Introduction to PCI DSS: What You Need to Know

This exclusive video series, PCI Demystified, was developed to help your organization understand what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what its specific requirements are, and what your organization needs to know and do to become compliant.

Why was PCI DSS developed?

The PCI Security Standards Council is an independent third-party organization that was established for the sole purpose of managing the standards that govern the security of cardholder data. Prior to the PCI Security Standards Council, each payment card brand managed its own security standards.

Eventually, the payment card brands realized that it was counterproductive to have five different sets of standards that their clients had to audit against, so the PCI Security Standards Council and the PCI Data Security Standard were created. The PCI DSS was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The founding payment brands of the PCI Security Standards Council are Visa, Inc., MasterCard, Discover Financial Services, American Express, and JCB International.

Who are the participants in the PCI environment?

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder data or the security of that data, you are required to comply with the PCI DSS. The PCI Security Standards Council and the payment card brands are the major participants in the PCI environment: the Council maintains the standards, while the payment brands are responsible for tracking and enforcing PCI DSS compliance, setting penalties, fees, and compliance deadlines, and monitoring and facilitating investigations. The other entities impacted by the PCI DSS compliance lifecycle are acquiring banks, issuing banks, merchants, service providers, and sub-service providers.

An acquiring bank is a bank or financial institution that processes card payments on behalf of a merchant. Acquirers are subject to the payment brands’ rules and procedures and are responsible, on behalf of the payment brands, for ensuring that their merchants comply with the PCI DSS.

Issuing banks are the financial institutions that issue payment cards on a payment brand’s network and act as the intermediary between the cardholder and that network.

Merchants accept payment cards for payment and may store, process, or transmit cardholder data.

A service provider is any entity that stores, processes, or transmits cardholder data on behalf of a third party (typically a merchant), or that otherwise has the ability to impact the security of cardholder data.

A sub-service provider is any entity acting on behalf of a merchant or service provider that has active access to that merchant’s or service provider’s cardholder data environment.

Video Transcription

Introduction to PCI DSS

Hi, my name is Jeff Wilder and I am the Director of PCI Services here at KirkpatrickPrice. We wanted to develop a series of videos to talk about what the PCI DSS Security Standards are, who they apply to, and then later on, talk about the specific requirements and what you actually need to do in order to become compliant.

We want to start off the series by talking a little bit about the players within the industry. The PCI Security Standards Council is a third-party independent organization that was established about 10 years ago for the sole purpose of managing the standards themselves. Prior to the PCI Security Standards Council, each card brand managed their own standards. They realized that it wasn’t in their best interest to have five different standards and have clients having to audit against so many different standards. So, they established the Council as the sole means of managing a set of security standards that need to be applied if you interact with a Visa, MasterCard, American Express, or JCB. So in this lifecycle, we have the PCI Security Standards Council, we have the card brands themselves, and we also have what we call acquiring banks. Now these acquiring banks – if you are a merchant having a merchant relationship with a bank, if you accept a credit card for payment, you have a relationship with an acquiring bank. These acquiring banks are the entities that, really, are responsible for your compliance. They are responsible for you on behalf of the Council to ensure that you are compliant on a day-to-day basis. Next in the ecosystem, we have what we call issuing banks. Now, the issuing banks have a relationship with the individuals that have credit cards. They’re the ones that actually issue the cards. Of course we have the merchants – these are the organizations that accept the credit cards for payment. Then we have service providers. Now, service providers are any entity that would store, process, or transmit cardholder data on behalf of a third party, or otherwise have the ability to impact the security of it. If you interact with payment card data in any way, if you store, process, or transmit it, or if you have the ability to impact someone else’s cardholder information or the security of that information, you are subject to the PCI DSS standards.

In this series of videos, we’re going to be going over the requirements and talking about, not so much just what the PCI DSS Security Standards say and the individual requirements, but what it really means. How is that going to apply to your environment? What I’m going to try to do is provide you with some guidance based on my 10 years of experience in the industry as a former Council member helping to develop these standards and training for the last 2.5-3 years, prior to becoming the Director here at KirkpatrickPrice. I’m going to bring to the table all of that knowledge and information for you to use at your discretion. So, I hope you enjoy the videos. Thank you.

Mastering the PCI Audit Process Utilizing the Online Audit Manager Approach

It’s no secret that the PCI Data Security Standard is one of the most robust information security standards in existence. With approximately 400 controls, understanding all of the ins and outs of the standard can be quite a headache without the proper resources and expertise.

When selecting a third-party Qualified Security Assessor (QSA) to perform your PCI audit, we recommend choosing an auditor that can help with readiness as well as perform the actual audit. Working with an auditor on the front end of the audit process helps you identify gaps in your current controls and processes and gives you time to remediate them and make any recommended changes before you are audited for PCI compliance. Partnering with your QSA can lead to a truly educational and successful PCI audit experience.

To help ease the burden of information security requirements, KirkpatrickPrice has developed an innovative tool, known as the Online Audit Manager, that helps to streamline the audit process. This unique online methodology can help save you time, resources, and the headache that comes along with strenuous audit requirements, such as PCI DSS.

The Online Audit Manager is a tool that was developed from the expertise of experienced information systems and senior-level security auditors. The OAM connects you with your specialized auditor quickly, so you can begin to receive remote guidance early in the PCI audit process. Your experienced auditor works with you while you upload the documentation necessary to complete your PCI audit, enabling you to complete 80% of the audit before your auditor ever sets foot onsite. Within the Online Audit Manager are many free resources to help you create effective policies and procedures, ensuring that you have the proper controls in place to demonstrate your PCI compliance. The Online Audit Manager also gives you the flexibility to work on your PCI audit as you have time and to easily divide the workload among the appropriate personnel. By the end of the PCI audit process, you will have created an audit trail that demonstrates how you continue to improve and mature your security practices.

