PCI DSS. A Pocket Guide EXTRACT. Fourth edition ALAN CALDER GERAINT WILLIAMS

Transcription

1

2 PCI DSS A Pocket Guide Fourth edition ALAN CALDER GERAINT WILLIAMS

3 Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the authors cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the authors, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the authors. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address: IT Governance Publishing IT Governance Limited Unit 3, Clive Court Bartholomew s Walk Cambridgeshire Business Park Ely Cambridgeshire CB7 4EA United Kingdom

4 Alan Calder and Nicki Carter 2008, 2010, Alan Calder and Geraint Williams 2013, 2015 The authors have asserted the rights of the authors under the Copyright, Designs and Patents Act, 1988, to be identified as the authors of this work. First published in the United Kingdom in 2008 by IT Governance Publishing: ISBN Second edition published in 2011: ISBN Third edition published in 2013: ISBN Fourth edition published in 2015 ISBN:

5 FOREWORD Target dates for compliance with the PCI DSS have all long since passed, and the Standard is now on its third version. Many organisations around the world particularly those that fall below the top tier of payment card transaction volumes are not yet compliant. There are perhaps three reasons for this. The first is that, outside a few US States, the PCI DSS has no legal status: it is not a law and does not have the force of law. Enforcement can only be carried out by contractual means, in a competitive payment card marketplace. The UK s Information Commissioner, however, has said that compliance with the PCI DSS shows due diligence in protecting cardholder data, and has effectively imposed it as law through the threat of fines for failure to comply. 1 The second is that enforcement is driven by the card payment brands, through the banks that have the commercial relationships with the merchants that are supposed to comply. While enforcement has become more rigorous over the last three years, it is still inconsistent. The third is that the PCI DSS is extremely prescriptive, and takes a determined one-size-fits-all approach to information security requirements. Compliance is therefore seen as both expensive and bureaucratic. 1

6 Foreword It is not surprising, therefore, that merchants have tried to avoid compliance with this Standard. This is a short-sighted and high-risk stance to adopt rather like assuming that your business has no exposure to acts of nature or IT failure and does not, therefore, require a business or IT service continuity plan. All businesses that accept payment cards are prey for hackers and criminal gangs that seek to steal payment card and individual identity details. Many attacks are highly automated, seeking out website and payment card system vulnerabilities remotely, using increasingly sophisticated tools and techniques. When a vulnerability is discovered, an attack can start without the management or staff of the target company having any awareness of what is going on. When the attack is exposed most breaches go undetected for months, and are often found by third parties, such as payment brands conducting fraud checks the target company will be exposed to a harsh and expensive set of repercussions. These will range from customer desertion and brand damage to significant penalties and operating requirements imposed by their acquiring bank, which will include a future level of monitoring at a level normally applicable to only the very largest of merchants. Penalties can also include expensive forensic investigation by accredited PCI Forensic Investigators (PFI); they could also be made designated entities by the payment brands or the acquirers, requiring an

7 Foreword additional level of validation to prove compliance in the future. The PCI DSS is designed to ensure that merchants are protecting cardholder data effectively. It recognises that not all merchants have the technical understanding to identify the necessary steps and short circuits to avoid danger. All merchants and their service providers should therefore ensure that they comply with the PCI DSS, and that they stay compliant. If the solution cannot be found internally or through the service provider, then training and consultancy is the solution. Apart from anything else, if every merchant cooperates in the fight against the theft of cardholder data, we might make it easier in the long run for all our payment card customers.

8 ABOUT THE AUTHORS Alan Calder is a leading author on IT governance and information security issues. He is the chief executive of IT Governance Ltd, the one-stop shop for books, tools, training and consultancy on governance, risk management and compliance. Alan is an international authority on information security management and on ISO (formerly BS 7799), the international security Standard, about which he wrote, with colleague Steve Watkins, the definitive compliance guide, IT Governance - An International Guide to Data Security and ISO27001/ISO This work is based on his experience of leading the world s first successful implementation of BS 7799 and is the basis for the UK Open University s postgraduate course on information security. The sixth edition was published in Other books written by Alan include The Case for ISO27001:2013 and Nine Steps to Success: An ISO27001:2013 Implementation Overview, as well as several pocket guides. Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets. Geraint Williams is a knowledgeable and experienced senior information security consultant and PCI QSA, with a strong technical background

9 About the Authors and experience of the PCI DSS and security testing. Geraint has provided consultancy on implementing the PCI DSS and has conducted audits with a wide range of merchants and service providers as well as performing penetration testing and vulnerability assessments for various clients. Geraint leads the IT Governance CISSP Accelerated Training Programme along with the PCI Foundation and Implementer training courses. He has broad technical knowledge of security and IT infrastructure, including high-performance computing and Cloud computing. His certifications include CISSP, PCI QSA, CREST Registered Tester, CEH & CHFI.

