This document provides an introduction to PCI-DSS (Payment Card Industry Data Security Standard). It defines key terms like PCI, cardholder data, and sensitive authentication data. It explains why PCI security standards are important to protect payment card data and prevent fraud. The document outlines the six goals and twelve requirements of PCI-DSS, as well as introducing PA-DSS which focuses on developing secure payment applications. It provides instructions on determining an organization's PCI compliance level and selecting the appropriate Self Assessment Questionnaire.

1. PCI-DSS
INTRODUCTION
Nguyen Ngo, Ninh Dang

2. Agenda
PCI-DSS Fundamental
 What is PCI-DSS
• Why are the PCI Security Standards Important?
• Key Definitions
 PCI Standards Boundary
 Recommended Understanding
Instruction
 Determine PCI-Level
 Validate Requirement
 Choose SAQ
Implementation
 Principles
 PCI-DSS-Requirements
 PA-DSS Requirements
 Self Assessment Questionnaire
 Report

3. PCI-DSS
Fundamental

4. Payment Card Data Issues
4

5. What is PCI ???
PCI stands for the Payment Card Industry and is used to refer to:
The PCI Security Standards Council ™(PCI SSC), an industry body
founded by the major card brands to protect cardholder data.
Founders:
The global Security Standards created and maintained by the PCI SSC
to protect cardholder payment data.
• Key Learning Point: Compliance with PCI Security Standards is
mandatory for merchants and their service providers, and is enforced
by the major card brands who established the PCI SSC
5

6. What is PCI DSS?
“The PCI Data Security Standard represents a
common set of industry tools and measurements
to help ensure the safe handling of sensitive
information…the standard provides an actionable
framework for developing a robust account data
security process - including preventing, detecting
and reacting to security incidents.”
– PCI Standards Council –

7. Why are the PCI Security
Standards Important?
The Standards are important because they:
Protect cardholder data in order to help prevent data compromises and
subsequent fraud activity…
• Customers expect merchants and their acquirers to keep their card
account data safe
• Data compromises can result in significant fines and losses for
merchants and can damage the merchant’s reputation with
customers
• The number of data compromise incidents is increasing annually –
organized criminal enterprises are targeting vulnerable merchants
7

8. PCI-DSS Object

9. Key Definitions
Data definitions
• Cardholder data: PAN (Primary Account Number), Cardholder Name, Service Code.
Expiration Code.
• Sensitive authentication data: Full Magnetic Stripe Data, CCV, PIN (Personal
identification number).
Keywords
• PCI-DSS: Payment Card Industry Data Security Standards
• PA-DSS : Payment Applications Data Security Standards
• PTS: PIN Transaction Security
• QSA: Qualified Security Assessor
• SAQ: Self Assessment Questionnaire
• ASV: Approved Scanning Vendor
9

10. PCI Standards Boundary
• The PCI Data Security Standard (PCI DSS) If a business accepts or processes
payment cards, it must comply with the PCI DSS. It is the standard merchants,
processors, and service providers must meet for the complete protection of payment
cardholder data.
• The Payment Application-Data Security Standard (PA-DSS) and PIN Transaction
Security (PTS) (previously known as PIN Entry Device (PED)) security requirements
support the overall implementation of PCI DSS by allowing merchants to choose from
Council certified payment application software and PIN entry devices.
10

11. Recommended Understanding
PCI DSS tells you what you need to do; what standards you need to
meet to be compliant
PCI DSS does not tell you how to become compliant. That is individual
to your situation and your environment
- Your system
- Your processes
- Your vendors
- Your customers
Being compliant does necessary make you secure
Being secure leads to compliance – not the other way around
11

12. Instructions

13. Instruction
•Determining your PCI Level
•Validation requirements
•Selecting the SAQ that Best Applies to Your
Organization
13

14. Determining your PCI Level
You need to assess where you are on the scale of risk:
Level 1
All Channels
6MM Visa or MC transactions per year
Level 2
All Channels
1MM - 6MM Visa or MC transactions per year
E-Commerce - >150,000 - 6 MM MC transactions per year
Level 3
20,000 - 150,000 e-commerce MC transactions per year
20,000 - 999,999 e-commerce Visa transactions per year
Level 4
<20,000 Visa or MC e-commerce transactions per year
<1MM non-e-commerce Visa or MC transactions per year
14

15. Validation requirements
Level 1 Merchants
Complete an Annual On-Site PCI Data Security Assessment in accordance with PCI Audit Procedures (Visa
website). You can use this template for your Report on Compliance (ROC).
Engage a Visa-approved Qualified Data Security Company to complete your ROC.
Validate the ROC by the due date (preferably sooner in case issues arise in the ROC. This will help eliminate
assessment of fines.)
Provide the ROC to Bank of America Merchant Services.
Merchant’s internal auditor may prepare the ROC, which must be accompanied by a letter signed by an
executive-level officer of Merchant’s organization validating the ROC.
Complete quarterly network scans to check your systems for vulnerabilities.
Complete annual penetration testing to test that your systems are hacker-resistant.
Ensure that these security scans are performed by a qualified independent scan vendor.
Level 2, 3 and 4 Merchants
Complete and validate an Annual PCI Self-Assessment Questionnaire.
Complete Quarterly Network Scans to check your systems for vulnerabilities.
Complete annual penetration testing to test that your systems are hacker-resistant.
Ensure that these security scans are performed by a qualified independent scan vendor.
15