If you’d like to experience a free demo of the Online Audit Manager, contact us today. You won’t want to miss the opportunity to see the Online Audit Manager that will help make your PCI audit process, well, manageable.

Video Transcription

Our customers generally find that our approach is what sets us apart from anybody else that they might be talking to about their compliance needs. So, our approach is based on very experienced information systems and information security auditors, and also based heavily on an Online Audit Manager portal that is unique to KirkpatrickPrice.

What does that mean? The Online Audit Manager gives you the flexibility to work on your audit when you have the time to work on it, and to also connect you with our experienced auditors and then work through this process over a period of possibly several weeks, collecting the majority of that information before we actually come on site.

How does that help you? That helps you because now we’re able to spend a shorter time on site, impacting your business even less than any other audit approach would.

Why do our customers choose us? Because we have a streamlined approach, we have efficient tools that create a great process and we have very experienced auditors to help them through their compliance needs.

How Do I Become Compliant with PCI?

Becoming PCI Compliant for the first time can be an overwhelming undertaking if you are unsure of where to start. With approximately 394 controls, this comprehensive data security standard can be a large undertaking that is best tackled with expert assistance.

The first step towards achieving PCI compliance is to have a Gap Analysis performed by a PCI expert. Working with a PCI expert will help you to understand all of your business processes and understand how PCI compliance impacts your unique business organization. Your PCI expert will work through each of the requirements with you, how they relate to your business, and allow you to see how your current security posture will stand up to a PCI audit. The Gap Analysis process will uncover any missing pieces you may have in your security, and leave you with a list of recommendations that you can spend time remediating to ensure that you have everything in place you need to pass your PCI audit.

Once you’ve completed the remediation process, it’s time to reconnect with your auditor to begin the PCI audit process. Your PCI auditor will work with you through each of the PCI audit requirements, gather all of the necessary evidence, and collect all documentation to complete the PCI assessment process for you. Compliance with the PCI DSS means compliance with all of its requirements, which are grouped under the following 12 high-level requirements:

The 12 PCI Requirements

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Once the audit process is completed, you will receive your PCI Report on Compliance (ROC), which demonstrates to your clients your compliance with the data security standard. If you’re ready to start the journey toward PCI compliance, don’t hesitate to contact a PCI Qualified Security Assessor (QSA), like KirkpatrickPrice, to help you through the process, take the stress out of your PCI audit, and be confident that you will receive your PCI Report on Compliance.

Video Transcription

We get a lot of questions about how do we become PCI compliant? So that process will begin with a Gap Analysis, and that Gap Analysis is going to be one of our PCI Experts spending some time with your organization, coming to an understanding of what it is you do to make money and how PCI compliance impacts your business, talking through your business processes, gaining a firm understanding of your technology platform, and how that supports your business. Then, working through each requirement, all of the nearly 300 requirements, helping you to understand what those requirements actually mean in your business.

At the conclusion of the Gap Analysis process, you’ll end up with a list of things that you will need to work on to make sure that you have everything in place to pass the audit. Then you’ll step away and you’ll work on those remediations. When that is done, we’ll come back with our auditor and work through the audit process to gather all of the evidence, collect all of the documentation and complete the assessment process for you. When that is all done, then you will have your ROC (Report on Compliance), your attestation of compliance, and you’ll be able to demonstrate to anyone who’s asking (whether it’s a card brand or your largest customer, or anybody really who is asking for your PCI compliance status) by providing them with that documentation.

What is PCI and DSS Compliance?

This is a question KirkpatrickPrice, as a PCI QSA, is frequently asked. Let’s start with what it stands for.

PCI stands for the Payment Card Industry. When we talk about compliance, we’re talking about the PCI DSS, or Payment Card Industry Data Security Standard. The PCI DSS originated from efforts by major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

PCI DSS 3.2, the current version of the standard at the time of writing, has approximately 394 controls. These controls are organized under six control objectives and 12 high-level requirements, which address subjects such as firewall configuration, encryption, anti-virus, and information security policies. The standard’s purpose is to ensure that all of the data that lives within the Cardholder Data Environment (CDE) is protected from theft or unauthorized use. The 12 requirements are defined as follows:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

If you are a merchant, service provider, or sub-service provider that stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS. If you have any questions about the process or are looking for a PCI Qualified Security Assessor (QSA) to assist with your PCI compliance audit, contact us today.

Video Transcription

Randy Bartels of KirkpatrickPrice on PCI Compliance

PCI Compliance – what is it? We get this question a lot. PCI stands for the Payment Card Industry and they have a number of different standards. One of those standards is the Data Security Standard or the DSS. Nine times out of ten, when we’re talking to somebody about PCI compliance we’re talking to them about the Data Security Standard.

The Data Security Standard was born out of an initial effort by Visa and MasterCard, and was then joined by American Express, Discover and JCB. This is a set of nearly 300 requirements that reads kind of like a best practice document. So, these requirements are broken out into twelve domains, and those domains cover everything from firewall and having a secure network, to systems hardening and managing system configurations, to encryption in transit or in storage, antivirus, and all the way through to the very last domain covering information security policy and having an information security program.