Understanding PCI Compliance in 4 Easy Steps

After yet another discussion about PCI Compliance, and the issues surrounding it, with yet another client who had little knowledge of the subject, I decided to break compliance down in a clear, direct manner. I hope this helps.

As mentioned in my previous post, the PCI Security Standards Council was founded by 5 major card brands: Visa, MasterCard, JCB, Discover and American Express, and it was based on their separate existing programs. The PCI SSC was founded to develop the standards by which everyone would measure how securely they keep credit card holder data. Cardholder Data (CHD), as it is known in the industry, consists not only of the credit card number but also the magnetic stripe data held on the card and the security code on the back of the card.

Part One: Determine Your Organization’s Role 

The first part is to understand your organization’s role within PCI. Since most organizations can become members of the PCI SSC, they can participate in developing the standards by which compliance is measured.

The Credit Card Brands determine the requirements for compliance under their own individual programs. Currently merchants are divided into 4 groups, Levels 1-4. However, each of the Credit Card Brands uses different thresholds to determine which of those levels a merchant or service provider falls within. All service providers and merchants should read over the individual Credit Card Brand programs to understand which level they fall under.

Acquiring Banks are tasked with ensuring that their merchants comply with the credit card brand program requirements. How strictly they enforce this varies from bank to bank, and some banks impose requirements stricter than the brands’ own.

Service Providers fall in the same area as merchants, as both must be compliant. Service Providers offer services to merchants that involve collecting, storing, processing, or transmitting cardholder data.

Merchants are those organizations offering goods and services for cash or credit. They hold merchant accounts at Acquiring Banks. When a data breach occurs, the merchant is the first one held responsible.

Part Two: Determine Your Organization’s Scope

If your organization stores, processes and/or transmits cardholder data on any of its computers, equipment or people, your organization is within scope. Just because card data is not processed on a computer does not mean it is out of scope. If a person writes down a card number, that process falls within PCI Compliance and requires training and policies to be in place for handling that data. Writing a card number on a piece of paper constitutes storage.

Some organizations would argue that they are not storing any data in a database, just passing the data forward to a payment gateway. However, if the data passes through a computer program, it is exposed. The reason is that error and debug log files are prone to saving that data into a flat file, which is a target for attackers. If the software handles cardholder data, it’s in scope.

Many of the companies working towards compliance focus first on narrowing the scope by isolating the networks that handle cardholder data from other networks. They also limit the number of people allowed to handle cardholder data.

Part Three: Separating Development Roles Between People

This part of developing a PCI compliant environment isn’t mentioned much around the internet, but it’s still important. It’s also why a single web developer will not be developing PCI compliant ecommerce websites: the development requirements for networks and software call for multiple people. The person who develops the software must work on a development network, while the testers and the deployment developers must also use separate networks and machines. The key is to have different people double-checking each other’s work.

Part Four: Ongoing Monitoring

Once everything is done, people tend to assume they are compliant and do not have to do anything else. This is not the case. PCI Compliance is an ongoing process requiring monitoring and fixing of systems as soon as a problem occurs. It requires servers to be patched on a timely basis and software to be continually tested and upgraded as needed. The consequences are harsh. If a company is out of compliance at the time of a breach, fines, forensic costs and legal fees run into the tens of thousands of dollars monthly. Compliance is an ongoing process, not a once-a-year event.

I hope this brief overview helps everyone out. It’s a start towards understanding your responsibilities under PCI Compliance.

About the Author

Desirea Herrera is a web development geek who does web design and specializes in technical training of web development through webinars. A twelve-year veteran of the field with vast experience, Desirea has forgotten more about web design and development than most people will ever know. You can find out more about Desirea and her projects at Inphotek.