10 ACKNOWLEDGEMENTS The PCI DSS, copies of which are freely available (although subject to licence) from the PCI Security Standards Council (PCI SSC), is, of course, the PCI SSC s copyright. This pocket guide is not a substitute for acquiring and reading the Standard itself. Every reader of this pocket guide should obtain a copy of the PCI DSS from: documents.php This pocket guide contains many references to, and summaries of, material that is freely and more comprehensively available on the PCI SSC website and elsewhere. It is intended to be a handy, comprehensive reference tool that contains in one place all the information that anyone dealing with the PCI DSS and related issues might need. It is also a pocket guide, not a comprehensive manual 1 on implementing PCI DSS. IT Governance offers dedicated PCI DSS courses at both foundation and implementation levels, allowing businesses to quickly get to grips with PCI SSC requirements. 2 1 If you are looking for a comprehensive PCI DSS implementation manual, one is available at 2

11 CONTENTS Chapter 1: What is the Payment Card Industry Data Security Standard (PCI DSS)? Chapter 2: What is the Scope of the PCI DSS? Chapter 3: Compliance and Compliance Programmes Chapter 4: Consequences of a Breach Chapter 5: How do you Comply with the Requirements of the Standard? Chapter 6: Maintaining Compliance Chapter 7: PCI DSS The Standard Chapter 8: Aspects of PCI DSS Compliance.. 38 Chapter 9: The PCI Self-Assessment Questionnaire (SAQ) Chapter 10: Procedures and Qualifications Chapter 11: The PCI DSS and ISO/IEC Chapter 12: The Payment Application Data Security Standard (PA-DSS) Chapter 13: PIN transaction Security (PTS).. 58 IT Governance Resources... 60

12 CHAPTER 1: WHAT IS THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)? The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five founding payment brands of the PCI Security Standards Council (PCI SSC, at American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa. The PCI DSS consists of a standardised, industrywide set of requirements and processes for security management, policies, procedures, network architecture, software design and critical protective measures. The PCI DSS must be met by all organisations (merchants and service providers) that transmit, process or store payment card data, or directly or indirectly affect the security of cardholder data. If an organisation uses a third party to manage cardholder data, the organisation has a responsibility to ensure that this third party is compliant with the PCI DSS. The PCI DSS (sometimes referred to as a compliance standard) is not a law. It is a contractual obligation applied and enforced by means of fines or other restrictions directly by the payment providers themselves. The currently applicable version of the PCI DSS, since April 2015, is version 3.1; subject to licence,

13 1: What is the Payment Card Industry Data Security Standard (PCI DSS)? it can be freely downloaded 1. It is published and controlled by the independent PCI SSC on behalf of its five founding members. In June 2015, the PCI SSC introduced the concept of designated entities high-risk entities that can be prescribed a set of supplemental validation requirements to demonstrate ongoing security efforts to protect payments. The SSC also defines qualifications for Qualified Security Assessors (QSAs), Internal Security Assessors (ISA), PCI Forensic Investigators (PFI), PCI Professionals (PCIP), Qualified Integrators and Resellers (QIR), and Approved Scanning Vendors (ASVs). It trains, tests, certifies and runs quality assurance programmes for these certifications. The PCI DSS is a set of 12 requirements that are imposed on merchants and other related parties. These 12 requirements are described later in this pocket guide. 1 ments.php.

14 1: What is the Payment Card Industry Data Security Standard (PCI DSS)? Key definitions 2 and acronyms in the PCI DSS: Acquirer Bank, which acquires merchants i.e. the bank with which you have your e-commerce bank account. Payment brand Visa, MasterCard, Amex, Discover, JCB. Merchant Sells products to cardholders. Service provider A business entity, directly or indirectly involved in the processing, storage, transmission and switching of cardholder data. This includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data. PAN Primary Account Number (the up-to-19- digit payment card number). Service providers include: TPPs Third Party Processors who process payment card transactions (including payment gateways). DSEs Data Storage Entities who store or transmit payment card data. 2 There is a formal English glossary available at v20.pdf.

15 1: What is the Payment Card Industry Data Security Standard (PCI DSS)? QSA Qualified Security Assessor someone who is trained and certified to carry out PCI DSS compliance assessments. ISA Internal Security Assessor someone who is trained and certified to conduct internal security assessments. ASV Approved Scanning Vendor an organisation that is approved as competent to carry out the security scans required by the PCI DSS. PFI PCI Forensic Investigator an individual trained and certified to investigate and contain information security breaches involving cardholder data. DESV Designated Entities Supplemental Validation those entities designated by payment brands or acquirers as being higher risk and needing to meet supplemental requirements.

16 PCI DSS: A Pocket Guide Explains the fundamental concepts of PCI DSS version 3.1. Perfect as a quick reference for PCI professionals, or as a handy introduction for new staff. Covers the consequences of a data breach and how to comply with the Standard, giving real, practical insights for the reader. Buy your copy today