Requirements
The current version of the standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 must be adopted by all organisations with payment card data by 1 January 2011, and from 1 January 2012 all assessments must be under version 2.0 of the standard. PCI DSS version 2.0 has two (2) new or evolving requirements out of 132 changes; the remaining changes and enhancements fall under the category of clarification or additional guidelines.[2] The table below summarizes the points that differ from version 1.2 of 1 October 2008[3] and specifies the 12 requirements for compliance, organized into six logically related groups called control objectives.

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
History
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS). In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.
Payment Card Industry Data Security Standard Version 1.2 was released on October 1, 2008.[4] Version 1.1 "sunsetted" on December 31, 2008.[5] v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. In August 2009 the PCI SSC announced[6] the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.
Payment Card Industry Data Security Standard
of call center personnel, are often unencrypted, and generally do not fall under the PCI DSS standards outlined here.[18] Home-based telephone agents pose an additional level of challenges, requiring the company to secure the channel from the home-based agent through the call center hub to the retailer applications.[19] To address some of these concerns, on January 22, 2010 the Payment Card Industry Security Standards Council issued a revised FAQ about call center recordings.[20] The bottom line is that companies can no longer store digital recordings that include CVV information if those recordings can be queried. Though the council has not yet issued any requirements, technology solutions can completely prevent skimming (credit card fraud) by agents. At the point in the transaction where the agent needs to collect the credit card information, the call can be transferred to an Interactive Voice Response system.[21] This protects the sensitive information, but can create an awkward customer interaction. Newer solutions allow the agent to "collect" the credit card information without ever seeing or hearing it. The agent remains on the phone and customers enter their credit card information directly into the Customer Relationship Management software using their phones. The DTMF tones are converted to monotones so the agent cannot recognize them and so that they cannot be recorded.[22] The benefits of increasing the security around the collection of personally identifiable information go beyond credit card fraud to include helping merchants win chargebacks due to friendly fraud.[23]
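As an added illustration of the DTMF-masking approach described above (this is not code from the article or from any vendor product), the following Python finds the row and column tones of each keypress in a constructed 8 kHz recording with a Goertzel detector and replaces those frames with a flat tone, so neither the agent nor the recording retains the digits. The frame length, detection threshold and 400 Hz mask tone are assumed values chosen for the demonstration.

```python
import math

SAMPLE_RATE = 8000                # telephony sample rate (Hz)
FRAME = 205                       # Goertzel frame for DTMF at 8 kHz (~25.6 ms); assumed value
LOW = (697, 770, 852, 941)        # DTMF row (low-group) frequencies
HIGH = (1209, 1336, 1477, 1633)   # DTMF column (high-group) frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")
MASK_HZ, THRESHOLD = 400, 200.0   # replacement flat tone and detection power floor; assumed values

def tone(freqs, n, amp=0.5):
    """n samples of the sum of one sinusoid per frequency."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]

def build_recording(digits, frames_per_digit=4, gap_frames=2):
    """Constructed sample recording: each keypress is a DTMF burst followed by silence."""
    audio = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        audio += tone((LOW[row], HIGH[KEYPAD[row].index(d)]), frames_per_digit * FRAME)
        audio += [0.0] * (gap_frames * FRAME)
    return audio

def goertzel(frame, freq):
    """Signal power at one target frequency (Goertzel algorithm, rectangular window)."""
    k = round(len(frame) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Keypad symbol whose row and column tones dominate the frame, or None if no keypress."""
    low = max(LOW, key=lambda f: goertzel(frame, f))
    high = max(HIGH, key=lambda f: goertzel(frame, f))
    if goertzel(frame, low) < THRESHOLD or goertzel(frame, high) < THRESHOLD:
        return None
    return KEYPAD[LOW.index(low)][HIGH.index(high)]

def mask_dtmf(audio):
    """Replace every frame carrying a keypress with the flat tone.
    Returns (digits that were detected, masked audio of the same length)."""
    masked, seq, last = [], [], None
    for start in range(0, len(audio), FRAME):
        frame = audio[start:start + FRAME]
        d = detect_digit(frame)
        if d is not None and d != last:     # collapse the frames of one keypress
            seq.append(d)
        last = d
        masked += tone((MASK_HZ,), len(frame)) if d else frame
    return "".join(seq), masked
```

Running the detector a second time over the masked output returns no digits, which is the property a recording archive needs to satisfy.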
Gonzalez and two unnamed Russian hackers.[31] Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time and frequently use a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times, both throughout the annual validation/assessment cycle and across all systems and processes in their entirety.[32] Therefore, these frequently cited breaches, and their pointed use as a tool for criticism (even to the point of noting that Hannaford Brothers had, in fact, received its PCI DSS compliance validation one day after it had been made aware of a two-month-long compromise of its internal systems[33]), fail to appropriately assign blame: they blast the standard itself as flawed, whereas the more truthful explanation is a breakdown in merchant and service provider compliance with the written standard, albeit in this case one not identified by the assessor. Other, more substantial, criticism lies in that compliance validation is required only for Level 1-3 merchants and may be optional for Level 4 depending on the card brand and acquirer. Visa's compliance validation details for merchants state that Level 4 merchants' compliance validation requirements are set by the acquirer;[34] Visa Level 4 merchants are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time, 80% of payment card compromises since 2005 affected Level 4 merchants.[35]
Compliance as a snapshot
The state of being PCI DSS compliant might appear to have some temporal persistence, at least from a merchant point of view. In contrast, the PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organisation at the point in time when an actual breach occurs.[36]
Costs
Similar to other industries, a secure state could be more costly to some organisations than accepting and managing the risk of confidentiality breaches. However, many studies have shown that this cost is justifiable.[37]
References
[1] Sidel, Robin (2007-09-22). "In Data Leaks, Culprits Often Are Mom, Pop" (http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts). The Wall Street Journal.
[2] http://grc360.net/cms/2010/pci-dss-ver-2-0-quick/
[3] PCI DSS - PCI Security Standards Council (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml)
[4] PCI Security Standards Council Releases Version 1.2 of PCI Data Security Standard (https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf)
[5] Supporting Documents PCI DSS (https://www.pcisecuritystandards.org/security_standards/supporting_documents_home.shtml)
[6] https://www.pcisecuritystandards.org/pdfs/statement_090810_minor_corrections_to_standards.pdf
[7] Information Supplement: Requirement 11.3 Penetration Testing (https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf)
[8] Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified (https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf)
[9] Navigating the PCI DSS - Understanding the Intent of the Requirements (https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf)
[10] "PCI DSS Wireless Guidelines" (https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf). Retrieved 2009-07-16.
[11] "Don't Let Wireless Detour your PCI Compliance" (http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/PCI_Wireless_Whitepaper.pdf). Retrieved 2009-07-22.
[12] "Walk Around Wireless Security Audits: The End Is Near" (http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/WP_WalkAroundWireless.pdf). Retrieved 2009-07-22.
[13] "Webinar on Wireless Security as SaaS by Gartner Analyst John Pescatore" (http://www.airtightnetworks.com/fileadmin/content_images/news/webinars/SaaS/player.html). gartner.com. Retrieved 2009-04-24.
External links
PCI DSS Standard (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml)
PCI Quick Reference Guide (https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf)
License
Creative Commons Attribution-Share Alike 3.0 Unported http://creativecommons.org/licenses/by-sa/3.0/