This new series of articles from PCI Hispano will present an overview of each of the standards currently published by the Payment Card Industry Security Standards Council (Payment Card Industry Security Standards Council – PCI SSC) for the protection of the elements involved in the card payment ecosystem. This first article will present the Payment Card Industry Data Security Standard (Payment Card Industry Data Security Standard – PCI DSS).

Introduction

The Payment Card Industry Data Security Standard (Payment Card Industry Data Security Standard – PCI DSS) is a security standard published by PCI SSC and aimed at defining controls for the protection of cardholder data and sensitive authentication data during processing, storage and/or transmission. It is currently in the version 4.0.1 published in June 2024. The standard and its supporting documents can be downloaded directly from the PCI SSC website (Document Library).

Origin

Before the publication of the first version of the PCI DSS standard, each of the payment card brands that are currently part of the PCI SSC had its own security program for the protection of cardholder data:

Each of these programs defined the security controls to be implemented, the entities that had to comply with those controls, the compliance reporting processes and the sanctions and fines in case of non-compliance. However, this implied that if an entity stored, processed and/or transmitted card data belonging to any of these brands then it had to comply with its related security program, which created duplications, inconsistencies and overlaps in the implementation of controls, not counting the bureaucratic burden involved in management and reporting.

Convergence of the security programs of each of the brands in the PCI DSS standard

All this led the payment brands to define a unique standard that met the requirements and expectations of security in a transversal way, avoiding the problems cited above and facilitating a mass adoption in the affected entities. Therefore, the 14 December 2004 version 1.0 of the Payment Card Industry Data Security Standard (Payment Card Industry Data Security Standard – PCI DSS).

In November 2020 China UnionPay (UP) joins as a strategic member of the PCI SSC and October 2022 its logo is included in the PCI DSS v3.2.1 and 4.0 compliance report templates as the sixth payment brand, complementing the five founding members of the PCI SSC.

However, it is important to clarify that with the publication of the PCI DSS standard the security programs of the payment brands did not disappear, since the responsibility in defining the entities that have to comply with the standard, the management of compliance reports, the publication of the lists of certified entities, the actions in case of commitment of card data and the criteria of fines and sanctions continue to be administered by each brand independently through such programs.

What is PCI SSC?

The PCI SSC (Payment Card Industry Security Standards Council) is a forum composed of five of the most important payment brands: Visa Inc., MasterCard, American Express, Discover Financial Services y JCB International. It was founded on 7 September 2006 with the aim of defining security controls oriented towards the protection of payment card data throughout the transactional flow. It is an independent organization that currently manages the lifecycle of card security standards and their associated documents. China UnionPay (UP) Linked to PCI SSC as a strategic member in November 2020.

Strategic pillars of the ICP SSC

Additionally, the PCI SSC is responsible for conducting specific training for advisors, homologation of companies for compliance assessments and related services (such as ASV scans and laboratories), Frequently used questions (FAQ), Standards Promotion Activities to Service Providers (Service Providers), Shops (Merchants), acquirers (Acquirers), issuers (Issuers) and the general public, membership management, annual meetings of members (Community Meetings), as well as the publication and updating of lists of consultants, approved laboratories, etc. A general description of the PCI SSC and its responsibilities can be found in the document «PCI Security Standards Council At-a-Glace.

PCI SSC currently has approximately 800 participating organizations (Participating Organizations) that support different activities within the forum itself.

The organizational structure of the PCI SSC can be consulted at this Location.

Responsibilities

As described above, roles and responsibilities in compliance with the PCI DSS standard can be outlined as follows:

Description of roles and responsibilities in PCI DSS compliance

Applicability

The PCI DSS standard is aimed at protecting cardholder data and/or sensitive authentication data (together referred to as ‘account data’ (account data)), according to the following table:

Components of the "Account Data" concept in PCI DSS

The PCI DSS standard includes requirements that refer specifically to account details (Account Data), , details of cardholders (Cardholder Data) and sensitive authentication data (Sensitive Authentication Data). It is important to note that each of these types of data is different and the terms are not interchangeable. Specific references within the requirements to account data, cardholder data or sensitive authentication data are intentional, and the requirements apply specifically to the type of data referred to in the standard control.

Types of data on a payment card

Likewise, to identify the applicability of PCI DSS in a specific environment, the following criteria must be taken into account (according to version 4.0 of the standard):

  • The PCI DSS requirements apply to all entities with environments in which account data (cardholder data and/or sensitive authentication data) is stored, processed or transmitted, and to entities with environments that may affect the security of that environment. .
  • The Main account number (PAN) is the factor that defines the cardholder's data. Therefore, the term ‘account data’ covers the following:
    • the complete NAP,
    • any other cardholder data element that is present with the NAP; and
    • any element of the sensitive authentication data.
  • If the cardholder's name, service code and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the environment, they should be protected in accordance with the PCI DSS requirements applicable to the cardholder's data.
  • Even if an entity does not store, process, or transmit PAN, some PCI DSS requirements may still apply. Some examples are cloud infrastructure service providers, media storage and destruction, technology management, etc., as they can affect the security of the card data environment even if they do not explicitly process, store or transmit this data. Entities that outsource their payment environments or transactions to third parties remain responsible for ensuring that account data is protected by the third party in accordance with applicable PCI DSS requirements.

