PCI DSS Penetration Testing and Compliance Basics

By: admin | In: Articles, Blog | March 8, 2016

PCI DSS Penetration Testing - Part I

This article about PCI DSS penetration testing explains what PCI DSS is, which requirements must be met to be PCI compliant, and why PCI DSS penetration testing is needed.

PCI DSS stands for Payment Card Industry Data Security Standard. It is mandated by the major card brands (Visa, MasterCard, American Express, JCB and Discover) and administered by the PCI Security Standards Council (PCI SSC), which those five brands founded jointly in 2006. The standard was developed to encourage and enhance cardholder data security. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, and to any other entity that stores, processes or transmits Cardholder Data (CHD) and/or Sensitive Authentication Data (SAD).

  To be simple and specific:
  1. The major card brands created the PCI Security Standards Council (SSC), and the SSC is now responsible for developing and approving the DSS framework.
  2. The PCI SSC developed the DSS, PA-DSS and PIN standards, and it runs the training and certification of QSAs and ASVs.
  3. The card brands, through the acquiring banks and payment processors, own the responsibility for enforcing the DSS.
  4. Merchants are responsible for implementing the DSS controls and for maintaining compliance.
 

Few Related Acronyms:

PCI – Payment Card Industry
SSC – Security Standards Council
DSS – Data Security Standard
PA – Payment Application
CHD – Cardholder Data
CDE – Cardholder Data Environment
SAD – Sensitive Authentication Data
PIN – Personal Identification Number
QSA – Qualified Security Assessor
ASV – Approved Scanning Vendor
ISA – Internal Security Assessor
SAQ – Self-Assessment Questionnaire
ROC – Report on Compliance
   

PCI DSS Requirements

In PCI DSS there are 12 high-level requirements which fall into 6 categories (the goal and requirement titles below follow the PCI DSS v3.x wording that was current when this article was written). Meeting all 12 is what "PCI DSS compliance" means:
  Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.

The PCI SSC itself (as distinct from the standard it publishes) works across five main areas:
  • Develop and maintain a global, industry-wide technical data security standard to protect cardholders' account information.
  • Reduce costs and lead times to implement the Data Security Standard. The council works to establish and ensure compliance with common technical standards and audit procedures.
  • Provide a list of globally available, qualified security solution providers on its website to help the industry become compliant.
  • Lead training, education, and a streamlined process for certifying Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). This provides a single source of approval recognised by all five founding members.
  • Provide a transparent forum, where all stakeholders can contribute to the on-going development, enhancement and dissemination of data security standards.

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, alternative controls. A compensating control does not waive the requirement: it has to be documented (PCI DSS provides a compensating controls worksheet for this), it must meet the intent and rigour of the original requirement and go above and beyond what the other requirements already demand, and the assessor re-evaluates it at every annual assessment.
 

There are four merchant levels under the card brands' compliance programs. The thresholds below are Visa's and MasterCard's, which are broadly aligned; the other brands define their own, and a brand or acquirer may place any merchant in Level 1 regardless of volume (for example after a compromise).
LEVEL 1:
Any merchant processing over six million Visa or MasterCard transactions per year, across all channels, is a Level 1 merchant.
LEVEL 2:
Any merchant processing between one million and six million Visa or MasterCard transactions per year, across all channels, is a Level 2 merchant.
LEVEL 3:
Any merchant processing between 20,000 and one million Visa or MasterCard e-commerce transactions per year is a Level 3 merchant.
LEVEL 4:
Any merchant processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or up to one million transactions through other channels, is a Level 4 merchant.

The level determines how compliance is validated, not which requirements apply: all 12 requirements apply at every level. Level 1 merchants validate with an annual on-site assessment by a QSA (or an ISA) that produces a Report on Compliance (ROC); Levels 2 to 4 normally validate with an annual Self-Assessment Questionnaire (SAQ), and quarterly external vulnerability scans by an ASV are required wherever internet-facing systems are in scope.


Simple Question & Answers

Q: To whom does this standard apply?
A: It applies to any organisation or merchant, regardless of size or number of transactions, that accepts, stores, processes or transmits cardholder data.
Q: What is the difference between security and compliance?
A: Security is about keeping the environment safe and the business running; compliance is about demonstrating that every requirement of the standard is met. A compliant environment is not automatically a secure one, and a secure environment is not automatically a compliant one.
Q: Do I have to meet all 12 requirements to be compliant?
A: Yes. You must meet all 12 requirements (or cover any gap with an approved compensating control) to be PCI DSS compliant. Meeting half of them does not make you half compliant; there is no such thing as 50% compliant.

To be secure and PCI compliant you need to know where you lack controls from a cardholder data protection perspective. Regular PCI DSS penetration testing is how you find that out, and it is itself a requirement: Requirement 11.3 (in the PCI DSS v3.x revisions current when this article was written) calls for internal and external penetration tests, covering both the network and application layers, at least annually and after any significant infrastructure or application change; exploitable vulnerabilities that are found must be corrected and retested; and where network segmentation is used to reduce the scope of the CDE, the segmentation controls must be tested to confirm that they actually isolate the CDE from out-of-scope systems.

Because PCI DSS exists to secure cardholder data, a PCI penetration test is a must. Provensec is an experienced service provider for PCI related penetration testing. We have a dedicated PCI compliance team that keeps our penetration tests sharply focused on the PCI DSS requirements. For more information you can Contact us.