Verizon 2022 Data Breach Investigations Report, 84% of data breach caseloads entailed payment account data, and 93% of data breaches had financial motives by actors. They all seek the simplest path to steal payment account data used by payment cards and related electronic payment systems. Hence the Companies dealing with the card and related payments are on the front line of a high-stakes battle for keeping payment data safe from theft and exploitation.
Vulnerabilities may appear anywhere in the card-processing ecosystem, including but not limited to:
- point-of-sale devices;
- cloud-based systems;
- mobile devices, personal computers, or servers;
- wireless hotspots;
- web shopping applications;
- paper-based storage systems;
- the transmission of cardholder data to service providers;
- remote access connections.
PCI DSS Applicability
PCI DSS is intended for all entities that store, process, or transmit cardholder data and/or sensitive authentication data or could impact the security of the cardholder data environment. This includes all entities involved in payment account processing – merchants, processors, acquirers, issuers, and other service providers. Cardholder data and sensitive authentication data are considered to account data and are defined as follows:
Account Data |
|
Cardholder Data Includes |
Sensitive Authentication Data Includes |
-Primary Account Number (PAN)
-Cardholder Name -Expiration Date -Service Code |
-Full track data (magnetic stripe data or equivalent on a chip)
-Card verification code -PINs/PIN blocks |
Entities that outsource their payment environments or payment operations to third parties remain responsible for ensuring that the account data is protected by the third party per applicable PCI DSS requirements.
PCI SSC Software Standards
All software that stores, processes, or transmits account data or that could impact the security of account data, or a cardholder data environment is in scope for an entity’s PCI DSS assessment.
The entity’s PCI DSS assessment should include verification that the software is configured correctly and securely implemented to support applicable PCI DSS requirements. Additionally, suppose PCI-listed payment software has been customized. In that case, a more in-depth review will be required during the PCI DSS assessment because the software may no longer represent the initial validated version.
Implementing PCI DSS into Business Processes
To ensure that security controls continue to be properly implemented, entities should implement PCI DSS into business-as-usual (BAU) processes as part of their overall security strategy.
Examples of best practices for how PCI DSS should be incorporated into BAU activities include, but are not limited to:
- Monitoring of security controls to ensure they are operating effectively and as intended.
- They ensure that all failures in security controls are detected and responded to promptly.
- Reviewing changes to the environment (for example, the addition of new systems, changes in the system or network configurations) prior to completion of the change to ensure PCI DSS scope is updated and controls are applied as appropriate.
- It is formally reviewing the impact on PCI DSS scope and requirements after changes to organization structure (for example, a company merger or acquisition).
- Performing periodic reviews and communications to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes.
- Review hardware and software technologies annually to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS, and remediate shortcomings as appropriate.
Approaches for Implementing and Validating PCI DSS
- Assess the requirement and identify the gaps between the existing and required processes as per standard.
- Define goals to fill the gaps
- Implement a process to achieve goals
- Monitor the process from time to time and make the necessary changes as may be required to be compliant with the standards.
PCI DSS Requirements-
- Install and maintain network security controls;
- Apply secure configurations to all system components;
- Protect stored account data;
- Protect cardholder data with strong cryptography during transmission over open, public networks;
- Protect all systems and networks from malicious software;
- Develop and maintain secure systems and software;
- Restrict access to cardholder data by business need-to-know;
- Identify users and authenticate access to system components;
- Restrict physical access to cardholder data;
- Log and monitor all access to system components and cardholder data;
- Test security of systems and networks regularly;
- Support information security with organizational policies and programs.
Hope this helps to understand the PCI-DSS requirements in your business. For any further clarity or support, please feel free to reach out to Team @Businezexcellence.com.
Happy Reading
Shilpi Kulshrestha