It is also important to note that, If there is any conflict between the controls of the standard and any local law, the law will always prevail. A clear example can be found in the implementation of control 9.2.1.1 of PCI DSS v4.0, where it is indicated that the data collected through closed circuit television (CCTV) monitoring or CDE access control mechanisms must be stored at least three months. However, some local data protection laws prevent the retention of this data in the periods indicated by the standard. In that case, the restrictions imposed by local law prevail.

Definition of scope of compliance

PCI DSS requirements apply to:

  • The cardholder data environment (Cardholder Data Environment – CDE), which consists of:
    • System components, persons and processes that store, process and transmit cardholder data and/or sensitive authentication data; and,
    • System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.
  • System components, people and processes that could affect CDE security.

Graphical description of the concepts of CDE (Cardholder Data Environment) and Scope of compliance (Scope) of PCI DSS

Description of PCI DSS standard security controls

The PCI DSS standard has more than 250 physical, logical and administrative security controls schematized in 6 main groups that in turn are subdivided into 12 requirements, as follows:

PCI DSS v4.0 requirements and controls

Entities requiring compliance with the standard

The PCI DSS standard applies to all entities involved in the storage, processing and/or transmission of cardholder data and/or sensitive payment card authentication data, including:

  • Traders (merchants)
  • Processors
  • Acquirers (acquirers)
  • Issuing entities (issuers)
  • Payment Service Providers (service providers) such as payment gateways, licensing centres, etc.

Likewise, those entities that offer services to such environments may be affected by PCI DSS compliance if their services are involved within the PCI DSS compliance environment of any of their customers. Examples include:

  • Managed Service Providers (Managed Service Providers – MSP)
  • Technology infrastructure providers
  • Cloud Service Providers (cloud)
  • Data Center Service Providers (data centers y colocation/housing)
  • Web hosting services (web hosting)
  • Personnel outsourcing services (outsourcing)
  • Physical security services
  • Software development providers
  • Secure destruction services of electronic documentation and/or storage media

In these cases, these entities may elect to undergo assessments at the request of their clients and/or participate in each of their clients' PCI DSS reviews or conduct one or more annual PCI DSS assessments on their own and provide evidence to their clients in order to demonstrate compliance.

Compliance report

Compliance with PCI DSS can be demonstrated in two ways:

  • Employing a self-assessment questionnaire (or Self-assessment Questionnaire – SAQ), or
  • Performing a formal compliance assessment

The criterion for identifying which of the two methods should usually be used is based on the number of annual payment card transactions carried out by the institution. The differences between the SAQ and the formal compliance assessment are analysed below:

Typology of reports to demonstrate compliance with the PCI DSS standard

The validity of these reports (AoC/RoC) is 12 months. At the end of this period, a reassessment and compliance reporting is required based on transactions processed during that year.

Qualified Advisors of PCI DSS (QSA)

The PCI SSC has defined a specific figure for conducting formal PCI DSS compliance assessments: The Qualified Security Advisor (Qualified Security Assessor) or QSA. To achieve this certification, the professional must:

  • Belong to a QSA company (approved by the PCI SSC for conducting PCI DSS assessments).
  • Have several industry recognized security certifications (CISSP, CISM, CISA, GSNA, ISO 27001 Lead Auditor, IRCA, ISMS, CIA)
  • Accept the PCI SSC Professional Liability Code
  • Receive an annual training in PCI DSS (the first time face-to-face and the following times online)
  • Report a series of continuing education credits annually (Continuing Professional Education – CPE)

It is also worth clarifying that there is another figure for the performance of PCI DSS compliance assessments called Internal Security Assessor (ISA). ISA professionals can conduct PCI DSS assessments exclusively to the organization to which they belong.

Only approved QSA and ISA advisors can perform PCI DSS compliance assessments.

What happens if PCI DSS is not met?

As indicated above, compliance with the PCI DSS standard is mandatory, although the applicability of its requirements and the types of assessment or compliance report vary depending on the type of entity.

This standard establishes the minimum bases in terms of security to protect transactions with payment card data, so its non-compliance implies:

  • Limitation by payment card brands, acquiring banks or payment gateways to process transactions from the non-compliant entity.
  • In the case of the occurrence of a security incident affecting card data, the non-compliant entity must bear the full costs arising, including:
    • Costs of claims and compensation to those affected
    • Costs of fraud involving transactions with the cards concerned
    • Renewal costs of the payment cards concerned
    • Fines by payment brands, based on the amount of payment card data involved
    • Legal fines for the use of personal data (in specific cases such as GDPR/GDPR)
    • Costs of forensic investigation by a professional PCI Forensic Investigator (PFI)
    • Costs of implementing post-incident PCI DSS controls
    • Costs arising from image loss to the public

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

3 Comments

  1. Very good documentation. Very interesting and well explained.

    Reply

  2. Excellent article, my greatest congratulations to the author

    Reply

  3. EXCELLENT INFORMATION, NOW IF I'M CLEAR

    Reply

Leave to Reply