16. Selecting the SAQ that Best Applies
to Your Organization
SAQ Description
A Card-not-present (e-commerce or mail/telephone-order) merchants, all
cardholder data functions outsourced. This would never apply to face-to-
face merchants.
B Imprint Only merchants with no electronic cardholder data storage, or
standalone, dial out terminal merchant with no electronic cardholder data
storage
C-VT Merchant using only web-based virtual terminals, no cardholder data storage
C Merchants with payment application systems connected to the internet, no
electronic cardholder data storage
D All other merchants not included in descriptions for SAQ types A through C
above, and all service providers defined by a payment brand as eligible to
complete an SAQ
16

17. Implements

18. Implement
•Determine Scope
•Rebuild system base on requirements
•Self Assessment Questionnaires
•Report
18

19. Determining Scope – Network
Segmented

20. Determining Scope – Network
Segmented

21. Determining Scope – Network
Segmented

22. Principles
SECURE  TRACK  AUDIT
• You need to ensure that your data is first secured …
both physical and electronically.
• You need to ensure you have mechanism in place to
track who access your data and when
• You need to review your tracking (audit) to look for
anomalies
22

23. PCI DSS – Requirements
Six Goals, Twelve Requirements
Build and Maintain a 1. Install and maintain a firewall configuration to protect
Secure Network cardholder data
2. Do not use vendor-supplied defaults for system passwords
and other security parameters
Protect Cardholder Data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs
Management Program
6. Develop and maintain secure systems and applications
Implement Strong 7. Restrict access to cardholder data by business need-to-know
Access Control
Measures 8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and 10.Track and monitor all access to network resources and
Test Networks cardholder data
11.Regularly test security systems and processes
Maintain an Information 12.Maintain a policy that addresses information security for
Security Policy employees and contractors
23

24. PA-DSS Introduction
Formerly known as -PABP (Payment Application Best Practices)
supervised by Visa
Goals
Develop secure payment applications that do not store
prohibited data, such as full magnetic stripe, CVV2 or PIN
data
Ensure their payment applications support compliance
with the PCI DSS
The requirements for the PA-DSS are derived from the PCI DSS
Why focus on software? Vulnerable payment applications are
currently the leading cause of data compromise incidents, particularly
for small merchants.
24

25. PA-DSS Requirements
Fourteen Requirements
Requirement 1 Do not retain full magnetic stripe, card validation code or value
(CAV2, CID, CVC2, CVV2), or PIN block data
Requirement 2 Protect stored cardholder data
Requirement 3 Provide secure authentication features
Requirement 4 Log payment application activity
Requirement 5 Develop secure payment applications (5.2 - OWASP Guide, SANS CWE Top 25,
CERT Secure Coding)
Requirement 6 Protect wireless transmissions
Requirement 7 Test payment applications to address vulnerabilities
Requirement 8 Facilitate secure network implementation
Requirement 9 Cardholder data must never be stored on a server connected to the Internet
Requirement 10 Facilitate secure remote software updates
Requirement 11 Facilitate secure remote access to payment application
Requirement 12 Encrypt sensitive traffic over public networks
Requirement 13 Encrypt all non-console administrative access
Requirement 14 Maintain instructional documentation and training programs
for customers, resellers, and integrators
25

26. SAQ Objectives
Self Assessment Questionnaires
• Based on industry feedback
• Flexibility for multiple merchant
Self-Assessment
Questionnaire (SAQ) A types
• Providing guidance for the intent
and applicability of the
underlying requirements
26

27. Self Assessment Questionnaires
SAQ
Validatio Description SAQ
n Type
Card-Not-Present (e-commerce or MO/TO) merchants, all A
1 cardholder data functions outsourced. This would never
apply to face-to-face merchants <11 Questions
B
2 Imprint-only merchants with no cardholder data storage
21 Questions
B
Stand alone dial-up terminal merchants, no cardholder data
3
storage 21 Questions
C
Merchants with payment application systems connected to
4
the Internet, no cardholder data storage 38 Questions
All other merchants (not included in descriptions for SAQs A, D
5 B or C above) and all service providers defined by a
payment brand as eligible to complete an SAQ Full DSS
27

28. Reports
Regular reports are required for PCI DSS
compliance.
All merchants, service providers and processors
may be required to submit quarterly scan
reports,
All reports must be performed by a PCI SSC
approved ASV
28

29. THANK YOU