What is PCI (Payment Card Industry)

PCI is a family of data security standards that is intended to secure processing infrastructure of payment industry.

• PCI DSS applies to any entity that processes, stores or transmits cardholder data
• Consistent global standard applies to banks, merchants, service providers and gateways

PCI DSS applies to CREDIT and DEBIT cards

Introduction to PCI DSS

• Joint effort of
  •    VISA International
  •    MasterCard Worldwide
  •    American Express
  •    Discover Financial Services
  •    JCB
• Managed by the PCI SSC on behalf of the Card Brands (Visa, MasterCard, AMEX, Discover and JCB)
• Current version of standard is 3.1 (April 2015)
• Includes 12 security requirements (approx. 300+ sub-requirements)
• Grouped into six control objectives.
• The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
• PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
• The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
• PCI DSS applies to all entities involved in payment card processing—including merchants, processors, financial institutions, and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

Who must comply with PCI standard?

• As a global standard, the PCI DSS applies to any entity worldwide that stores, processes or transmits credit cardholder data.
• This includes financial institutions, merchants and service providers in all payment channels.
• Financial institutions include banks, insurance companies, lending agencies, and brokerages.
• Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point-of- sale that processes credit cards across all industries.
• Service providers include transaction processors, payment gateways, customer service entities, (i.e. call centres), managed service providers, web hosting providers, data centres, and Independent Sales Organizations.

Gap Assessment

• PCI DSS gap assessment, depending on the scope and size of the organization will normally be conducted in 3 days of onsite assessment.
• The deliverables of Gap Assessments will include:
  • Detailed requirement wise gaps identified and
  • The assessor recommendations in line with PCI requirements.
• Time frame: 3 days onsite + 1 week of gap assessment report writing
• Resources : 1 QSA + 1 Technical Consultant onsite
• Consultant offsite for 4 / 5 days for report writing
• QSA 2 days offsite for checking the report before releasing it to the client
• In case of large organizations like banks, service providers, BPOS with multiple sites/ locations the time frame can vary and so will be the costing

PCI DSS Implementation Challenges

• Fully understand and document the processes and payment environment
• Tracking and monitoring of access to payments card systems and data
• Controlling logical access (authentication) to systems containing payment card data
• Security event monitoring across a disparate environment
• Limited security capabilities (authentication, monitoring, etc…) of legacy systems
• Remediation of controls across large (often legacy) distributed environments
• Encryption of payment card data
• Putting PCI contractual language in place for third party service providers Obtaining management support to perform remediation