Payment Card Industry Certification (PCI DSS): Industry Self-regulatory Efforts
This lesson focuses on the Payment Card Industry Data Security Standard (PCI DSS), which is a set of standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It explains the origins, key control objectives, and technical requirements of the PCI DSS, as well as the complexities surrounding compliance and enforcement.
1. Origins of PCI DSS:
• The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004 by major credit card companies such as American Express, MasterCard, Visa, Discover Financial Services, and JCB International.
• The PCI DSS was first issued in 2006 and is maintained by the council to promote security standards across the payment card industry.
• PCI DSS applies to all organizations that store, process, or transmit cardholder data or sensitive authentication data. This includes merchants, processors, acquirers, issuers, and service providers.
2. High-Profile Cases of Credit Card Fraud:
• The lesson highlights the notorious case of Roman Seleznev, a Russian hacker who stole millions of credit card numbers by installing malware on the networks of small retailers. He sold the stolen card numbers online for $20 to $30 each.
• Another well-known case is the 2015 breach of Target, where attackers exfiltrated 40 million credit card numbers. These incidents, along with many others, led to the creation of the PCI DSS.
3. PCI DSS Control Objectives:
• PCI DSS establishes six main control objectives, which organizations must follow to secure cardholder data:
1. Build and Maintain a Secure Network: Requires firewalls, updated system passwords, and other network-layer security controls.
2. Protect Cardholder Data: Specifies how cardholder data must be stored and protected, including rules for encrypting it both at rest and in transit.
3. Maintain a Vulnerability Management Program: Ensures that organizations maintain secure systems and applications, including the use of antivirus software and timely patching of vulnerabilities.
4. Implement Strong Access Control Measures: Requires organizations to limit access to cardholder data to only those with a legitimate need to know, and to ensure that users have unique identities when accessing data.
5. Regularly Monitor and Test Networks: Involves conducting regular penetration tests, monitoring all access to cardholder data, and ensuring systems are continuously monitored.
6. Maintain an Information Security Policy: Requires organizations to maintain security policies that reflect the most up-to-date PCI DSS requirements.
4. Challenges with PCI DSS Compliance:
• Two of the most challenging aspects of PCI DSS are segmentation and encryption:
• Segmentation: PCI DSS requires organizations to isolate credit card-related networks from other parts of the organization. If segmentation is not possible, all systems and hosts must comply with PCI DSS, which can be expensive and complex.
• Encryption: Organizations must encrypt data at rest (stored data) as well as data in transit. This involves implementing cryptography at both the database and physical storage level, regularly updating encryption keys, and securely storing these keys away from the data.
5. Specific Controls for Cardholder Data:
• PCI DSS includes specific rules for handling Personal Account Numbers (PANs) and verification codes:
• Storing verification codes (the three- or four-digit number on the back of cards) is prohibited after a transaction is authorized.
• Organizations must mask PANs when displayed and render them unreadable when stored. PCI DSS provides four methods for achieving this, including encryption and truncation.
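The masking and truncation rules above are easy to get wrong in application code, so here is an added example (not part of the lesson, and not taken from the PCI DSS documents themselves) that shows how they might be implemented. It masks a PAN for display, truncates it for storage, drops the verification code from a record once the transaction is authorized, and scrubs PAN-shaped digit runs out of free text such as log lines. The PAN used is a constructed, well-known test number, not a real account; the "keep at most the first six and last four digits" limit is the PCI DSS masking rule, while the record layout and function names are the example's own assumptions.

```python
"""Added example: PAN masking, truncation and verification-code handling.
Not the lesson's code and not from the PCI DSS documents; see lead-in."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample PAN: a well-known test number, not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed log line with the test PAN embedded in it.
SAMPLE_LOG = "order=9137 pan=4111111111111111 amount=42.00"

PAN_RE = re.compile(r"^\d{13,19}$")                  # a PAN is 13 to 19 digits
PAN_IN_TEXT = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # digit runs inside free text


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that a digit run is PAN-shaped."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_for_display(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS permits showing at most the first six
    and last four digits; every other digit is replaced by '*'."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("not a PAN")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("masking may reveal at most the first 6 and last 4 digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[len(pan) - keep_last:]


def truncate_for_storage(pan: str) -> str:
    """Truncation: permanently discard the middle of the PAN so the stored
    value cannot be reconstructed. Keeps first six (issuer id) and last four."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("not a PAN")
    return pan[:6] + pan[-4:]


@dataclass
class TransactionRecord:
    """Hypothetical in-memory record as received from the payment form."""
    pan: str
    expiry: str
    verification_code: Optional[str]   # CVV2/CVC2: must never be persisted
    authorized: bool = False


def prepare_for_storage(rec: TransactionRecord) -> dict:
    """Return only the fields that may be written to the database after
    authorization: a truncated PAN, a display form, and the expiry date.
    The verification code is dropped unconditionally."""
    if not rec.authorized:
        raise ValueError("nothing is persisted before the transaction is authorized")
    return {
        "pan_truncated": truncate_for_storage(rec.pan),
        "pan_display": mask_for_display(rec.pan),
        "expiry": rec.expiry,
        # verification_code deliberately absent
    }


def scrub_text(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text (a log line, an
    error message) with its masked form so PANs do not leak into logs."""
    def _mask(m: "re.Match[str]") -> str:
        digits = m.group(0)
        return mask_for_display(digits) if luhn_valid(digits) else digits
    return PAN_IN_TEXT.sub(_mask, text)


if __name__ == "__main__":
    rec = TransactionRecord(SAMPLE_PAN, "12/29", "123", authorized=True)
    print(mask_for_display(SAMPLE_PAN, keep_first=6))
    print(prepare_for_storage(rec))
    print(scrub_text(SAMPLE_LOG))
```

Note that `scrub_text` only catches PANs written as one unbroken digit run; a PAN logged with spaces or dashes between groups would slip past this regex, which is one reason the lesson's point about keeping cardholder data out of non-segmented systems matters more than any after-the-fact scrubbing.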
6. Compliance Validation and Enforcement:
• Compliance is monitored by the payment brands, not the PCI council itself. Large merchants are required to hire a Qualified Security Assessor (QSA) to validate their compliance, while smaller merchants complete a self-assessment questionnaire (SAQ) annually.
• For smaller organizations, compliance can be costly and time-consuming. For example, at Georgia Tech, a smaller merchant, the self-assessment process took four months and involved two employees full-time.
• Though compliance is technically voluntary, payment card companies can impose fines or exclude merchants from their networks for non-compliance, making adherence to the standard essential for organizations handling card transactions.
7. Industry Self-Government:
• PCI DSS is an example of industry self-regulation, where a few dominant credit card companies created standards for cybersecurity. While compliance is voluntary, the financial liability and risk of being excluded from credit card networks incentivize businesses to adhere to the standards.
• The credit card companies bear most of the financial liability in the case of fraud, which has encouraged them to impose these standards and monitor compliance.
Conclusion:
This lesson explores the PCI DSS standards, emphasizing their importance in securing cardholder data in the digital age. The lesson also highlights the complexities and costs of compliance, as well as the role of the credit card industry in setting and enforcing cybersecurity standards. Through self-regulation, the industry has established a global framework to ensure that businesses that handle credit card transactions protect sensitive information.