Who has to comply with PCI-DSS? What are the obligations?


Let’s start at the beginning

Although it is a mandatory standard in the payment card industry, PCI-DSS has two main problems from my point of view: firstly, knowledge of the standard is generally very poor, and secondly, it is thought to be very difficult to achieve. The purpose of this blog is to address both problems, while complementing that with additional information on guides and news related to PCI.


In general, the line this blog will follow is to lay out a PCI-DSS compliance roadmap so that we can tackle it as quickly as possible. The ultimate goal of this blog is to be a guide for achieving PCI-DSS compliance in a month. Yes, in a month. Let’s adopt Obama’s ‘yes, we can’ and, step by step, you will see that it is possible.
How am I going to do it?
The standard is made up of 12 requirements, and although I will write a blog entry for each of them, in this post I will not even name them, since they are easy to obtain on any site or, of course, on the official website: https://www.pcisecuritystandards.org/


Nor will I follow the order of the requirements. I will focus instead on the steps that organizations must take to meet the requirements, that is, I will generate a “roadmap” for PCI compliance with the objective, as I said, of complying with PCI in a month. Assuming that the organization that has to comply with PCI-DSS is a banking entity, a service provider or a large retailer, the first step is the creation of a multidisciplinary group that includes Security, Systems, Production / Operations and Development personnel and, of course, that is backed by the organization’s management, because everything starts there. Ideally it would also include a consultant with experience in the subject.


The group is already formed, and now what?
The idea behind creating this group is that each member takes care of the area for which they are directly responsible, while at the same time communication channels exist, since there are tasks that need the involvement of several different teams. In this first meeting you should assign the most important or most time-consuming tasks to each person responsible. Finally, the group must meet (please, meetings of 1 hour maximum) at least weekly. If our goal is to comply with PCI-DSS in 1 month, the frequency could become daily.


What are the first tasks to address? Who should do them?
1. Creation / publication of a Security Policy
Although this is the last PCI-DSS requirement, it is of paramount importance to me. You must define (and, of course, document) an information security policy that is APPROVED by management so that it is mandatory for the entire organization. We will detail how to carry it out in future entries.
2. Test / monitor networks and applications that are accessible from the Internet
For this work it is NOT necessary, at first, to use a company that holds ASV (Approved Scanning Vendor) certification. The idea here is to get a first picture of where we are and what we face, and to start solving problems.
3. Inventory of equipment, systems and network diagrams
In this task, Systems personnel must document the network infrastructure, inventory the equipment (if this has not already been done) and the network devices (firewalls, routers, etc.) and, above all, determine the network segments in which card data can be found. This will obviously be obtained in conjunction with the following task.
4. Inventory of applications or systems that make use of card data
Development, Operations and possibly Systems personnel should determine the applications or systems through which card data is transmitted, processed or stored, and also indicate where those applications run. If it is a virtualized environment, it should not worry us at first; I will write a specific entry for these cases.
5. Inventory of data stores containing card data
Development, Operations and possibly Systems personnel should determine where card data is stored and how it is stored (in the clear or protected in some way).
6. Evaluate the corporate antivirus / anti-malware solution
This is requirement 5 of PCI-DSS. The key issue is no longer simply having an antivirus solution, since every moderately decent organization has one, but that the antivirus also provides malware protection, alerts administrators when a virus is found, and records audit logs of all these actions, ideally in a log that can be accessed through a centralized console. As a first approach, these tasks are the most appropriate.


In the next entries we will see the following tasks to be addressed and, where possible, I will recommend tools to help in the process. With regard to the tasks already described, the recommended tools are:

• Text editing: Word (commercial) / Open Office Writer (free)
• Lists / Spreadsheets: Excel (commercial) / Open Office Calc (free)
• Diagrams: Visio (commercial)
• Antivirus: Panda (commercial)


In summary, we see that at first the work is more research and documentation than installing tools and creating procedures.


This is a recurring question that I face, so I have decided to write a small summary of the state of the art along with my own opinions / reflections.


According to the PCI-DSS standard, and I quote: “PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data”. This means that merchants, processors, acquiring and issuing entities, service providers and, in general, any entity that stores, processes or transmits card data must comply with PCI-DSS.


Obligations of merchants
Well, what does it mean to comply with PCI-DSS? In general, the card brands (VISA, MASTER, JCB, AMEX, DISCOVER) define compliance levels for merchants, which are:


For each merchant compliance level, a series of obligations is established. In general, 4 levels are defined for merchants, based mainly on the number of transactions / year:


Merchants Level-1:
It involves an annual audit by a QSA, who fills out a ROC (Report on Compliance) that is sent to each of the brands. In this audit an exhaustive study of the merchant’s compliance status is carried out, together with various security controls (quarterly network scans by an ASV, etc.).
Level-1 merchants are those that process the following number of transactions / year:
  • More than 6 million VISA, MASTER or DISCOVER transactions.
  • More than 2.5 million AMEX transactions
  • More than 1 million JCB transactions
Additionally, Level-1 merchants also include those that have suffered an attack in which card data was compromised, or whatever a brand decides should be Level-1.


