The Payment Card Industry Data Security Standards (PCI DSS), with its over 200 requirements, can seem like a daunting set of regulations. Nonetheless, if your organization handles any kind of credit card information, you must be PCI DSS compliant. As difficult as this can seem, you can get expert help with our new eBook: Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS Compliance.

Below is a preview of this whitepaper. To get your own copy of this whitepaper, fill out the form to the right.

The Basics

Let’s start with the basics.

What is PCI?

PCI stands for the Payment Card Industry: the debit, credit, pre-paid, e-purse, ATM and POS (Point of Sale) terminal businesses and the businesses associated with them.

In this context, however, PCI refers specifically to the Payment Card Industry Security Standards Council (PCI-SSC), a council formed by:

  • MasterCard
  • Visa
  • American Express
  • Discover
  • JCB


The PCI Council develops and maintains several standards that cover the ecosystem of payment devices, applications, infrastructure and users.

  • PCI DSS: (My bible) covers systems that store, process, or transmit cardholder data and is used by acquirers, issuers, merchants, and service providers.
  • PCI PTS: covers point-of-interaction devices (or POIs) used for PIN entry.
  • PCI PA-DSS: covers payment applications and is used by application developers.

All these standards work together to protect payment transactions and cardholder data.

Payment processing terminology and workflows

One cannot move through the PCI ecosystem without a basic understanding of payment processing terminology and the payment processing workflow. So let’s have a look behind the scenes.

Payment processing terminology

In a nutshell, the payment transaction could be depicted as follows:

We have cardholders that make payment card purchases from merchants, merchants that send payment transaction data to their acquirers, and acquirers that send payment transaction data through the payment brand network to the issuer.

  • The cardholder is the person that actually has the payment card and uses it to purchase goods or services.
  • The merchants are the organizations accepting payment.
  • The acquirer is the bank with whom the merchant has a contractual relationship.
  • The issuer is the organization that issued the card to the cardholder.
  • The payment brands are the brand of a particular credit card organization, like Visa, MasterCard, American Express, Discover, JCB.

** Visa and MasterCard never issue cards themselves. Their cards are always issued through a bank (the issuer) or some other organization. American Express, Discover, and JCB International issue cards directly, and they also acquire those transactions.

Payment processing workflow

It encompasses the following operations:

  1. Authorization
  2. Clearing
  3. Settlement

Authorization: At the time of purchase, the merchant requests and receives authorization from the issuer to allow the purchase to be conducted, and an authorization code is provided.

The process includes:

  1. The cardholder swipes or dips the card at the merchant location.
  2. The merchant’s bank (or acquirer) asks the processor to determine the cardholder’s bank (or issuer).
  3. The processing network determines the cardholder’s bank and requests approval for purchase.
  4. The cardholder’s bank approves the purchase.
  5. The processor sends approval to merchant’s bank.
  6. The merchant’s bank sends approval to the merchant.
  7. The cardholder completes the purchase and receives a receipt.

Clearing: In the Clearing process, the acquirer and issuer need to exchange purchase information to complete the transaction.

The process includes:

  1. The merchant’s bank sends purchase information to the processor network.
  2. The processor sends purchase information to the cardholder’s bank, which prepares data for the cardholder’s statement.
  3. The processor provides complete reconciliation to the merchant’s bank.

Settlement: The merchant’s bank pays the merchant for the cardholder purchase and the cardholder’s bank bills the cardholder.

The process includes:

  1. The cardholder’s bank sends payment to the processor.
  2. The processor’s settlement bank sends payment to the merchant’s bank.
  3. The merchant’s bank pays the merchant for cardholder’s purchase.
  4. The cardholder’s bank bills the cardholder.

Distributing the roles for a PCI Play

In this chapter, we’ll assign the roles for our PCI Play.

Here’s the cast list.

Regulators: Scriptwriters and Directors

They are writing the scenarios and directing the play.

The PCI council whose main responsibilities are to:

  • Maintain the standards and supporting documentation
  • Qualify assessors and perform quality assurance checks of their work
  • Maintain a list of validated payment applications and approved PIN transaction security devices
  • Educate the community
  • Promote PCI on a global basis

Payment Brands are responsible for:

  • Development and enforcement of their own compliance program
  • Fines and penalties for non-compliance
  • Forensic investigations in case of breaches

Targeted Entities: Lead Actors

They take the lead role by following the director’s instructions.

Merchants: Business entities directly involved in the processing, storage, transmission, or switching of transaction data or cardholder data.

Service Providers: Same as above but on behalf of merchants.

They must ensure and maintain compliance on an ongoing basis as well as report compliance.

Assessors: Supporting Roles

In this category, the nominees are:

Qualified Security Assessors (QSA): They are qualified by the Council to assess compliance to the PCI DSS standard of merchants and service providers. They go on-site.

List of QSA: https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

Approved Scanning Vendors (ASV): They are approved by the Council to perform external vulnerability scans for the targeted entities. To date, there are about 150 approved companies, including Rapid7.

List of ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Become an Approved Scanning Vendor (ASV) in 3 Steps: https://community.rapid7.com/community/infosec/blog/2012/02/27/what-you-need-to-do-to-become-an-pci-approved-scanning-vendor-asv

Payment Application Qualified Security Assessors (PA-QSA): They have been qualified by the PCI Council to have their employees assess compliance to the PCI PA-DSS standard. To date, there are 62 qualified companies.

List of PA-QSA: https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php

Internal Security Auditors (ISA): Individual security auditor staff of targeted entities qualified by the PCI Council to perform the role of assessor for their organization. Companies using ISA do not need to be assessed by QSA.

PCI Forensic Investigators (PFI): Organizations approved by the Council to investigate the breach cases and verify the level of responsibility of the compromised entity. (See Chapter 18.)

https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

Other Available Sections in the Full Download

  • Merchant Levels: What, Who, and How

  • What's Your Type?

  • The Validation Toolbox

  • Certification Programs, Striving for Quality

  • DSS in a Nutshell

  • Defining the Scope of the PCI Assessment

  • The Prioritized Approach

  • Tokenization

  • Mind the Gap

  • Compensating Controls: Magic Trick or Mirage?

  • The World isn't Perfect

  • Nice Look!

  • Is Your Organization Behaving like a Fashion Victim or Clown?

  • Why are my Scan Reports so Thick? - Impact of "Potential" Vulnerabilities

  • What to do if Compromised?

  • Your PCI Logbook - What is Required in Terms of Log Management?

To download your full copy of this whitepaper, fill in the form at the top of the page.