PCI DSS Requirement 1
Install and maintain a firewall configuration to protect cardholder data
PCI DSS Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS Requirement 3
Protect stored cardholder data by enacting a formal data retention policy and implement secure deletion methods
PCI DSS Requirement 4
Protect cardholder data during transmission over the internet, wireless networks, or other open access networks or systems (GSM, GPRS, etc.)
PCI DSS Requirement 5
Use and regularly update anti-virus software or programs
PCI DSS Requirement 6
Develop and maintain secure systems and applications
PCI DSS Requirement 7
Restrict access to cardholder data by business need to know
PCI DSS Requirement 8
Assign a unique ID to each person with computer access
PCI DSS Requirement 9
Restrict physical access to cardholder data
PCI DSS Requirement 10
Track and monitor all access to network resources and cardholder data
PCI DSS Requirement 11
Regularly test security systems and processes with wireless scans, vulnerability scans, log audits, and ASV (Approved Scanning Vendor) scans
PCI DSS Requirement 12
Maintain a policy that addresses information security for all personnel
ASV (Approved Scanning Vendor)
Company approved by the PCI SSC to conduct external vulnerability scanning services.
PCI Data Security Standards (PCI DSS)
Covers the security of the environments that store, process or transmit account data.
Environments receive account data from payment applications and other sources (e.g. acquirers)
PCI Payment Application Data Security Standards (PCI PA-DSS)
Covers secure payment applications to support PCI DSS compliance.
Applies to third-party payment applications if the application performs authorization and/or settlement (POS, shopping carts, etc.)
Ensures a payment application can function in a PCI DSS compliant manner
PA-DSS applications are in scope for PCI DSS
Payment application receives account data from PIN Entry Devices (PED) or other devices and begins payment transaction
PCI PIN Transaction Security (PCI PTS)
Covers device tamper detection, cryptographic processes and other mechanisms to protect the Personal Identification Number (PIN).
Encrypted PIN is passed to payment application or hardware terminal.
PCI-PTS - PIN Security
Covers secure management, processing and transmission of personal identification number data during online and offline payment card transaction processing
PCI-PTS - HSM (Hardware Security Module or Host Security Module)
A physically and logically protected hardware device that provides a secure set of cryptographic services, used for cryptographic key-management functions and/or the decryption of account data. Not required by DSS, but may help with the management of keys.
PCI Point to Point Encryption (PCI P2PE)
Covers encryption, decryption and key management within secure cryptographic devices (SCDs). Not a requirement, but may result in a reduction of scope.
Secure Cryptographic Device (SCD)
A set of hardware, software and firmware that implements cryptographic processes (including cryptographic algorithms and key generation) and is contained within a defined cryptographic boundary. Examples of secure cryptographic devices include host/hardware security modules (HSMs) and point-of-interaction devices (POIs) that have been validated to PCI PTS.
POI - Point of Interaction
The initial point where data is read from a card. An electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a cardholder to perform a card transaction. The POI may be attended or unattended. POI transactions are typically integrated circuit (chip) and/or magnetic-stripe card-based payment transactions.
PCI Card Production
Covers physical and logical security requirements for systems and business processes associated with card personalization, PIN generation, PIN mailers, and card carriers and distribution.
CDE - Cardholder Data Environment
The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
Relationship between PTS and PCI DSS
DSS prevents the storage of encrypted PIN blocks. PTS supports the PIN encryption, so there is no overlap.
Relationship between PCI DSS and PA-DSS
Payment applications must support and not hinder PCI DSS compliance
PCI DSS requirements mirrored in many payment application requirements in PA-DSS
Relationship between PCI DSS and P2PE
Incorporates requirements from PIN Transaction Security, PCI DSS, PA-DSS and PCI PIN to protect CHD from the point of capture until it reaches the payment processor.
Properly implemented, validated P2PE solutions may help reduce the scope of a merchant's PCI DSS assessment.
Payment Processor
Entity engaged by a merchant or other entity to handle payment card transactions on their behalf. While they typically provide acquiring services, payment processors are not considered acquirers unless defined as such by a payment card brand.
CHD - Card Holder Data
At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
PA-DSS applies to third-party payment applications
if the application performs authorization and/or settlement (POS, shopping carts, etc.)
PA-DSS ensures a payment application functions
in a PCI DSS compliant manner by supporting the compliance of those that use the application.
True or False: Use of a PA-DSS application alone does not guarantee PCI DSS compliance.
True
Assessor must validate that the payment application is installed
per the instructions in the PA-DSS Implementation Guide provided by the payment application vendor, and in a PCI DSS compliant manner.