Merchants Level-2:
Level-2 merchants are those that process the following number of transactions / year:
  • Between 1 and 6 million VISA, MASTER or DISCOVER transactions.
  • Between 50K and 2.5 million AMEX transactions
  • Less than 1 million JCB transactions
At this level, merchants are not required to undergo an annual PCI-DSS audit; instead, they must complete a self-assessment form known as an SAQ (Self-Assessment Questionnaire). However, things are not so easy. In the case of MASTER, from June 2012 it will be mandatory that, if a merchant wants to submit an SAQ, it be filled out by a person holding the PCI SSC ISA (Internal Security Assessor) certificate, and to obtain it they must attend the courses organized by the Council; otherwise, an annual audit must be carried out by a QSA. This is further complicated by the fact that a merchant which, by number of transactions, is not Level-2 for MASTER but is Level-2 for VISA is automatically considered Level-2 for MASTER as well. Anyway … wonderful.


Merchants Level-3:
This level is specifically designed for e-commerce transactions and, in addition, not all brands recognize it. Level-3 merchants are those that process the following number of transactions / year:
  • Between 20K and 1 million VISA, MASTER or DISCOVER e-commerce transactions.
  • Less than 50K AMEX transactions
There remains the question of how to classify merchants that perform fewer than 1 million e-commerce transactions but also carry out transactions through other channels, such that the total exceeds one million transactions. Would they be Level-2 or Level-3? The merchant would tell you without hesitation: Level-3.


Merchants Level-4:

It is the least restrictive level of all. The only obligation in these cases is to fill in the SAQ; performing a quarterly network scan is recommended, although it is left to the acquirer’s discretion whether or not to require merchants to do so. Obviously, this means that no acquirer does.


Other issues to consider for merchants
How is the number of transactions determined? In general, it is the acquirers that work with the merchant who must ‘inform’ the brands of the merchant’s level. But of course, if a merchant works with several acquirers, classification becomes a bit complicated.
On the other hand, there is the question of how to treat certain merchants that operate under a single brand name but act independently. This is the case of merchants operating as franchises, although VISA seems to have addressed this by introducing a new category of SP, the so-called ‘Corporate Franchise Servicer’ (CFS).
In short, it is in merchants’ interest not to be classified as Level-1, since conducting an audit is costly both in time and in money. VISA USA has published a PCI-DSS compliance statistic indicating that there are only 377 Level-1 merchants.
Service Providers (SP)
What is meant by SP? SPs are organizations that provide services to merchants, financial entities and / or other entities related to transaction processing. SPs include Processors, Third-Party Processors and Gateway providers, among others; in general, any entity that performs or provides payment-related services to third parties. This category also includes Financial Entities that perform certain services (for example Clearing & Settlement, Backup Authorizations, etc.) for other financial entities.


A priori, the case of Service Providers (SP) is simpler. There are only two levels, although I would dare to say that there is really only one, Level-1.


SP Level-1:
Level-1 SPs are those that process the following number of transactions / year:
  • More than 300K VISA or MASTER transactions.
  • Any number of DISCOVER, AMEX or JCB transactions
It implies an annual audit by a QSA, who generates the ROC (Report on Compliance) that is sent to each of the brands with which the SP operates, together with quarterly network scans by an ASV.


SP Level-2:
Level-2 SPs are those that process the following number of transactions / year:
  • Less than 300K VISA or MASTER transactions.
At this level it is only necessary to fill in the ROC and perform quarterly network scans by an ASV.


Acquiring and Issuing Entities


What are the obligations of the Entities? Must they comply with PCI-DSS?
These questions are common and the truth is that the brands do not give definitive answers. I’m going to try to shed some light.


First, all Entities (Acquirers or Issuers) are required to comply with PCI-DSS. However, the brands do not require entities to pass annual audits. The only brand that does so is DISCOVER, which classifies Acquiring Entities as ‘Service Providers’ (SP).


There is also a VISA USA statement that all VISA Member Issuers that are directly connected to VISANET, or that process on behalf of another VISA member, must validate their PCI-DSS compliance annually, which implies an audit. For all other cases it is left as a “best practice”. Note, though, that this is a bulletin from VISA USA and not from VISA Europe.


There is also a very interesting mention that a financial institution that uses its ATMs for the purchase of goods or services beyond the typical operations of an ATM, for example to buy concert tickets, could be considered a merchant for PCI-DSS purposes.
Acquiring entities, on the other hand, are responsible for placing their merchants in the respective PCI-DSS compliance levels and informing the brands of each merchant’s level. If they fail to inform the brands, or do so incorrectly, the Entities would be fined by the brands.
