I’ll kick off my much-delayed series on compliance and regulation with the Payment Card Industry’s Data Security Standard (PCI DSS). This highly visible, widely applicable standard applies to any company that processes credit card data. Importantly, the standard was developed by the industry rather than Congress. This is in direct contrast to many other industries (such as health care and finance) that are regulated by the federal government.
The standard consists of 12 requirements, each with a number of sub-requirements, ranging from firewall configuration to security policy to ongoing vigilance. There are four tiers of merchants, and slightly different requirements apply depending on the tier. Read on for details and tips.
Roughly defined:
- Tier 1 – More than 6,000,000 transactions per year, or arbitrarily at the discretion of Visa. Requirements:
  - Annual on-site PCI data security assessment
  - Approved Scanning Vendor for external vulnerability scans
  - Quarterly network scans
  - Involvement of a Qualified Security Assessor (a PCI-approved security consultant, essentially)
- Tier 2 – Between 1,000,000 and 6,000,000 transactions per year. Requirements:
  - Completion of an annual self-assessment questionnaire (SAQ) (more on this below)
  - Quarterly network scans
  - Approved Scanning Vendor for external vulnerability scans
- Tier 3 – Between 20,000 and 1,000,000 transactions per year. Requirements:
  - Completion of an annual SAQ
  - Quarterly network scans
  - Approved Scanning Vendor for external vulnerability scans
- Tier 4 – Less than 20,000 transactions per year. Requirements:
  - Completion of an annual SAQ
  - Quarterly network scans
  - Approved Scanning Vendor for external vulnerability scans
Generally speaking, this is one of the most clearly defined, well-executed information security standards. Regulations such as Sarbanes-Oxley and HIPAA are vague and subject to interpretation. Although there is some flex in the PCI DSS wording, it is generally very well understood and widely adhered to. Most vendors that process credit cards (and this is a VERY WIDE variety of organizations) are well on the way to compliance.
Want some tips?
- Quarterly scans don’t have to be difficult OR expensive. Use free/cheap software like Nessus and run them yourself, or pay a consultant an hourly rate if you don’t have time.
- Look into the different versions of the SAQ and decide if a subset of the requirements actually apply to you. If you accept credit card payments but it’s all handled through a third party (like authorized.net), the PCI DSS doesn’t apply to you at all. On the other hand, if the credit card numbers ever touch any of your systems, you have to deal with PCI DSS to some degree.
- Try really hard to limit the scope of the cardholder data network (the systems and networks where credit card numbers are in use) using network segmentation techniques. Use VLANs and strict ACLs to partition the network. This limits the applicability of all PCI requirements to the parts of the network that never touch credit card numbers, and simultaneously accomplishes network security and performance best practices.
- If you’re a tier 4 vendor that, for example, processes credit card numbers through a small web site, consider moving the responsibility of PCI DSS to an outside vendor. Sites like authorized.net or paypal can efficiently rebrand sites and accept payments for you, removing the expensive compliance burden from your company.
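To make the segmentation tip concrete, here is an added example (not from the original post) that evaluates a simple first-match VLAN ACL rule set and reports which VLANs still have a permitted path into the cardholder data environment, and so stay in PCI scope. The rule format, VLAN names and both rule sets are constructed for illustration; a flat "permit any" ACL is contrasted with a segmented, default-deny one.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str            # source VLAN name, or "any"
    dst: str            # destination VLAN name, or "any"
    port: Optional[int] # TCP/UDP port; None means any port
    action: str         # "permit" or "deny"

def can_reach(rules: List[Rule], src: str, dst: str) -> bool:
    """True if ANY port from src to dst is permitted, evaluating rules
    top-down (first match wins) with an implicit deny at the end."""
    denied = set()
    for r in rules:
        if r.src not in (src, "any") or r.dst not in (dst, "any"):
            continue
        if r.action == "deny":
            if r.port is None:
                return False      # everything not yet permitted is blocked
            denied.add(r.port)    # this port is shadowed for later permits
        elif r.port is None or r.port not in denied:
            return True           # at least one port gets through
    return False

def in_scope_vlans(rules: List[Rule], vlans: List[str], cde: str) -> List[str]:
    """The CDE itself plus every VLAN that can open a connection into it.
    Each such VLAN inherits the full set of PCI DSS requirements."""
    return sorted({cde} | {v for v in vlans if v != cde and can_reach(rules, v, cde)})

# Constructed sample network: one cardholder-data VLAN and three others.
VLANS = ["cde", "corp", "guest", "dev"]

# Weak configuration: a blanket permit drags every VLAN into scope.
FLAT_RULES = [Rule("any", "any", None, "permit")]

# Segmented configuration: only corp may reach the CDE, and only on
# port 22; all other traffic into the CDE is dropped before the
# general permit that keeps non-CDE traffic flowing.
SEGMENTED_RULES = [
    Rule("corp", "cde", 22, "permit"),
    Rule("any", "cde", None, "deny"),
    Rule("any", "any", None, "permit"),
]

if __name__ == "__main__":
    print("flat ACL, in scope:     ", in_scope_vlans(FLAT_RULES, VLANS, "cde"))
    print("segmented ACL, in scope:", in_scope_vlans(SEGMENTED_RULES, VLANS, "cde"))
```

Run against your real ACLs, a rule set that leaves guest or dev VLANs in the output means those segments still fall under every PCI requirement, and that is the list a QSA will want to see shrink.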
Questions? Need more tips? Let us know in the comments.