PCI Standard & Your Professional Role Flashcards
An independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis.
PCI SSC
PCI SSC founding payment brands include:
- American Express
- Discover Financial
- JCB International
- MasterCard
- Visa
The resources provided by PCI SSC:
- PCI DSS, PA-DSS, P2PE, PTS (POI, HSM and PIN), Card Production, and supporting documents
- PCI Security Standards Council FAQs
- Education and outreach programs
- Roster of QSAs, PA-QSAs, PCIPs, ASVs, validated payment applications, PTS Devices, and P2PE solutions
- Participating organization membership, community meetings, feedback
Each payment brand develops and maintains its own _________ programs in accordance with its own security risk management policies
PCI DSS compliance
Data Security Operating Policy (DSOP)
American Express
Discover Information Security Compliance (DISC)
Discover
Data Security Program
JCB
Site Data Protection(SDP)
MasterCard
Cardholder Information Security Program (CISP) / Account Information Security (AIS) Program
VISA
Payment brands’ compliance programs include:
- Tracking and enforcement - penalties, fees, compliance deadlines
- Validation process and who needs to validate
- Definition of merchant and service provider levels
Payment brands are also responsible for:
- Defining rules for forensic investigations and responding to account data compromises
- Monitoring and facilitating investigations of account data compromises to completion
Covers security of the environments that store, process, or transmit account data
PCI DSS
Covers secure payment applications to support PCI DSS compliance
PCI PA-DSS
Covers encryption, decryption, and key management requirements for point-to-point encryption solutions
PCI P2PE
Covers the protection of sensitive data at point-of-interaction devices and their secure components
PCI PTS-POI
Covers secure management, processing and transmission of personal identification number (PIN) data
PCI PTS-PIN Security
Covers physical, logical, and device security requirements for securing Hardware Security Modules (HSM)
PCI PTS-HSM
Covers physical and logical security requirements for entities involved in producing payment cards
PCI Card Production
Covers physical and logical security requirements for Token Service Providers that generate and issue EMV Payment Tokens
PCI Token Service Provider Requirements (TSP)
Covers the risk framework to protect the confidentiality and integrity of sensitive payment information captured and processed on a cardholder verification method (CVM) solution
PCI Software-Based PIN Entry on COTS Security Requirements (SPoC)
Covers the secure design and development processes of payment software. (Transition Plan for PA-DSS)
PCI Software Security Standard (S3)
Covers the security requirements for assessing 3-D Secure (3DS) entities that perform the following 3DS functions:
- Access Control Server (ACS)
- Directory Server (DS)
- 3DS Server (3DSS)
PCI 3DS Core Security Standard
Covers the security requirements for “app-based” 3-D Secure Software Development Kits (SDK) as defined in the 3-D Secure SDK Specification managed and maintained by EMVCo
PCI 3DS SDK Standard
Functions of Payment Application Data Security Standard (PA-DSS)
- Provides a list of validated applications to choose from
- Validated applications are proven to facilitate PCI DSS compliance
- Does it guarantee compliance?
- For applications that are sold/licensed to others
- Must have a PA-DSS Implementation Guide
Roles of Qualified Integrator and Reseller (QIR)
- Are certified to perform Qualified Installations of payment applications
- Focus on 3 problems: remote access, accounts and passwords, patching.
- Leave behind an Implementation statement saying what they did
- The Implementation statement is not an evaluation or certification of compliance
- Purely Informational
- Could list problems found
Note: Even though the software vendor may have developed an application that is capable of being secure, the integrator/reseller must ensure it is implemented properly and in a secure manner to facilitate PCI DSS compliance
The algorithmic process of transforming plaintext into unreadable ciphertext; the core technology for any point-to-point encryption solution
Encryption
In _______________, encryption occurs at one designated and independently validated encryption device or location in a card transaction (the source or encryption point), and the data is sent as unreadable ciphertext for decryption to another designated and independently validated decryption device (the destination or decryption point). The data remains encrypted between the source and the destination, with no decryption of the data feasible at any point between the two
P2PE solutions
The __________ is that encrypted cardholder data in transit is protected to the extent that an entity in possession of the ciphertext alone cannot reverse the encryption process
Presumption of P2PE
A PCI P2PE solution must include all of the following:
- Secure encryption of payment card data at the point-of-interaction (POI)
- P2PE-validated application(s) at the point-of-interaction
- Secure management of encryption and decryption devices
- Management of the decryption environment and all decrypted account data
- Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage
Merchants may be able to reduce their PCI DSS scope when using Council-listed P2PE solutions:
- Merchant has no access to account data within the encryption device (POI) or decryption environment (at the Solution Provider)
- Merchant has no involvement in encryption or decryption operations, or cryptographic key management
- All cryptographic operations are managed by a third-party Solution Provider
PCI DSS applies to all entities involved in payment card processing, and any entity that _______, _______, or _______ account data
Stores, processes, or transmits
___________ covers security for any system components included in or connected to a merchant’s or service provider’s cardholder data environment (CDE)
PCI DSS
What are the relationships between PA-DSS and PCI DSS?
