The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards to ensure cardholder data security. It was founded in 2004, with the mission of enhancing the careful handling of sensitive authentication data (SAD) within the cardholder data environment (CDE). The PCI DSS compliance requirements apply to every organization that stores, processes or transmits its customers' cardholder data. However, some organizations that do not themselves store, process or transmit cardholder data may still have to be PCI DSS compliant, depending on how they interact with the parties that do.
If an organization stores either cardholder data or sensitive authentication data, it has to be PCI DSS compliant.
Data leaks are a prevalent problem among transaction-based companies. That is why the five major payment card brands came together to draft a comprehensive list of requirements and a checklist to protect a customer's cardholder data (Primary Account Number (PAN), cardholder name, expiration date and service code) along with their sensitive authentication data (full track data (magnetic-stripe data or its equivalent on a chip), card verification code and PINs/PIN blocks).
1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and applications.
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
12. Support information security with organizational policies and programs.
Do you know what distinguishes Kratikal from others? We have your trust! We are one of the top 10 cyber security solution provider firms in India. We believe in a client-centric approach and are dedicated to ensuring that best practices are adopted by the organizations we work with. Our strategy? We focus on maximising our client's chances of achieving PCI DSS compliance, and to do that we offer holistic solutions that cover compliance end to end.
Our team of certified cybersecurity compliance experts has hands-on experience with best-of-industry SIEM, network monitoring and data loss prevention tools. Our experts have worked with organizations across a wide range of industries and therefore hold expertise in standard, industry-based and regulatory compliance. Kratikal's compliance implementers and QSAs are well-versed in international IT frameworks and acts, and hence deliver an optimized solution unique to your organization.
During the gap and scope assessment phase, Kratikal will ensure that all processes involving card numbers are covered. We will carry out the following tasks:
1. Identify processes that access/store/process cardholder information (beginning with the 16-digit PAN).
2. Schedule meetings with concerned process owners.
3. Obtain policies and procedures in the organization and verify compliance with all 12 PCI DSS requirements.
4. Begin discussions with the IT department to understand the network and application architecture.
5. Conduct process audits to ensure the adequacy of IT and security processes.
6. Prepare and present the gap report to the stakeholders.
7. Prepare a remediation road map and prioritize activities based on risk exposure and the PCI DSS prioritized approach to implementation.
After the gap assessment phase is completed, a separate team of technical and process experts will provide remediation support. We will also assist in the development of the necessary information and cyber security policies and procedures. We will begin risk assessment activities after basic training. Recommendations on how to close the gaps identified in the previous phase will be documented, and key teams will be assigned responsibility. Two kinds of support are involved in this phase:
a. PCI Scope reduction / Segmentation Support -
1. Provide recommendations on PCI Scope reduction
2. Scoping Assistance - Assist the team in finalizing the implementation controls for the PCI DSS scope reduction.
b. Non-Technical Implementation Support -
1. Review and develop necessary PCI DSS policy, process and procedures.
2. Conduct policy / process awareness sessions for IT/Security teams and business users who are part of the PCI DSS scope.
3. Assist customers in building stable and secure processes for PCI DSS compliance.
4. Assist in risk assessment and risk mitigation planning.
During the compliance maintenance phase, we assist our customers with the following PCI DSS-related steps:
1. Helping to maintain PCI DSS compliance.
2. Helping to maintain recurring activities such as information security policy and procedure reviews.
3. Training and awareness.
During an official PCI DSS audit and certification, a Qualified Security Assessor (QSA) examines the customer's information security controls in detail against each section of the PCI DSS Report on Compliance (RoC). The exact details of what the assessor did as part of the audit and what the assessor saw in relation to each clause of the PCI DSS will be included in the RoC. The RoC will be built in accordance with the PCI SSC's RoC reporting instructions. Following the audit, the customer will receive complete audit documentation, including the official RoC.
PCI DSS is a regulatory compliance standard with 12 sets of requirements that must be met by all organizations dealing with cardholder data. Its controls are prescriptive: they do not give implementers the liberty to meet the requirements according to their own resources and interpretation.
To address the crucial issue of payment application security, the PCI Security Standards Council (SSC) maintains the PA-DSS, or Payment Application Data Security Standard. The PA-DSS requirements are designed to ensure that vendors deliver products that help merchants maintain PCI DSS compliance and avoid storing sensitive cardholder data.
An Approved Scanning Vendor (ASV) is a data security firm that uses a scanning solution to verify a client's compliance with the PCI DSS external vulnerability scanning requirements. Organizations falling in Level 1 must have a PCI network scan performed by an ASV every quarter.
No. Organizations that qualify and receive PCI DSS training and certification can build an internal team of Internal Security Assessors (ISAs) to strengthen their approach to payment data security. An ISA has to coordinate with a QSA for end-to-end compliance.