Payment Card Industry
Data Security Standards
(PCI DSS)
for Merchants
Objectives
After completing this training, the merchant will be able to:
● Understand the purpose and requirements of PCI DSS
● Consider the consequences of PCI DSS non-compliance and how to avoid it
● Evaluate methods for protecting cardholder data
Training Outline
● Part 1: Introduction to PCI DSS
● Part 2: PCI DSS Non-Compliance
● Part 3: Protecting the Consumer
Scope: Who Needs This Training?
Merchants who provide products or services that involve the processing, storing, or transmission of account data.
Intro to PCI DSS
Key Compliance Players
PCI SSC - Payment Card Industry Security Standards Council
● Global industry standards body providing oversight on the ongoing development, enhancement, and implementation of the Payment Card Industry Data Security Standards (PCI DSS).
Payment Card Brands: Visa, Mastercard, American Express, Discover, JCB International
● All brands incorporate the PCI Data Security Standard into their data security compliance programs
● Participate in the tracking and enforcement of merchant compliance deadlines
PCI DSS: An Overview
● PCI DSS - Payment Card Industry Data Security Standard
○ Standards that globally govern all entities that store, process, or transmit cardholder data
○ Applicable to all merchants regardless of size/volume
○ Requires annual assessment (either SAQ - Self-Assessment Questionnaire, or by engaging a QSA - Qualified Security Assessor)
○ Comprised of 12 requirements with a total of 220 sub-requirements
○ Pass or fail, no partial compliance
○ Comprised of both technical and non-technical security controls
PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
PCI Merchant Levels and Validation Requirements
Level 1
Criteria: Merchants processing over 6 million transactions annually across all channels.
Requirements:
Annual:
● Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
● Submit an Attestation of Compliance (AOC)
Quarterly:
● Network scan by an Approved Scan Vendor (ASV)
Level 2
Criteria: 1 to 6 million transactions annually across all channels.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ) completed by a certified Internal Security Assessor (ISA), or engage a QSA for an Onsite Audit
● Submit an Attestation of Compliance (“AOC”) form.
Quarterly:
● Network scan by an Approved Scan Vendor (ASV)
Level 3
Criteria: 20,000 to 1 million e-commerce transactions annually.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ)
● Submit an Attestation of Compliance (“AOC”) form.
Quarterly:
● Quarterly network scan by an Approved Scan Vendor (ASV)
Level 4
Criteria: Merchants processing less than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
Requirements:
Annual:
● Self-Assessment Questionnaire (SAQ)
● Submit an Attestation of Compliance (“AOC”) form.
Quarterly:
● Quarterly network scan by an Approved Scan Vendor (ASV) (if applicable)
Knowledge Check
True or False?
Merchants can select which of the 12 PCI DSS requirements they feel best apply to their business to abide by?
Answer: False - Merchants must abide by all 12 requirements to be considered passing compliance - no partial compliance.
PCI DSS Non-Compliance
Consequences of Non-Compliance
● Account Data Breach
● Brand / Market Reputational Damage
● Fine Assessments
● Account closure and/or loss of privilege to offer payment card processing
Tools & Strategies to Avoid Non-Compliance
● Annual Security Assessment - includes an incident response plan in the event of a data breach
● Quarterly Network Scans (as applicable)
● Consult with industry professionals (acquirer, qualified security assessor, card brands, sponsor bank, vendors, etc.)
Knowledge Check
Practice Question
TRUE or FALSE:
Merchants can complete an annual security assessment to avoid non-compliance penalties?
Answer: True - Performing an annual security assessment will address requirements to avoid non-compliance penalties.
Protecting the Consumer
Best Practices for Protecting Data
● Encryption
● Tokenization
● Truncation and Masking
Encryption
● PCI requires all transmission of cardholder data over the Internet to be encrypted at all times.
● Not all encryption is created equal.
● If encryption keys are used, key management processes and policies must be followed.
● In payments, most processors and gateways use Hardware Security Modules to encrypt/decrypt data.
Tokenization
● Uses software and/or hardware to substitute the primary account number (PAN) with meaningless digits.
● Can be reversible or irreversible.
● Merchants and service providers never see the PAN.
● Does not reduce or eliminate PCI compliance scope, but does effectively limit the amount of cardholder data in the environment.
Truncation and Masking
● Truncation applies to storage of the PAN and renders portions of the PAN unreadable and unrecoverable.
● Masking is a technique to “mask” portions of the PAN before it is displayed or printed. The full PAN is still stored.
● Truncated PAN is NOT considered cardholder data.
● Masked PAN IS considered cardholder data, since the full PAN is still stored.
● Use truncation over masking whenever possible.
What is PII?
Personally Identifiable Information (PII) is any data that could potentially be used to identify a particular person.
● Full Name
● Social Security Number
● Driver’s License Number
● State Issued ID card number
● Bank account number
● Email address
● Credit Card number, Debit Card Number, Account number combined with a security code, access code, PIN or password.
Processing, Storing, and Sharing PCI & PII
● Must be encrypted when being transmitted over the public Internet.
● Storing CVV, PIN block, and service code is prohibited by PCI.
● Store only what is necessary for business operations.
● PII data protection laws vary from state to state.
● Make every effort to “de-value” data by using truncation and tokenization.
● Privacy policy dictates how, what, and with whom PII data is stored and shared.
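The three ways the deck says to “de-value” cardholder data (masking for display, truncation for storage, tokenization) and the rule that CVV, PIN block and service code are never stored, as an added Python example that is not part of the training material. The vault class, its HMAC key, the sample test PAN and the first-six/last-four truncation rule are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed: a well-known test PAN, not a real account
PROHIBITED_AFTER_AUTH = {"cvv", "pin_block", "service_code"}  # never stored after auth

def luhn_ok(pan: str) -> bool:
    """Checksum the PAN before it is masked, truncated or tokenized."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking: display form only. The full PAN still exists, so it stays in scope."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def truncate_pan(pan: str) -> str:
    """Truncation: the middle digits are discarded, so the PAN cannot be rebuilt."""
    return pan[:6] + pan[-4:]  # assumption: first six and last four retained

class TokenVault:
    """Hypothetical vault: the only place a reversible token maps back to a PAN."""
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._map = {}  # token -> PAN, never leaves the vault
    def reversible_token(self, pan: str) -> str:
        token = secrets.token_hex(8)  # random, derived from nothing in the PAN
        self._map[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._map[token]
    def irreversible_token(self, pan: str) -> str:
        # Keyed hash: stable for repeat-customer matching, no path back to the PAN
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

def storage_record(vault: TokenVault, auth_fields: dict) -> dict:
    """Keep only what a merchant needs after authorization: token + truncated PAN."""
    pan = auth_fields["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN failed checksum")
    record = {"token": vault.reversible_token(pan),
              "pan_truncated": truncate_pan(pan)}
    assert not PROHIBITED_AFTER_AUTH & set(record)  # CVV, PIN block, service code dropped
    return record
```

The stored record contains no full PAN and no prohibited authorization data; only the vault can turn the token back into a PAN, and the truncated value cannot be rebuilt at all.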
Knowledge Check
Practice Question
TRUE or FALSE:
Data can be sent over a public network unencrypted?
Answer: False - Data must be encrypted when transmitted over the public Internet.
Knowledge Check - Final Assessment
Question 1:
In PCI DSS an SAQ is a:
A. Single Account Quota
B. Self-Assessment Questionnaire
C. Security Assessment Questionnaire
D. Security Applicability Quiz
Question 2:
VISA, MasterCard, American Express, and Discover are referred to as:
A. Payment processors
B. Payment card brands
C. Merchants
D. PCI SSC
Question 3:
Access to cardholder data should be based on:
A. Business convenience
B. Employee’s mood
C. Business need to know
D. Workload for the day
Question 4:
Which one below is not PII?
A. Social Security Number
B. Driver’s License Number
C. Email Address
D. Favorite Color
Question 5:
TRUE or FALSE?
Truncated PAN is still considered cardholder data.
Question 6:
An annual Report on Compliance (ROC) is required from a merchant at which PCI Level?
A. Level 1
B. Level 2
C. Level 3
D. Level 4
Question 7:
TRUE or FALSE:
Merchants never see PAN when tokenization is utilized.
Question 8:
PCI Compliance is mandatory for merchants accepting what volume of credit card transactions annually?
A. Less than 1 million transactions annually
B. From 1 million to 6 million transactions annually
C. More than 6 million transactions annually
D. All merchants regardless of size must be compliant if they accept credit cards
Question 9:
TRUE or FALSE?
Merchants should use vendor-supplied defaults for system passwords and other security parameters.
Question 10:
Best practices for protecting cardholder data include all the following except:
A. Tokenization
B. Encryption
C. Truncation
D. Covering
Answer Key
Q1: B
Q2: B
Q3: C
Q4: D
Q5: FALSE
Q6: A
Q7: TRUE
Q8: D
Q9: FALSE
Q10: D
Congratulations!
Your successful completion of this course serves as acknowledgement of the PCI DSS requirements. Thank you for protecting our consumers!
For additional PCI DSS information, please visit: https://www.pcisecuritystandards.org/