Who has to comply with PCI-DSS? What are the obligations?
Let's start at the beginning.
Although it is a standard that must be complied with in the payment method industry, PCI-DSS has two main problems from my point of view: Firstly, that the knowledge of the standard is generally very poor and secondly, which is thought to be very difficult to meet. The objective of this blog is to solve these problems while complementing it with additional information regarding Guides and news that appear related to PCI. In general, the line to follow in this blog is to detail a PCI compliance roadmap- DSS so that we are able to address it in the most agile way possible. The ultimate goal of this blog is to be a guide to be able to comply with PCI-DSS in a month. Yes, in a month. Let's adopt Obama's 'yes, we can' and step by step you will see that it is possible.How am I going to do it?The standard is made up of 12 requirements, and although I will create a blog post for each of them, in this post I am not even going to name them since it is easy to obtain them anywhere or, of course, on the official website: https://www.pcisecuritystandards.org/Nor am I going to follow the order of the requirements, no. I am going to focus on the steps that organizations must take to meet the requirements, that is, I am going to generate a PCI compliance 'roadmap' with the objective, as I have said, of complying with PCI in a month. Assuming that the organization to comply with PCI-DSS is either a bank, a service provider or it is a large retailer, the first step to take is the creation of a Multidisciplinary Group, in which there are Security personnel, Systems , Production/Operations, Development and of course, that it is supported by the organization's management because everything starts there. As an addition, I would include a consultant with experience in the subject. The group is already formed, and now that?The idea of creating this group is that everyone deals with the area for which they are directly responsible, but at the same time, there are communication channels since there are tasks that require the involvement of heterogeneous groups. In this first meeting, the most important tasks or those that take the most time should be assigned to each person in charge. Finally, the group must meet (please, meetings of only 1 hour maximum) weekly at the latest. If our objective is to comply with PCI-DSS in 1 month, the periodicity could become daily.What are the first tasks to tackle? Who should do them?1. Creation/Publication of a Security PolicyAlthough it is the last requirement of PCI-DSS, for me it is of paramount importance. An information security policy must be defined (and of course documented) that is APPROVED by management so that it is mandatory for the entire organization. We will detail how to carry it out in future posts.2. Test/Monitor networks and applications that are accessible from the Internet.For this work, it is NOT necessary initially that it be a company that has the ASV (Approved Scanning Vendors) certification. The idea here is to have a first idea of where we are, what we are facing and start solving problems.3. Inventory of equipment, systems and network diagrams
In this personal systems task, you must detail the network infrastructure, inventory the equipment (if it has not already been done) and network devices (firewalls, routers, etc.) and above all, determine network segments in which card details can be found. This will obviously be obtained in conjunction with the next task.4. Inventory of applications or systems that make use of card data.Development, operations and possibly systems personnel must determine the applications or systems through which card data is transmitted, processed or stored and also indicate where said applications are executed. If it is a virtualized environment, we should not worry at first, I will create a specific entry for these cases.5. Inventory of data stores containing card data
Development, operations, and eventually systems staff will need to determine where card data is stored and how it is stored (clear or protected in some way).6. Evaluate corporate antivirus solution, malware, etc.
This is PCI-DSS requirement 5. The key issue is no longer having an antivirus solution, since every halfway decent organization has one, but that the antivirus also has malware protection, that it alerts administrators when a virus is located and that audit logs of all these are recorded. actions, if possible, that said log can be accessible through a centralized console. As a first approximation, these tasks are the most appropriate.
In future posts we will see the following tasks to be addressed and where possible, I will recommend tools to use to help in the process. As for the tasks already exposed, the recommended tools are:
• Text edition: Word(commercial) / Open Office Writer(free)
• Lists/Spreadsheets: Excel (commercial) / Open Office Calc(free)
• Diagrams: Visio (commercial)
• Antivirus: Panda (commercial)
As a summary, we see that at first, the work is more about research and documentation than installing tools and creating procedures. This is a recurring question that I face, so I have decided to make a brief summary of the state of the art along with my own opinions/reflections. According to the PCI-DSS regulations, and I quote: “PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data”. This means that merchants, processors, acquiring and issuing entities and service providers and in general any entity that stores, processes or transmits card data must comply with PCI-DSS.Obligations of businessesWell, what does it mean to comply with PCI-DSS? In general, the card brands (VISA, MASTER, JCB, AMEX, DISCOVER) define levels of compliance for merchants, which are:• VISA• MASTER• JCB• AMEX• DISCOVERFor each level of merchant compliance, a series of obligations are established. In general, 4 levels are defined for the case of merchants, mainly based on the number of transactions/year:Tier-1 Trades:It involves the performance of an annual audit by a QSA who would fill out a ROC (Report Of Compliance) that would be sent to each of the brands. In this audit, an exhaustive study of the merchant's compliance status is carried out, as well as various security controls (Quarterly network scans by an ASV, etc). Level-1 merchants are understood to be those that process the following number of transactions /year:
- More than 6 million VISA, MASTER or DISCOVER transactions.
