Payment Card Industry Data Security Standard

From The Secure Arc Wiki


The following high-level outline gives a good idea of what the PCI standard covers. Each requirement of the standard is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.


Requirements Outline

  • Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security

Information Assets

The PCI standard lists a number of Information Assets and dictates what transmission, storage and protection is required for each of them. These will map directly into the Regulatory Requirements portion of the Information Asset Classification.

Note: If we can get permission to reproduce that table, we'll provide that classification here.

An example of non-compliance is the TJX data breach, in which 96 million customer records were stolen. TJX failed to notice thieves moving 80 GBytes of data across its network. The cost of this breach to TJX is said to exceed US $256 million.


Here are Visa’s new merchant level definitions:

  • Level 1 includes any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year; any merchant who has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system; and any merchant identified by any other payment card brand as Level 1.
  • Level 2 includes any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year. (This new definition expands the number of Level 2 merchants to include former Level 4 merchants.)
  • Level 3 includes any merchant processing 20,000 to 1 million Visa e-commerce transactions per year. (This new definition expands Level 3 to include former Level 2 merchants who process fewer than 1 million e-commerce transactions per year.)
  • Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year. (This new definition reduces the number of Level 4 merchants.)

Higher-level merchants can be fined for non-compliance even if there has been no actual breach. The card associations fine the merchant bank, which in turn passes the fine on to the merchant.

The consequences of non-compliance can be severe. Visa fined TJ Maxx $880,000 (£447,000) for its well-publicised breach in Jan 2007. The penalty for Level 1 merchant non-compliance is $25,000 per month. There are no standardised penalties across all the payment brands, and the PCI Council says it has no plans to create any.

Licensing and Documentation

The license associated with the PCI standard does not permit public distribution or reproduction; however, it can be downloaded for personal or internal use directly from the PCI Security Standards website.

While the high-level outline is also freely available on the PCI Security Standards site, for licensing reasons we have taken the outline provided above from Wikipedia instead.

Version 1.2 of the PCI standard was released in October 2008. From January 1st 2009, version 1.2 is in effect. A summary of changes between v1.1 and v1.2 can be found in the following document.