- Payment applications must facilitate and not prevent PCI DSS compliance
- Many payment application requirements in PA-DSS address equivalent PCI DSS requirements
What are the relationships between P2PE and PCI DSS?
- Incorporates requirements from PTS, PCI DSS, PA-DSS, and PCI PIN to protect account data from the point of capture until it reaches the payment processor
- When properly implemented and maintained, Council-listed P2PE solutions may help reduce the work involved during a merchant’s PCI DSS assessment
PTS requirements apply to:
- Point of Interaction (POI) devices
- Encrypting PIN Pads (EPP)
- Point of Sale (POS) devices
- Hardware (or host) Security Modules (HSMs)
- Unattended Payment Terminals (UPTs)
- Non-PIN Entry modules
The PTS Program ensures terminals cannot be 1️⃣________ or 2️⃣__________ to allow the capture of 3️⃣_____________, nor allow access to 4️⃣_________ PINs or keys
1️⃣ manipulated 2️⃣ attacked 3️⃣ sensitive authentication data 4️⃣ clear-text
The 1️⃣________________ allows terminals to be approved for the secure encryption of cardholder data as part of the point-to-point encryption program
1️⃣ Secure Read and Exchange Module (SRED)
1️⃣_____ has been extended to allow non-PIN entry modules to be evaluated against the SRED module, allowing secure encryption at the point of interaction for non-chip-and-PIN cards
PTS
These requirements provide for secure PIN:
- Management
- Processing
- Transmission
Protection of personal identification number (PIN) data during online and offline payment card transaction processing at:
- ATMs
- Attended point-of-sale (POS) terminals
- Unattended point-of-sale (POS) terminals
The ______________ also provide guidance on key management and key handling associated with PINs
PCI PIN Security requirements
PCI PTS-POI and PCI DSS
💬PCI DSS requires that account data be protected both when stored and when transmitted across open, public networks
💬PCI PTS POI validates how POIs protect PIN and account data and manage cryptographic keys
💬PCI PTS POI approved devices may form part of a PCI DSS compliant environment
PCI PTS -PIN Security Standard and PCI DSS
💬PCI DSS prohibits storage of encrypted PIN blocks
💬No overlap
PCI Card Production and PCI DSS
💬No overlap
💬Procedures for assessing card production facilities are defined and managed by the payment brands, not by PCI SSC
PCI PTS-HSM and PCI DSS
💬PCI DSS requires that stored cardholder data be protected and cryptographic keys be managed in a secure manner
💬Use of a Hardware Security Module is not required by PCI DSS, but may help with handling and managing the keys used to protect stored cardholder data
To ensure information security professionals adhere to the highest standards of ethical and professional conduct
Code of Professional Responsibility
All PCI SSC Qualified individuals and all PCI SSC qualification candidates must agree to advocate, adhere to, and support the Code of Professional Responsibility, which includes:
- Professional Competence and Due Care
- Security and Confidentiality
- Integrity
- Compliance with Industry Laws and Standards
A PCIP qualification is valid for _________
3 years
Payment Card Industry Terminology
- Customer purchasing goods, either as a “Card Present” or “Card Not Present” transaction
- Receives the payment card and bills from the issuer
Cardholder
- Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa)
- Payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
Issuer
Organization accepting the payment card for payment during a purchase
Merchant
- Bank or entity the merchant uses to process their payment card transactions
- Receives authorization requests from the merchant and forwards them to the issuer for approval
- Provides authorization, clearing and settlement services to merchants
Acquirer
Acquirer is also called:
- Merchant Bank
- ISO (sometimes)
- Payment brand (Amex, Discover, JCB)
- Never Visa or MasterCard
Draw the diagram of Card Processing-Authorization steps
Draw the diagram of Card Processing-Clearing steps
Draw the diagram of Card Processing-Settlement steps
A business, other than a payment brand, that is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity
Service Providers
Sometimes a service provider is a _________
merchant
There are two options for third-party service providers to validate compliance:
- Undergo a PCI DSS assessment on their own and provide evidence to their customers demonstrating their compliance
or
- Have their services reviewed during the course of each of their customers’ PCI DSS assessments
It is important to understand where the service provider’s scope begins and ends for PCI DSS, for example:
- The service(s) included in the service provider’s PCI DSS validation.
- The PCI DSS requirements covered by the service provider’s PCI DSS validation.
- Any PCI DSS requirements related to the service which are the responsibility of the service provider’s customers to maintain.
- The date of the service provider’s last PCI DSS validation.
- The type and frequency of evidence provided by the service provider to their customers will depend on the agreement between those parties.
- Entities must monitor the PCI DSS compliance of their third-party service providers per PCI DSS Requirement 12.8 (Maintain and implement policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data)