Payment Card Industry Data Security Standard

Before the PCI DSS was launched, payment card information security was handled by the five major payment card brands: Visa, Mastercard, American Express, Discover, and JCB. They each had different independent security programs: • Visa's Cardholder Information Security Program the major payment card brands felt a growing need to streamline and unify these information security standards. Each program had its own methods and guidance regarding compliance validation, assessments, and requirements. and aligned their policies to create the PCI DSS. PCI DSS has since been implemented and followed by numerous organizations around the world. Independent private organizations can also participate in PCI development as part of the PCI Security Standards Council Participating Organization Program. To join that program, organizations must register as a PCI SSC Participating Organization (PO). Each participating organization joins a SIG (Special Interest Group) and contributes to activities mandated by the group. The PCI DSS is a living document that is regularly updated by the PCI Security Standards Council. The PCI SSC releases major version updates, such as version 4.0, approximately every few years. Minor updates, such as version 4.0.1, are released more frequently and typically add small changes or clarifications. When updates are released, organizations have a transition period during which they must become familiar with the new changes and begin ensuring compliance with the current version. The following versions of the PCI DSS have been made available: ==Requirements and control objectives==

The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives: • Build and maintain a secure network and systems • Protect cardholder data • Maintain a vulnerability management program • Implement strong access control measures • Regularly monitor and test networks • Maintain an information security policy Each PCI DSS version has divided these six requirement groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is divided into three sections: • PCI DSS requirements: Define the requirement. The PCI DSS endorsement is made when the requirement is implemented. • Testing: The processes and methodologies carried out by the assessor for the confirmation of proper implementation. • Guidance: Explains the purpose of the requirement and the corresponding content, which can assist in its proper definition. In version 4.0.1 of the PCI DSS, the twelve requirements are: • Install and maintain network security controls. • Apply secure configurations to all system components. • Protect stored account data. • Protect cardholder data with strong cryptography during transmission over open, public networks. • Protect all systems and networks from malicious software. • Develop and maintain secure systems and software. • Restrict access to system components and cardholder data by business need to know. • Identify users and authenticate access to system components. • Restrict physical access to cardholder data. • Log and monitor all access to system components and cardholder data. • Test security of systems and networks regularly. • Support information security with organizational policies and programs. ==Updates and supplemental information==

The PCI SSC (Payment Card Industry Security Standards Council) has released supplemental information to clarify requirements, which includes: • Information Supplement: Requirement 11.3 Penetration Testing • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified • Navigating the PCI DSS - Understanding the Intent of the Requirements • PCI DSS Wireless Guidelines • PCI DSS Applicability in an EMV Environment • Prioritized Approach for PCI DSS • Prioritized Approach Tool • PCI DSS Quick Reference Guide • PCI DSS Virtualization Guidelines • PCI DSS Tokenization Guidelines • PCI DSS 2.0 Risk Assessment Guidelines • The lifecycle for Changes to the PCI DSS and PA-DSS • Guidance for PCI DSS Scoping and Segmentation • PCI DSS v4.0 Resource Hub • PCI DSS Summary of Changes: v4.0 to v4.0.1 ==Merchant levels==

Merchants that store, process, and transmit cardholder data are subject to PCI DSS standards, and thus, must be deemed PCI-compliant. The PCI DSS framework classifies these entities into merchant levels that determine the type of reporting a business must complete to achieve compliance. An acquirer or payment brand may manually place an organization into a reporting level at its discretion. Not all payment card brands use all four merchant levels, and each level's transaction volume can vary among payment card brands. The four typically accepted merchant levels are: == Service provider levels ==

According to the PCI DSS, third-party service providers that store, process, or transmit cardholder data, or have access to customers’ account data are subject to PCI DSS standards. The two service provider levels are: • Level 1: • All Third-Party Processors (TPPs) • All Staged Digital Wallet Operators (SDWOs) • All Digital Activity Service Providers (DASPs) • All Business Payment Service Providers (BPSPs) • All Token Service Providers (TSPs) • All 3-D Secure Service Providers (3-DSSPs) • All Installment Service Providers (ISPs) • All Merchant Payment Gateways (MPGs) • All AML/Sanctions Service Providers, Data Storage Entities (DSEs) and Payment Facilitators (PFs) with more than 300,000 total combined Mastercard and Maestro transactions annually • Level 2: • All AML/Sanctions Service Providers, DSEs6 and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually • All Terminal Servicers (TSs) ==Compliance==

