PA-DSS
Payment Application Data Security Standard (POS, shopping carts, etc.)
PTS (POI)
PIN Transaction Security Point of Interaction Standard (Attended and Unattended Devices)
HSM (PIN)
Hardware Security Module PIN Standard (not required, but may assist in becoming compliant)
P2PE
Point to Point Encryption Standard (Most helpful standard to reduce scope)
SRED
Secure Read and Exchange Module allows terminals to be approved for secure encryption of cardholder data.
POI Examples
Attended : Cash Registers
Unattended Encrypted PIN Pads : ATM
Unattended Payment Terminals : Gas Pump
PCI PIN Security Requirements
Management
Processing
Transmission
Payment Card Flow
Cardholder presents card -> Acquirer asks payment brand to determine issuer -> Payment brand network determines issuer and requests approval -> Issuer approves purchase -> Payment brand network sends approval to the acquirer -> Acquirer sends approval to merchant -> Cardholder completes purchase and receives receipt.
Acquirer (Also Called?)
-Merchant Bank
-Independent Sales Organization (ISO)
-Payment Brand (Amex, Discover, JCB)
-Never Visa or Mastercard
Payment Card Flow (Clearing)
Acquirer sends purchase information to the payment brand network -> payment brand network sends purchase information to the issuer -> issuer prepares data for cardholder statement -> payment brand network provides complete reconciliation to acquirer.
Payment Card Flow (Settlement)
Issuer determines acquirer via the payment brand network -> Issuer sends payment to acquirer -> Acquirer pays merchant for cardholder's purchase -> Issuer bills cardholder
Service Provider
A business, other than a payment brand, that is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. A service provider may also be a merchant.
QIRs
Qualified Integrators and Resellers
-Assure quality and provide feedback
What do QIRs do?
-Implementing applications into a merchant environment
-Integrating applications into new software or systems.
-Configuring the payment application
-Servicing payment applications to provide troubleshooting/remote updates or support.
PA-DSS Implementation Guide
-What the QIR uses in order to implement a PCI DSS compliant payment application into a cardholder data environment (CDE).
-After installation the QIR creates an implementation statement and gives it to the customer for their signature.
CID
Card Identification Number (American Express)
CAV2/CID/CVC2/CVV2
Card-specific code on the back of the card (Discover, JCB, Mastercard, Visa)
Cardholder Data
-PAN
-Cardholder Name
-Expiration Date
-Service Code
Sensitive Authentication Data
-Full magnetic stripe data or chip data
-CAV2/CVC2/CVV2/CID
-PINs/PIN blocks
-Cannot be stored after authorization
Track 1 Data
Contains all fields of both Track 1 and Track 2
-Length up to 79 characters.
Track 2 Data
Provides shorter processing time for older dial-up transmissions.
-Length up to 40 characters
Inventorying Cardholder Environment
-System Name
-Cardholder data stored
-Reason for storage
-Retention period
-Protection mechanism.
Is storing track data permitted after authorization?
No
PCI DSS Goals
-Build and maintain a secure network and systems
-Protect Cardholder Data
-Maintain a vulnerability management program
-Implement strong access control measures
-Regularly monitor and test networks
-Maintain an information security policy.
Requirement 1
Install and maintain a firewall configuration to protect cardholder data.
Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3
Protect stored cardholder data. (Hashing, truncation, tokenization, and encryption)
Requirement 4
Encrypt transmission of cardholder data across open, public networks.
Requirement 5
Protect all systems against malware and regularly update anti-virus software or programs.
Requirement 6
Develop and maintain secure systems and applications. (Coding, patching)
Requirement 7
Restrict access to cardholder data by business need to know.
Requirement 8
Identify and authenticate access to system components. (Access control)
Requirement 9
Restrict physical access to cardholder data.
Requirement 10
Track and monitor all access to network resources and cardholder data. (Logs/Changes)
Requirement 11
Regularly test security systems and processes. (Vuln. Scans, PenTests, Network Scans)
Requirement 12
Maintain a policy that addresses information security for all personnel.
Masking
The first six and last four digits of the PAN are the only digits viewable.
Storing track data "long-term" or "persistently" is permitted when ____________?
It is being used by issuers.
Requirement A1
Shared hosting providers must protect the cardholder data environment.
Requirement A2
SSL and Early TLS implementations.