- More than 2.5 million AMEX transactions
- More than 1 million JCB transactions
Additionally, Level-1 businesses are also considered to be those that have suffered an attack in which card data has been compromised or any that a brand considers should be Level-1.Level-2 Trades:Level-2 businesses are understood to be those that process the following number of transactions/year:
- Between 1 and 6 million VISA, MASTER or DISCOVER transactions.
- Between 50K and 2.5 million AMEX transactions
- Less than 1 million JCB transactions
At this level, merchants are not required to conduct an annual PCI-DSS audit; instead, they must fill out a self-assessment form known as a SAQ (Self-Assessment Questionnarie). However, things are not that easy; In the case of MASTER, by June 2012 it will be mandatory that if they want to submit an SAQ, it must be filled out by a person who has the PCI SSC ISA (Internal Security Auditor) certificate and for this, they must attend the courses organized by the Council. Otherwise, an annual Audit must be carried out by a QSA. This can get even more complicated if it turns out that a business that is not Level-2 in MASTER due to the number of transactions, but is for VISA, is also automatically considered Level-2 in MASTER. In the end… a wonder.Level-3 Trades:This level is specifically designed for e-commerce transactions and, furthermore, not all brands consider it. Level-3 businesses are understood to be those that process the following number of transactions/year:
- Between 20K and 1 million VISA, MASTER, or DISCOVER eCommerce transactions.
- Less than 50K AMEX transactions
The question remains as to how those businesses that carry out less than 1 million e-commerce transactions but also carry out transactions through other channels and that the sum exceeds one million transactions are classified. Would it be Level-2 or Level-3? The trade would tell you without hesitation that Level-3.Level-4 Trades:This is the least restrictive level of all. The only obligation in these cases is to fill out the SAQ and it is recommended to carry out a quarterly network scan, although it is left to the consideration of the acquiring entity whether or not to oblige the merchants to carry it out. Obviously, this implies that no entity does.Other issues to consider for merchantsHow is the number of transactions determined? In general, it is the acquiring entities that work with the merchant who must 'inform' the brands of the level of the particular merchant. But of course, if the businesses work with several acquiring entities, cataloging is a bit complicated. On the other hand, there remains the question of how to consider certain businesses that act as a brand but act in an isolated manner for accounting purposes. This is the case of businesses operating in franchise format, although this seems to be being considered by VISA when introducing a new SP category, the so-called 'Corporate Franchise Servicer' (CFS).In summary, it is convenient for businesses not to be considered Level-1 since carrying out an Audit is costly in terms of time and money. VISA USA has published a PCI-DSS compliance statistics in which it indicates that there are only 377 Level-1 businesses.Service Providers (SP)What is meant by SP? SPs are organizations that provide services to merchants, financial entities and/or other entities related to the processing of transactions. SPs include Processors, Third-Party processors, and Gateway providers, among others. In general, any entity that performs or provides services related to the means of payment to third parties. In this section you will also find Financial Entities that perform certain services: for example Clearing & Settlement, Backup Authorizations, etc. to other financial entities. A priori, the case of Service Providers (SP) is a priori simpler. There are only two levels, although I would dare to say that there is only one, Level-1.SP Level-1:Level-1 SPs are understood to be those that process the following number of transactions/year:
- More than 300K transactions VISA, MASTER.
- Any number of DISCOVER, AMEX or JCB transactions
It involves the performance of an annual audit by a QSA generating the ROC (Report Of Compliance) that is sent to each of the brands with which it operates and the performance of quarterly network scans by an ASV.SP Level-2:Level-2 SPs are understood to be those that process the following number of transactions/year:
- Less than 300K transactions VISA, MASTER.
At this level it is only necessary to fill out the ROC and perform quarterly network scans by an ASV.Acquiring and Issuing EntitiesWhat are the obligations of the Entities? Do they need to be PCI-DSS compliant?All these questions are common and the truth is that brands do not give definitive answers. I am going to try to shed some light. First of all, all Entities (Acquirers or Issuers) are required to comply with PCI-DSS. Of course, the brands do not force entities to pass annual audits. The only brand that makes such a consideration is DISCOVER, which qualifies Acquiring Entities as 'Service Providers' (SP). There is also a mention by US VISA which indicates that all VISA member Issuers that are directly connected to VISANET or that process on behalf of another VISA member must annually validate their compliance with PCI-DSS, which implies an Audit. For the rest of the cases, it leaves it as a 'best practice'. Of course, it is an informative bulletin of VISA USA and not of VISA Europe. There is also a very interesting mention that a financial institution that uses its ATMs for the acquisition of goods or services beyond the typical operations of an ATM, for example to buy concert tickets, etc., could be considered a merchant for PCI-DSS purposes. Acquiring entities, on the other hand, are responsible for placing their merchants in the respective PCI-DSS compliance levels that they appropriate and to inform the brands of the level of each store. If it were incurred in either not informing the brands or doing it incorrectly, the Entities would be fined by the brands.