The payment card brands regularly require both merchants and service providers to demonstrate PCI DSS compliance. Merchants and service providers sign business-to-business contracts with payment processors and payment card brands, which outline such fines and fees. Obtaining PCI DSS compliance and navigating the assessment process can be complicated, which is why many businesses often struggle with this. According to Verizon's 2018 Payment Security Report, 47.5% of organizations were not PCI DSS compliant during interim compliance validation. The number of organizations achieving compliance had been steadily increasing through the early 2010s, but this increase may likely have dropped in recent years. Compliance validation Compliance validation involves the evaluation and confirmation that the security controls and procedures have been implemented according to the PCI DSS. Validation occurs through an annual assessment, either by an external entity, or by self-assessment. The assessment process includes the following steps: Internal Security Assessor An Internal Security Assessor (ISA) is an individual who has earned a certificate from the PCI Security Standards Council for their sponsoring organization, and can conduct PCI self-assessments for their organization. The ISA program was designed to help Level 2 merchants meet Mastercard compliance validation requirements. ISA certification empowers an individual to conduct an appraisal of his or her association and propose security solutions and controls for PCI DSS compliance. ISAs are in charge of cooperation and participation with QSAs. ==Compliance versus validation of compliance==

Although the PCI DSS must be implemented by all entities which process, store or transmit cardholder data and/or sensitive authentication data or could impact the security of such information, formal validation of PCI DSS compliance is not mandatory for all entities. Visa and Mastercard require merchants and service providers to be validated according to the PCI DSS; Visa also offers a Technology Innovation Program (TIP), an alternative program which allows qualified merchants to discontinue the annual PCI DSS validation assessment. Merchants are eligible if they take alternative precautions against fraud, such as the use of EMV or point-to-point encryption. Issuing banks are not required to undergo PCI DSS validation, although they must secure sensitive data in a PCI DSS-compliant manner. Acquiring banks must comply with PCI DSS and have their compliance validated with an audit. In a security breach, any compromised entity which was not PCI DSS-compliant at the time of the breach may be subject to additional penalties (such as fines) from card brands or acquiring banks. == Legal status ==

No governing body/agency requires or enforces PCI DSS compliance, but if any PCI DSS requirements conflict with country, state, or local law, the law will apply. Hence, for many European organizations, a PCI DSS breach often constitutes a GDPR breach as well, which can result in fines from both major payment card brands and the European Union. the laws of some US states refer to PCI DSS directly or make equivalent provisions. In 2007, Minnesota enacted a law prohibiting the retention of some types of payment-card data more than 48 hours after authorization of a transaction. Nevada incorporated the standard into state law two years later, requiring compliance by merchants doing business in that state with the current PCI DSS and shielding compliant entities from liability. The Nevada law also allows merchants to avoid liability by other approved security standards. In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to be PCI DSS-compliant; however, compliant entities are shielded from liability in the event of a data breach. Legal scholars Edward Morse and Vasant Raval have said that by enshrining PCI DSS compliance in legislation, card networks reallocated the cost of fraud from card issuers to merchants. ==Controversy and criticism==

The major payment card brands impose fines for non-compliance. Some business owners, small business owners especially, criticize the PCI DSS system because the payment card brands impose fines on businesses even if no fraud occurs. Stephen and Theodora "Cissy" McComb, owners of a small restaurant called Cisero's Ristorante and Nightclub in Park City, Utah, were fined for a breach for which two forensics firms could not find evidence. They claim the PCI DSS system exists primarily for major card brands to extract profit from these merchant companies rather than ensure cardholder data security. Michael Jones, who was CIO of Michaels at the time, testified before a US Congressional subcommittee about the PCI DSS: Proponents of the PCI DSS maintain that the PCI DSS may compel businesses to pay more attention to IT security, even if minimum standards are not enough to eradicate security problems. Bruce Schneier spoke in favor of the standard: PCI Council general manager Bob Russo responded to objections by the National Retail Federation: Former Visa chief enterprise risk officer Ellen Richey said in 2018, "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach". However, a 2008 breach of Heartland Payment Systems (validated as PCI DSS-compliant) resulted in the compromising of more than one hundred million card numbers. Around that time, Hannaford Brothers and TJX Companies (also validated as PCI DSS-compliant) were similarly breached as a result of the allegedly-coordinated efforts of Albert Gonzalez and two unnamed Russian hackers. News of incidents was widespread and called into question the adequacy of the PCI DSS. Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, frequently using sampling to allow compliance to be demonstrated with representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain compliance throughout the annual validation-and-assessment cycle across all systems and processes. A breakdown in merchant and service-provider compliance with the written standard may have been responsible for the breaches; Hannaford Brothers received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems. Compliance validation is required only for level 1 to 3 merchants and may be optional for Level 4, depending on the card brand and acquirer. According to Visa's compliance validation details for merchants, level-4 merchant compliance-validation requirements ("Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually") are set by the acquirer. Over 80 percent of payment-card compromises between 2005 and 2007 affected level-4 merchants, who handled 32 percent of all such transactions. == See also ==