PCI DSS Certification: Everything You Need to Know

Data is protected according to the international PCI DSS standard.

In several earlier publications we have already looked at some international information security standards. However, they mainly applied to in-house, i.e. internal company, infrastructure. The clearest understanding of information security comes when security is directly tied to finance, when its significant impact on the business can be expressed in numbers. So today we will talk about security in financial institutions such as banks, credit organizations, payment agents, etc. They all handle money transfers, which means they fall within the scope of the industry standard PCI DSS (Payment Card Industry Data Security Standard).


The PCI DSS standard is designed to ensure the security of processing, storage and transmission of payment cardholder data in the information systems of companies working with the international payment systems Visa, MasterCard and others. The standard was developed by the PCI Security Standards Council, which includes world leaders in the payment card market: American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The PCI DSS requirements apply to all companies that process, store or transmit cardholder data (banks, processing centers, service providers, e-commerce systems, etc.). In Russia, compliance with PCI DSS has been mandatory for the relevant organizations since 2007.

According to the results of an Analysys Mason study, approximately 42% of cloud service providers comply with the payment card industry data security standard (PCI DSS, Payment Card Industry Data Security Standard). The standard applies worldwide to all organizations that process credit cards and store or transmit cardholder information. It was introduced to give the payment card industry more control over sensitive data and eliminate the possibility of data leakage. It is also designed to protect consumers from fraud or identity theft when they use credit cards.

According to both the Visa and MasterCard classifications, systems that process, store or transmit data on more than 6 million transactions per year are classified as Level 1 and are obliged to undergo an annual audit.

HISTORY OF THE DEVELOPMENT OF THE STANDARD

1.0 is the initial version of the standard.

1.1 - adopted in September 2006.

1.2 - adopted in October 2008.

2.0 - adopted in October 2010.

3.0 - adopted in November 2013.

3.1 - adopted in April 2015.

PCI DSS version 3.0

“The new version of PCI-DSS 3.0 will make the standard an organic part of normal business operations,” Bob Russo, chief executive officer of the Payment Card Industry Security Standards Council (PCI SSC), told eWeek. “We want to try to wean people off the idea that PCI-DSS can be dealt with once a year and then not think about it. In real situations, gaps often arise.”

PCI-DSS was often seen only as a basis for checking a company for regulatory compliance: tick the box that everything is in order at this moment and calmly move on to other matters. Bob Russo emphasized that the new PCI-DSS 3.0 standard places an emphasis on training and policy, making payment security a daily concern and part of an ongoing routine. The bottom line is that the standard will help provide more consistent, process-oriented control, which is especially important for large organizations. It also reinforces the emphasis on ongoing accountability rather than just occasional PCI-DSS audits.

One of the criticisms of the PCI-DSS standard is the lack of clarity in its provisions. For example, the standard might require an organization to deploy a Web Application Firewall (WAF) without detailing the required firewall configuration or even explaining why it is needed. This criticism was expressed clearly and forcefully by PCI SSC members, and necessitated the development of a new and improved standard.

In previous versions of the standard, there were always two columns explaining a particular security control requirement. The first column stated the requirement, and the second gave details of the testing procedure. In the PCI-DSS 3.0 standard there is a third column, which Leach says will contain real-life examples of the risks that the security control aims to mitigate.

So, in the case of a WAF, the new standard will explain what this technology can do and what types of risks it helps mitigate.

One of the important changes in the PCI-DSS 3.0 standard relates to the use of passwords. Over the past three years, the PCI SSC has conducted a number of studies on password strength that have helped formulate the new requirements.

One of the PCI-DSS 3.0 requirements that retailers will need to meet is timely detection of malicious code. Regulation 5.1.2 has been added to ensure that any person processing payment card data has a robust risk management process in place in this area.

PCI-DSS 3.0 continually emphasizes the need for flexibility in security management, which must be achieved in a variety of continually evolving ways.

PCI DSS version 2.0

On October 28, 2010, a new version of the PCI DSS standard was released, namely version 2.0. The changes to the document regulating the industry can hardly be called radical; they are mainly clarifications and refinements. In addition, some audit procedures have been regrouped to make them easier to understand and perform during an audit.

Although version 2.0 of the standard came into force on January 1, 2011, payment card industry participants can use the previous version until the end of 2011. This initiative of the PCI SSC Council allows a gradual transition to the new version. Subsequent versions will be produced by the PCI SSC on a three-year life cycle.

PCI DSS requirements

PCI DSS defines the following six control areas and 12 core security requirements.


Construction and maintenance of a secure network

  • Requirement 1: Install and maintain firewalls to protect cardholder data.
  • Requirement 2: Do not use system passwords and other security settings set by default by manufacturers.

Protecting cardholder data

  • Requirement 3: Ensure that cardholder data is protected during storage.
  • Requirement 4: Ensure that cardholder data is encrypted when transmitted over public networks.

Vulnerability management program support

  • Requirement 5: Use and regularly update antivirus software.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement strict access control measures

  • Requirement 7: Limit access to cardholder data to a business need.
  • Requirement 8: Assign a unique identifier to each person with access to the information infrastructure.
  • Requirement 9: Limit physical access to cardholder data.

Regular network monitoring and testing

  • Requirement 10: Control and tracking of all access sessions to network resources and cardholder data.
  • Requirement 11: Regular testing of security systems and processes.

Information security policy support

  • Requirement 12: Development, maintenance and execution of an information security policy.

Despite all the openness of the standards, many people still have questions. We will try to answer some of them below.

1. Who is covered by PCI DSS?

First of all, the standard defines requirements for organizations in whose information infrastructure payment card data is stored, processed or transmitted, as well as for organizations that may influence the security of this data. The purpose of the standard is quite obvious: to ensure the security of payment cards. Since mid-2012, all organizations involved in storing, processing and transferring payment card data must comply with the PCI DSS requirements, and companies in the Russian Federation are no exception. To understand whether your organization is subject to mandatory compliance with the PCI DSS standard, we suggest using a simple flowchart.

The first step is to answer two questions:

  • Is payment card data stored, processed or transmitted within your organization?
  • Can your organization's business processes directly impact the security of payment card data?

If the answers to both of these questions are negative, PCI DSS certification is not needed. If at least one answer is positive, as can be seen in Figure 1, compliance with the standard is necessary.

2. What are the PCI DSS requirements?

Compliance with the standard requires fulfillment of the requirements, which are summarized in twelve sections shown in the table below:


If we go a little deeper, the standard requires passing about 440 verification procedures, which should give a positive result when checking for compliance with the requirements.

3. How can I demonstrate compliance with the PCI DSS standard?

There are various ways to confirm compliance with the requirements of the PCI DSS standard: an external audit (QSA), an internal audit (ISA) or a self-assessment questionnaire (SAQ) completed by the organization itself.

The features of each of them are illustrated in the table.


Despite the apparent simplicity of the presented methods, clients often encounter misunderstandings and difficulties when choosing the appropriate method. An example of this is the emerging questions below.

4. In what situation is it necessary to conduct an external audit, and in which - an internal one? Or is it enough to limit ourselves to the organization’s self-assessment?

The answers to these questions depend on the type of organization and the number of transactions processed per year. It cannot be a random choice, because there are documented rules governing which method an organization will use to demonstrate compliance with the standard. All these requirements are established by the international payment systems, the most popular of which in Russia are Visa and MasterCard. There is even a classification according to which two types of organizations are distinguished: trade and service enterprises (merchants) and service providers.

A trade and service enterprise is an organization that accepts payment cards for payment for goods and services (shops, restaurants, online stores, gas stations, etc.).

Depending on the number of transactions processed per year, merchants and service providers may be classified into different tiers.

Let's say a trade and service enterprise processes up to 1 million transactions per year using e-commerce. According to the Visa and MasterCard classification (Fig. 2), the organization will belong to level 3. Therefore, to confirm PCI DSS compliance it must conduct a quarterly external ASV (Approved Scanning Vendor) vulnerability scan of its information infrastructure components and an annual SAQ self-assessment. In this case the organization does not need to collect evidence of compliance, since this is not required for that level. The reporting document will be the completed SAQ self-assessment sheet.

ASV scanning (Approved Scanning Vendor) is an automated check of all points at which the information infrastructure connects to the Internet, performed in order to identify vulnerabilities. According to the requirements of the PCI DSS standard, this procedure must be performed quarterly.

Or consider the example of a cloud service provider that processes more than 300 thousand transactions per year. According to the established Visa or MasterCard classification, the service provider will be classified as level 1. This means, as indicated in Figure 2, that it must conduct a quarterly external ASV vulnerability scan of its information infrastructure components, as well as an annual external QSA audit.

It is worth noting that the bank involved in accepting payment cards for goods or services (the so-called acquiring bank), as well as the international payment systems (IPS), can redefine the level of a merchant connected to them or of a service provider they use, according to their own risk assessment. The assigned level takes precedence over the classification of the international payment system shown in Figure 2.

The Payment Card Industry Data Security Standard (PCI DSS) describes information security requirements and is applicable to all organizations that process, store and transmit data of Visa, MasterCard, JCB, Discover and American Express cardholders. Such organizations include banks, retail stores, e-commerce systems, payment solution providers, data centers and others.

The certification scheme for an organization under the PCI DSS standard depends on its role in the payment process and the amount of cardholder data processed. As an example, consider the certification of service providers, which include banks, payment gateways and data centers. If the volume of processed card data exceeds 300,000 transactions per year, such organizations must undergo an annual QSA certification audit and an automated ASV scan for network vulnerabilities. For fewer transactions, it is enough to complete a Self-Assessment Questionnaire (SAQ) and perform an ASV scan.

However, regardless of the method of confirming compliance, the requirements of the standard must be met in full in the network segment allocated for the payment infrastructure. To solve this problem, we offer a specialized set of consulting services, united by the goal of implementing PCI DSS in an organization and its subsequent certification according to this standard.


PCI DSS (Payment Card Industry Data Security Standard) is a document that describes the rules for ensuring the security of information about payment card holders during its processing, transmission or storage.

The PCI DSS standard was developed by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC was founded by leading international payment systems - Visa, MasterCard, American Express, JCB, Discover. PCI SSC publishes information about its activities on its website.

The requirements of the PCI DSS standard apply to organizations that process information about payment card holders. If an organization stores, processes or transmits information about at least one card transaction or payment card holder during the year, then it must comply with the requirements of the PCI DSS standard. Examples of such organizations are trade and service enterprises (retail stores and e-commerce services), as well as service providers involved in the processing, storage and transmission of card information (processing centers, payment gateways, call centers, backup media storage facilities, organizations involved in card personalization, etc.).

By bringing your information infrastructure into compliance with PCI DSS requirements, you will increase the level of security of your card data processing environment. By doing so, you will reduce the risk of financial losses from information security incidents and comply with the requirement of international payment systems to comply with this standard.

The main goal of compliance with the requirements of the PCI DSS standard is to increase the level of security of the information infrastructure, which is precisely why the standard was developed. From this we can conclude that the standard will be useful to everyone who thinks about the security of their information.

The PCI DSS standard contains detailed information security requirements, divided into 12 thematic sections:

  • use of firewalls;
  • rules for setting up equipment;
  • protection of stored data about payment card owners;
  • use of cryptographic means of protection when transmitting data;
  • use of antivirus software;
  • secure development and support of applications and systems;
  • managing user access to data;
  • account management;
  • ensuring physical security;
  • data security monitoring;
  • regular testing of systems;
  • development and support of information security policy.

The PCI DSS standard does not contain requirements for the use of specific technical solutions, hardware models and software versions. PCI DSS sets requirements for the organization of information security processes, the functionality of information security tools, their configuration and application settings.

You can download the current version 1.2 of the PCI DSS standard.

All PCI DSS requirements are mandatory. Some requirements may not apply to your organization due to the lack of certain components of the information infrastructure, for example, if you do not use wireless networks, then your company is not subject to wireless network security requirements. If you are unable to meet a particular requirement of a standard due to limitations imposed by law, business processes, or technology, you can use compensating measures. The basic rule for selecting compensating measures is that the compensating measure must reduce the same risk as the requirement of the standard that cannot be met due to limitations.

The requirements of the PCI DSS standard apply to systems used to process, store and transmit data about payment card holders, as well as to systems that have a network connection with them (that is, systems whose connections to them are not protected by a firewall).
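The scoping rule just stated (cardholder-data systems are in scope, and so is anything reachable from them over a connection that is not protected by a firewall) can be applied mechanically to a network inventory. The example below is added here and is not code from the page or from any PCI SSC material; the hosts, links and firewall flags are constructed sample data, and the function names are this example's own. It walks unfiltered links outward from the cardholder-data systems, so a flat network pulls unrelated hosts into scope while a firewalled link stops the walk.

```python
"""Added example: deriving the PCI DSS scope from a network inventory.
Rule (from the page): systems that store, process or transmit cardholder
data (CHD) are in scope, and so is any system with a network connection to
them that is not protected by a firewall. All data below is constructed."""
from collections import deque

# Constructed inventory: host -> does it store/process/transmit CHD?
HOSTS = {
    "pos-terminal": True,
    "payment-gw": True,
    "card-db": True,
    "web-front": False,
    "hr-server": False,
    "dev-laptop": False,
    "mail-server": False,
}

# Constructed connectivity: (host_a, host_b, filtered_by_firewall)
LINKS = [
    ("pos-terminal", "payment-gw", False),
    ("payment-gw", "card-db", False),
    ("payment-gw", "web-front", True),   # firewall between DMZ and payment zone
    ("web-front", "mail-server", False),
    ("card-db", "hr-server", False),     # flat network: segmentation gap
    ("hr-server", "dev-laptop", False),
]


def pci_scope(hosts, links):
    """Return (in_scope_set, reason_by_host).

    Start from the CHD systems and follow every link that is NOT protected
    by a firewall; a firewalled link ends the walk, which is exactly the
    segmentation rule the page describes."""
    unfiltered = {}
    for a, b, filtered in links:
        if not filtered:
            unfiltered.setdefault(a, set()).add(b)
            unfiltered.setdefault(b, set()).add(a)

    reason = {h: "handles cardholder data" for h, chd in hosts.items() if chd}
    queue = deque(reason)
    while queue:
        h = queue.popleft()
        for neighbour in sorted(unfiltered.get(h, ())):
            if neighbour not in reason:
                reason[neighbour] = f"unfiltered connection to {h}"
                queue.append(neighbour)
    return set(reason), reason


def out_of_scope(hosts, links):
    """Hosts that stay out of scope thanks to firewall segmentation."""
    in_scope, _ = pci_scope(hosts, links)
    return set(hosts) - in_scope


if __name__ == "__main__":
    in_scope, why = pci_scope(HOSTS, LINKS)
    for host in sorted(in_scope):
        print(f"IN SCOPE      {host:14} ({why[host]})")
    for host in sorted(out_of_scope(HOSTS, LINKS)):
        print(f"out of scope  {host}")
```

Running it shows hr-server and dev-laptop in scope purely because card-db sits on the same unsegmented network, while web-front and mail-server stay out because the only path to them crosses a firewall; inserting a firewall on the card-db/hr-server link is the cheapest way to shrink the audit scope in this inventory.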

Yes, individual ATM subsystems involved in the processing, storage and transmission of data about payment card holders are included in the scope of the PCI DSS standard.

As the PCI DSS standard evolves, the PCI SSC amends the text and publishes new versions of the document on the website www.pcisecuritystandards.org. From October 1, 2008 to the present, version 1.2 of the PCI DSS standard is current.

According to the programs for checking compliance with PCI DSS requirements established by international payment systems, a number of organizations are required to undergo an annual audit. Compliance testing programs differ for merchants and service providers.

Merchants conducting more than six million card transactions per year must undergo an annual audit. As for service providers, the international payment system Visa requires an annual audit of all processing centers and service providers processing more than 300,000 transactions per year, while MasterCard requires it of all processing centers and service providers processing more than one million transactions per year. You can find a detailed description of PCI DSS compliance verification procedures.

Companies with QSA (Qualified Security Assessor) status are entitled to conduct audits for compliance with the PCI DSS standard. The official list of companies with this status is available on the PCI SSC website. A company with QSA status must employ certified QSA auditors.

The timing of the audit depends on the size of the scope of the PCI DSS standard, as well as on the characteristics of the company's infrastructure. On average, an audit at a company site lasts three days.

Based on the results of the audit of the compliance of your information infrastructure with the requirements of the standard, the QSA auditor will prepare a Report on Compliance containing detailed information on the implementation of each of the PCI DSS requirements. The audit results will provide insight into where resources should be directed first to improve the security of the payment card processing environment.

According to the requirements of international payment systems, if inconsistencies in the information infrastructure are identified with the requirements of the PCI DSS standard, you need to prepare an Action Plan to eliminate them. The recommendations of the QSA auditor who performed the compliance review will assist in the preparation of the Action Plan.

International payment systems provide for the imposition of penalties on organizations that are required to undergo an annual external audit of PCI DSS compliance, but do not pass it.

In this case, in order to comply with the requirement of international payment systems to undergo an annual external audit, the security policy will have to be changed, which, according to PCI DSS, must take into account all the requirements of the standard.

A certificate of compliance is issued after an audit, if the company's payment infrastructure fully complies with the requirements of the PCI DSS standard.

Conducting external and internal penetration tests is regulated by requirement 11.3 of the PCI DSS standard. A penetration test must be performed annually and also after significant changes have been made to a company's payment infrastructure. A penetration attempt carried out by a specialist who exploits a set of vulnerabilities according to a given attacker model clearly demonstrates the level of security of the payment environment. Please note that a penetration test performed by a specialist has nothing in common with an automated scan.

Quarterly scanning of the external perimeter of a company's payment infrastructure, performed by an approved scanning vendor (ASV), is a mandatory part of PCI DSS compliance procedures. You can find a detailed description of PCI DSS compliance verification procedures.

If you haven't found the answer to your question, don't despair. Send it to us and we will gladly try to answer it as soon as possible.


Recently, Visa and MasterCard have increasingly required PCI DSS compliance from payment gateways, from the merchants connected to them, and from service providers that may affect the security of card data. As a result, PCI DSS compliance has become important not only for major players in the payment card industry, but also for small trade and service enterprises. In this article, we will answer the main questions that concern organizations faced with the task of PCI DSS certification.


PCI DSS FAQ for those interested in certification


# Who is covered by PCI DSS?

First of all, the standard defines requirements for organizations in whose information infrastructure payment card data is stored, processed or transmitted, as well as for organizations that can influence the security of this data. The purpose of the standard is quite obvious: to ensure the security of payment cards. Since mid-2012, all organizations involved in storing, processing and transferring payment card data must comply with PCI DSS requirements, and companies in the Russian Federation are no exception.

To understand whether your organization is subject to mandatory PCI DSS compliance, we suggest using a simple flowchart.

Figure 1. Determining whether you need PCI DSS compliance


The first step is to answer two questions:
  • Is payment card data stored, processed or transmitted within your organization?
  • Can your organization's business processes directly impact the security of payment card data?
If the answers to both of these questions are negative, there is no need to become PCI DSS certified. In the case of at least one positive answer, as can be seen in Figure 1, compliance with the standard is necessary.

# What are the PCI DSS requirements?

To comply with the standard, requirements must be met, which are summarized in the twelve sections shown in the table below.

Table 1. Top-level requirements of the PCI DSS standard

If we go a little deeper, the standard requires passing about 440 verification procedures, which should give a positive result when checking for compliance with the requirements.

# How can you confirm compliance with the PCI DSS standard?

There are various ways to confirm compliance with PCI DSS requirements, which include: external audit (QSA), internal audit (ISA) or self-assessment (SAQ) of the organization. The features of each of them are illustrated in the table.


Table 2. Methods for confirming compliance with the PCI DSS standard


External audit, QSA (Qualified Security Assessor)
  • Performed by an external audit organization with QSA status, certified by the PCI SSC Council.
  • As a result of the check, the QSA auditors collect evidence of implementation of the requirements of the standard and retain it for three years.
  • Based on the results of the audit, a Report on Compliance (ROC) is prepared.

Internal audit, ISA (Internal Security Assessor)
  • Performed by an internal auditor trained and certified under the PCI SSC Council program.
  • Can only be carried out if primary compliance has been confirmed by a QSA audit.
  • As with an external audit, the ISA auditors collect evidence of implementation of the requirements of the standard and retain it for three years.
  • Based on the results of the audit, a Report on Compliance (ROC) is prepared.

Self-assessment, SAQ (Self-Assessment Questionnaire)
  • Performed by the organization itself by filling out a self-assessment sheet.
  • Collection of evidence of meeting the requirements of the standard is not required.
  • The result is the completed SAQ self-assessment sheet.

Despite the apparent simplicity of the presented methods, clients often encounter misunderstandings and difficulties when choosing the appropriate method. An example of this is the emerging questions below.

# In what situation is it necessary to conduct an external audit, and in what situation an internal one? Or is it enough to limit ourselves to the organization’s self-assessment?

The answers to these questions depend on the type of organization and the number of transactions processed per year. It cannot be a random choice because there are documented rules governing which method an organization will use to demonstrate compliance with a standard. All these requirements are established by international payment systems, the most popular of which in Russia are Visa and MasterCard. There is even a classification according to which two types of organizations are distinguished: trade and service enterprises (merchants) and service providers.

Depending on the number of transactions processed per year, merchants and service providers may be classified into different tiers.

Let's say a trade and service enterprise processes up to 1 million transactions per year using e-commerce. According to the classification of Visa and MasterCard (Fig. 2), the organization will belong to level 3. Therefore, to confirm compliance with PCI DSS, it is necessary to conduct a quarterly external scan of the vulnerabilities of information infrastructure components ASV (Approved Scanning Vendor) and an annual self-assessment SAQ. In this case, the organization does not need to collect evidence of compliance, since this is not necessary for the current level. The reporting document will be the completed SAQ self-assessment sheet.

Or consider the example of a cloud service provider that processes more than 300 thousand transactions per year. According to the established Visa or MasterCard classification, the service provider will be classified as level 1. This means, as indicated in Figure 2, that it must conduct a quarterly external ASV vulnerability scan of its information infrastructure components, as well as an annual external QSA audit.

Figure 2. Classification of levels and requirements for confirming compliance with the PCI DSS standard

# Does a one-time violation of ASV scan deadlines pose a serious risk from a PCI DSS compliance perspective?

An organization that has obtained PCI DSS status must regularly meet certain requirements, such as conducting quarterly ASV scans. During the initial audit, it is enough to have a documented ASV scanning procedure and the results of at least one successful execution over the last three months. All subsequent scans must be quarterly: the interval between them must not exceed three months.

Violation of the schedule for external vulnerability scanning entails additional requirements on the organization's information security management system. Firstly, it will still be necessary to conduct an ASV vulnerability scan and achieve a “green” (passing) report. Secondly, it will be necessary to develop an additional procedure that prevents such schedule violations in the future.
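The cadence rules above (a passing scan within the three months before the initial audit, then no more than three months between consecutive passing scans) are easy to lose track of when scan reports live in a vendor portal. The checker below is an added example, not code from the page or from any ASV; the scan dates and pass/fail results are constructed, and the three-month arithmetic is this example's own interpretation of "quarterly" (same day of the month, three months later, clamped to month end).

```python
"""Added example: checking ASV scan history against the PCI DSS cadence
described on the page. Only passing ("green") scans count toward the
schedule, because a failed scan does not satisfy the requirement.
All dates and results below are constructed."""
import calendar
from datetime import date


def add_months(d, n):
    """Shift a date by n months (negative allowed), clamping to month end."""
    m = d.month - 1 + n
    year = d.year + m // 12
    month = m % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_asv_cadence(scans, audit_date, check_date):
    """Return a list of findings (empty list = schedule is compliant).

    scans:      iterable of (date, passed) tuples, any order
    audit_date: date of the initial QSA audit / certification
    check_date: 'today', used to flag an overdue scan"""
    passing = sorted(d for d, passed in scans if passed)
    findings = []

    # Initial audit: at least one passing scan in the preceding three months.
    window_start = add_months(audit_date, -3)
    baseline = [d for d in passing if window_start <= d <= audit_date]
    if not baseline:
        findings.append(
            f"no passing ASV scan between {window_start} and audit date {audit_date}")
        after_audit = [d for d in passing if d > audit_date]
    else:
        # The last passing pre-audit scan starts the quarterly clock.
        after_audit = [baseline[-1]] + [d for d in passing if d > audit_date]

    # Each following passing scan must land within three months of the previous one.
    for prev, nxt in zip(after_audit, after_audit[1:]):
        deadline = add_months(prev, 3)
        if nxt > deadline:
            findings.append(
                f"gap: passing scan on {prev} not followed by a passing scan "
                f"until {nxt} (deadline was {deadline})")

    # And the most recent passing scan must not already be stale today.
    if after_audit:
        deadline = add_months(after_audit[-1], 3)
        if check_date > deadline:
            findings.append(
                f"overdue: last passing scan on {after_audit[-1]}, "
                f"deadline {deadline}, today {check_date}")
    return findings


# Constructed history: one failed scan in October, then a late rescan in November.
SAMPLE_SCANS = [
    (date(2015, 4, 10), True),
    (date(2015, 7, 5), True),
    (date(2015, 10, 1), False),   # failed ("red") report: does not count
    (date(2015, 11, 20), True),   # late: more than 3 months after 2015-07-05
    (date(2016, 2, 10), True),
]
AUDIT_DATE = date(2015, 6, 15)
CHECK_DATE = date(2016, 3, 1)

if __name__ == "__main__":
    for finding in check_asv_cadence(SAMPLE_SCANS, AUDIT_DATE, CHECK_DATE) or ["compliant"]:
        print(finding)
```

The sample history yields exactly one finding, the July-to-November gap, which is the situation the answer above describes: the organization still has to obtain a green report and must add a procedure (a calendar reminder tied to the last passing scan's deadline is the simplest) so the lapse does not recur.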

Finally

The main conclusions can be expressed in a quote from Peter Shapovalov, information security engineer at Deuterium LLC:

“Despite the fact that the Russian Federation has its own National Payment Card System (NSCP), the requirements of the international payment systems have not been abolished. On the contrary, recently there have been more frequent letters from Visa and MasterCard to acquiring banks demanding that the latter require PCI DSS compliance from payment gateways, from the merchants connected to them, and from service providers that may influence the security of card data. In this regard, the issue of PCI DSS compliance becomes important not only for large players in the payment card industry, but also for small merchant and service enterprises.

A service that is now relevant for the Russian market is managed services. It consists in the service provider providing clients not only with rented equipment or virtual information infrastructure, but also with services for its administration in accordance with the requirements of the PCI DSS standard. This is especially useful for small trade and service enterprises that do not have their own information technology and information security departments. Turning to certified service providers helps to significantly simplify the PCI DSS certification process for merchants and ensure the protection of payment card data at the proper level.”


As an example of a company providing managed PCI DSS services (not only rental of PCI DSS infrastructure, but also its administration in accordance with the requirements of the standard), we can cite

About the standard

PCI DSS (Payment Card Industry Data Security Standard) is a payment card industry data security standard developed by the Payment Card Industry Security Standards Council (PCI SSC), which was established by Visa, MasterCard, American Express, JCB and Discover.

The requirements of the standard apply to all companies working with international payment systems: banks, trade and service enterprises, technology service providers and other organizations whose activities are related to the processing, transmission and storage of data about payment card holders.

PCI DSS - Comprehensive Security Guide

The PCI DSS standard puts forward requirements for the security of infrastructure components in which information about payment cards is transmitted, processed or stored. Checking the payment infrastructure for compliance with these requirements reveals reasons that significantly reduce its level of security. Penetration tests, which are included in the list of mandatory activities regulated by the PCI DSS standard, show the real level of security of a company’s information resources both from the position of an attacker located outside the perimeter being studied, and from the position of a company employee who has access “from within.”

The PCI DSS Council has formulated the key requirements for organizing data protection in the document “Payment Card Industry Data Security Standard (PCI DSS). Requirements and Security Assessment Procedures. Version 3.0”. These requirements are grouped in such a way as to simplify the security audit procedure.

Download PCI DSS in Russian.

PCI DSS Security Assessment Requirements and Procedures

Build and maintain secure networks and systems

  • Requirement 1: “Establish and maintain firewall configurations to protect cardholder data.”
  • Requirement 2: “Do not use system passwords and other security settings set by the manufacturer by default.”

Protect cardholder data

  • Requirement 3: “Protect stored cardholder data.”
  • Requirement 4: “Encrypt cardholder data when transmitted over public networks.”

Maintain a vulnerability management program

  • Requirement 5: “Protect all systems from malware and regularly update antivirus software.”
  • Requirement 6: “Develop and maintain secure systems and applications.”

Implement strict access control measures

  • Requirement 7: “Limit access to cardholder data in accordance with business needs.”
  • Requirement 8: “Identify and authenticate access to system components.”
  • Requirement 9: “Limit physical access to cardholder data.”

Carry out regular monitoring and testing of networks

  • Requirement 10: “Track and monitor all access to network resources and cardholder data.”
  • Requirement 11: “Test security systems and processes regularly.”

Maintain information security policy

  • Requirement 12: “Maintain an information security policy for all employees.”
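The twelve requirements are listed several times on this page without showing what a single control looks like in code. The example below is added here and is not code from the page or from the PCI SSC; it illustrates one control behind Requirement 3 (protect stored cardholder data) and Requirement 10 (logging): finding primary account numbers (PANs) that have leaked into application logs, confirming them with the Luhn check so that ordinary numbers such as order ids are left alone, and masking them to the first six and last four digits (the most that PCI DSS 3.0 permits to be displayed). The log lines are constructed, and the regular expression, function names and masking character are this example's own choices.

```python
"""Added example: detecting and masking PANs in log text (Requirement 3:
protect stored cardholder data; Requirement 10: logs must not become an
unprotected store of card numbers). Sample log lines are constructed;
the card numbers are the well-known Visa/MasterCard test numbers."""
import re

# Candidate PAN: a plain run of 13-19 digits, or the common 4-4-4-4 grouping
# separated by spaces or dashes. Word boundaries stop partial matches inside
# longer digit runs.
PAN_CANDIDATE = re.compile(r"\b(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})\b")


def luhn_valid(digits):
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits, mask everything in between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text):
    """Return (redacted_text, number_of_pans_masked) for one line of text."""
    count = 0

    def replace(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # e.g. an order id: leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, text), count


def redact_log(lines):
    """Redact a whole log; returns (cleaned_lines, total_pans_masked)."""
    cleaned, total = [], 0
    for line in lines:
        out, n = redact_pans(line)
        cleaned.append(out)
        total += n
    return cleaned, total


# Constructed sample log: two real-format test PANs, two non-PAN numeric ids,
# and one 16-digit number that fails the Luhn check.
SAMPLE_LOG = [
    "2015-06-01 12:00:01 INFO  order=100234567890123 card=4111111111111111 amount=19.99",
    "2015-06-01 12:00:02 INFO  card=5500 0000 0000 0004 status=approved",
    "2015-06-01 12:00:03 WARN  retry id=1234567890123 card=4111111111111112",
]

if __name__ == "__main__":
    cleaned, total = redact_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{total} PAN(s) masked")
```

The Luhn check matters in practice: without it, a redactor either masks order numbers and timestamps (breaking the log for incident response) or is tuned so loosely that it misses grouped card numbers. The better fix under Requirement 3 is to stop writing the PAN at all; this redaction is the detective control that shows where that is still happening.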

“Prospective Monitoring” helps banks, trade and service enterprises, and developers of financial services prepare for an audit for compliance with PCI DSS and provides expert support in meeting the requirements of the standard.