Saudi Electronic University
College of Computing and Informatics
IT Security and Policies
26/12/2021
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Updated 02/2018
Week 14
Chapter 15: PCI Compliance for Merchants
Contents
1. Protecting Cardholder Data
2. PCI Compliance
Objectives
Describe the PCI Data Security Standard framework
Recognize merchant responsibilities
Explain the 12 top-level requirements
Understand the PCI DSS validation process
Implement practices related to PCI compliance
Required Reading
1. Chapter 15 in Greene (2014)
2. "Best Practices for PCI 3.0 Compliance"
Protecting Cardholder Data
Introduction
Payment card companies developed the Payment Card Industry Data
Security Standard (PCI DSS) in order to protect cardholders against misuse
of their personal information and to minimize payment card channel losses.
• Examples of payment card brands: Visa, MasterCard, Discover, JCB International
and American Express
In this chapter, we are going to examine the PCI DSS, version 3.0.
Protecting Cardholder Data
PCI DSS applies to all system components where account data is stored, processed or transmitted.
• Account data
Cardholder data plus sensitive authentication data.
• System components
Any network component, server, or application that is included in, or connected to, the cardholder data
environment.
• Cardholder data environment
The people, processes, and technology that handle cardholder data or sensitive authentication data.
Table 15.1: Account data consists of cardholder data plus sensitive authentication data.
Protecting Cardholder Data Cont.
Figure shows the following elements located
on the front of a credit card:
1. Embedded microchip: contains the same
information as the magnetic stripe.
2. Primary account number (PAN).
3. Expiration date.
4. Cardholder name.
Protecting Cardholder Data Cont.
Figure shows the following elements on the back of a credit card:
1. Magnetic stripe (mag stripe)—The magnetic stripe contains encoded data
required to authenticate, authorize, and process transactions.
2. CVV2/CVC2/CID—All refer to card security codes (Verification Numbers)
for the different payment brands.
This system may be variously called
• CVV2 (Visa)
• CVC2 (MasterCard)
• CID (American Express)
What Is the PCI DSS Framework?
The PCI DSS framework includes:
1. Stipulations regarding storage, transmission, and processing of
payment card data
2. Six core principles
• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
3. Required technical and operational security controls
4. Testing requirements
5. Certification process
The 12 PCI Top Level Requirements
The PCI DSS consists of 6 core principles, accompanied by the following 12
requirements:
Core Principle 1. Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and security parameters
Core Principle 2. Protect cardholder data
3. Protect stored card data
4. Encrypt transmission of cardholder data across open, public networks
Core Principle 3. Maintain a vulnerability management program
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and architecture
Core Principle 4. Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Core Principle 5. Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Core Principle 6. Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
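Requirement 3 (protect stored card data) and requirement 10 (track and monitor access) are the two that most often fail in practice because a PAN or a card security code ends up in an application log. The following is an added example, not code from the slides or from Greene's book: it scans constructed log lines for Luhn-valid digit runs that look like a PAN and for CVV2/CVC2/CID values, reports each finding, and returns a redacted copy of the line. The masking rule (show at most the first six and last four digits of the PAN) and the rule that card security codes must never be stored after authorization come from the PCI DSS itself, not from this chapter's text; the log format and the sample lines are made up for the example.

```python
import re

# Constructed sample log lines for this example (not real transactions).
# Line 1 leaks a full PAN and a CVV2; line 2 is already masked; line 3 holds no card data.
SAMPLE_LOG_LINES = [
    "2021-12-26 10:01:02 order=1001 pan=4111111111111111 cvv2=123 status=ok",
    "2021-12-26 10:02:15 order=1002 pan=411111******1111 status=ok",
    "2021-12-26 10:03:40 order=1003 customer=alice status=declined",
]

# A PAN is 13 to 19 digits; the lookarounds stop us matching a slice of a longer number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Sensitive authentication data (SAD): the card security code under any brand's name.
# Longer names come first in the alternation so "cvv2" is not matched as "cvv".
SAD_RE = re.compile(r"\b(cvv2|cvc2|cid|cvv|cvc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters order ids and timestamps out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (findings, redacted_line) for one log line."""
    findings = []

    def _mask(match):
        candidate = match.group(0)
        if not luhn_valid(candidate):
            return candidate  # a digit run that is not a card number; leave it alone
        findings.append("PAN")
        return mask_pan(candidate)

    def _redact_sad(match):
        findings.append("SAD:" + match.group(1).upper())
        # Card security codes may never be stored, so nothing of the value is kept.
        return match.group(1) + "=[REDACTED]"

    redacted = PAN_RE.sub(_mask, line)
    redacted = SAD_RE.sub(_redact_sad, redacted)
    return findings, redacted


def scan_log(lines):
    """Scan every line; each result records line number, what was found, and the safe copy."""
    results = []
    for number, line in enumerate(lines, start=1):
        findings, redacted = scan_line(line)
        results.append({"line": number, "findings": findings, "redacted": redacted})
    return results


if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG_LINES):
        if result["findings"]:
            print(f"line {result['line']}: {', '.join(result['findings'])}")
            print("  redacted:", result["redacted"])
```

Running the block against the sample lines flags only the first line (one PAN, one CVV2) and prints it with the PAN masked and the security code removed; the already-masked second line produces no finding because neither of its digit runs is long enough to be a PAN. In a real deployment the scanner would sit on the log pipeline or in the assessor's sampling step, and a non-empty finding on stored logs is itself evidence of noncompliance with requirement 3.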
PCI Compliance
PCI Compliance
Compliance with PCI standards is not a government regulation or law.
Complying with the PCI standards is a contractual obligation that applies
to all entities involved in the payment card channel, including merchants,
processors, financial institutions, and service providers, as well as all
other entities that store, process, or transmit cardholder data and/or
sensitive authentication data.
*It’s mandated by the payment card brands to accept card payments
and/or be part of the payment system.
Merchants are required to comply with PCI DSS
A merchant is defined as any entity that accepts American Express, Discover, JCB,
MasterCard, or Visa payment cards as payment for goods and/or services
(including donations)
Effectively, any company, organization, or individual that accepts card payments is
a merchant.
PCI Compliance Cont.
PCI compliance validation is composed of four levels, based on the number of
transactions processed per year and whether those transactions are performed
from a physical location or over the Internet.
Level 1
• Any merchant processing more than 6 million Visa payment card transactions annually.
Level 2
• Any merchant processing 1 million to 6 million Visa transactions per year.
Level 3
• Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per
year.
Level 4
• Any merchant processing fewer than 20,000 Visa e-commerce transactions per
year, and all other merchants, regardless of acceptance channel, processing up to
1 million Visa transactions per year.
What Is a Data Security Compliance Assessment?
A Compliance Assessment is an annual onsite evaluation of compliance
with the PCI DSS conducted by either a Qualified Security Assessor
(QSA) or an Internal Security Assessor (ISA).
• Qualified Security Assessors (QSAs) are organizations/companies that
have been qualified by the PCI Council to have their employees assess
compliance with the PCI DSS standard.
• Internal Security Assessors (ISAs) are employees of sponsor companies
whose internal assessors have been qualified by the Council to perform
internal assessments for their own company.
What Is a Data Security Compliance Assessment?
The assessment process begins with documenting the PCI DSS cardholder
environment and confirming the scope of the assessment.
The QSA/ISA will conduct an initial assessment (gap assessment) to identify
areas of noncompliance and provide remediation recommendations.
Post-remediation, the QSA/ISA will conduct the assessment.
Compliance Assessment
On-site evaluation of compliance with PCI DSS
Assessment Methodology
1. Observe system settings
2. Observe processes and actions that use cardholder data
3. Review documentation
4. Interview system users
5. Run test data through the system (sampling)
Create the Report on Compliance (ROC) document
Report on Compliance
ROC standard template includes the following:
Section 1: Executive Summary
Section 2: Description of Scope of Work and Approach Taken
Section 3: Details About Reviewed Environment
Section 4: Contact Information and Report Date
Section 5: Quarterly Scan Results
Section 6: Findings and Observations
Compensating Controls Worksheets (if applicable)
• Worksheets that give organizations an alternative to security requirements
that cannot be met and provide suggestions to mitigate/control the risk
associated with the original requirements.
What Is the SAQ?
Self-Assessment Questionnaire (SAQ)
• A validation tool for merchants that are not required to submit to an onsite data
security assessment
There are two parts to the SAQ:
The controls questionnaire and
the self-certified attestation/confirmation.
To be compliant, the response to each question must either be "yes" or an
explanation of a compensating control.
*If an entity cannot provide affirmative responses, it is still required to submit an
SAQ.
To complete the validation process, the entity submits the SAQ and an
accompanying Attestation/confirmation of Compliance stating that it is or is not
compliant with the PCI DSS.
If the attestation indicates noncompliance, a target date for compliance along with
an action plan needs to be provided.
Are There Penalties for Noncompliance?
Three types of fines
1. PCI noncompliance
• Noncompliance penalties are discretionary/open and can vary greatly,
depending on the circumstances.
2. Account Data Compromise Recovery (ADCR) for compromised
domestic-issued cards.
3. Data Compromise Recovery Solution (DCRS) for compromised
international-issued cards.
Fine paid by issuing bank. May be passed on to merchant.
Are There Penalties for Noncompliance?
In addition, the entity may be liable for the following penalties:
1. All fraud losses perpetrated using the account numbers associated
with the compromise.
2. Cost of reissuance of cards associated with the compromise
3. Any fraud prevention/detection costs incurred by credit card issuers
associated with the compromise.
4. Increased transaction fees.
Fine paid by issuing bank. May be passed on to merchant.
Summary
The Payment Card Industry Data Security Standard, known as PCI
DSS, applies to all entities involved in the payment card channel,
including merchants, processors, financial institutions, and service
providers, as well as all other entities that store, process, or
transmit cardholder data and/or sensitive authentication data.
The PCI DSS framework includes six core principles and 12
categories of required technical and operational security controls,
testing requirements, and a validation and certification process.
Compliance with PCI DSS is a payment card channel contractual
obligation. It is not a government regulation or law.
Thank You