus Service protects your business
from known and unknown email viruses. Learn more at http://www.messagelabs.com/products/email/anti_virus.aspx.
Maintain an Information Security Policy
Any student of information security knows that security policy is what guides, drives and informs actual security
practices and procedures, and the choices of tools and technologies used in its implementation. Careful formulation
of security policy is an important first step in establishing security.
Likewise, regular audits of the security environment, and periodic security tests for systems and networks, make
sure things work as they should. Audits also provide opportunities to detect and correct potential problems. These
activities provide an essential recurring opportunity to ensure that policy and implementation agree with one another
in all important respects, and to adjust one or the other to comply with prevailing regulations, laws and best practices
as circumstances dictate.
While PCI DSS doesn't dictate security policy, its principles and requirements have a profound impact on security
policy. This is especially true for organizations adopting PCI that don't yet have a formal security policy, or for
organizations for which adopting PCI means changes to the current security policy.
Most commercial service providers will permit inspection of their security policy library upon request, either
from current or prospective clients. Careful examination of those documents will reveal that PCI compliance in such
documents is both thorough and complete.
For more information, visit the PCI SSC PIN Entry Devices page
at www.pcisecuritystandards.org/security_standards/ped.
Other PCI standards
The PCI Security Standards Council offers two other standards to its constituents. These include standards for:
- PIN entry devices (PEDs), defining the security requirements that PEDs and PIN-accepting POS devices must meet
- Hardware security modules and unattended payment terminals that some retail operations deploy on
their premises
Such devices are subject to scrutiny from a variety of PCI Recognized Test and Certification laboratories, whose
seal of approval is usually required to meet PCI requirements for their safe use. Because this subject matter is
outside the scope of this paper, we mention it only in passing.
Another important standard in the PCI collection is the Payment Application Data Security Standard, or PA-DSS.
It seeks to help software vendors and other interested parties develop secure payment applications that comply with
PCI DSS stipulations for secure data handling and storage. Payment applications that are sold, distributed or licensed
to third parties are subject to this standard and its requirements. Organizations that license or acquire payment
processing software or services should perform due diligence to ensure what they pay for complies with this standard.
What's of potential interest to readers about PA-DSS is that the council maintains a list of validated payment
applications that comply with PA-DSS. At this writing, 184 vendors and 358 payment applications appear on this list,
including credit management, enterprise resource planning (ERP) and public-sector-specific
applications. The PCI Security Standards Council has also created a formal infrastructure around this program in which
assessors can establish their competence and become credentialed as Payment Application Qualified Security Assessors
(PA-QSAs) to assess payment applications for security and PA-DSS compliance.
Costs and benefits of PCI compliance
Though costs are involved in formulating security policy, as well as in establishing, maintaining and testing compliance
with the PCI DSS (with or without PA-DSS systems or software in that picture), for most merchants, financial institutions
and payment processors, the benefits far outweigh those costs. First and foremost, PCI DSS helps mitigate and contain risk,
and limits unwanted and unexpected exposures to reputation and financial health from unauthorized disclosure of customer
payment and account information. Second, adherence to PCI DSS helps organizations avoid legal and financial liabilities
for compliance failures, which can result in fines, penalties and assessed financial damages.
A proactive approach to PCI presents an excellent opportunity for organizations to get their security acts together
and to establish a safe, secure haven in which their customers can conduct commerce and do business. It helps organizations
raise the bar on customer service and support, and provides assurances that sensitive information, privacy and
confidentiality are preserved and protected. For savvy organizations, PCI compliance provides an opportunity to grow new
business and offer new services to their customer base.
About MessageLabs | Now part of Symantec
MessageLabs, now part of Symantec, is the world's leading provider of hosted services for securing and managing email,
web, and IM traffic (or communications). Over 21,000 organizations and over 9 million end users in 99 countries employ
MessageLabs services to protect against viruses, spam, phishing, inappropriate Internet use, spyware and other business
damaging threats.
For more information on MessageLabs, now a part of Symantec and how we can assist your firm in meeting the PCI DSS
contact us at (866) 460-0000 or visit us at
www.messagelabs.com.