PCI Compliance (PCI DSS) – Securing Both Merchant and Customer Data

This whitepaper details the Payment Card Industry – PCI compliance standard, and the security threats which brought about the need to standardize the protection of customer credit card data. The internet is now a trading universe where thousands of credit and debit card transactions are carried out every second. Worldwide e-commerce sales reached 1 trillion for the first time in 2012 and we can expect to see these continue to rise. In a 2014 marketing survey, 25% of those surveyed had made their most recent purchase online, double the number recorded in 2013.

Sensitive data is transmitted and stored online, which when stolen by cyber criminals, results in immense financial repercussions to both traders and consumers. PCI Compliance is a structured security checklist which aims to secure financial data and helps to distinguish the secure and reliable businesses from the risky ones.

1. What is PCI Compliance?

In recent years, highly publicised security breaches have led to the theft of millions of dollars and multiple sets of sensitive customer information such as credit card details and social security numbers. In 2004, the Payment Card Industry Data Security Standard (PCI DSS) was created in a joint effort by the major credit card companies American Express, Visa, MasterCard and Discover, with each one of the credit card companies having its separate standard detail. On the 30th June of 2005, the PCI DSS regulations were standardized and implemented and have since been maintained, providing a benchmark of data security measures.

Each credit card company created its own security policy as follows:

  • American Express: Data Security Operating Policy (DSOP)
  • Visa: Cardholder Information Security Program (CISP)
  • Discover: Discover Information Security and Compliance (DISC)
  • MasterCard: MasterCard Site Data Protection (SDP)

The PCI Compliance regulation is designed to be implemented by organizations which process transactions made through these credit or debit card types, and severe penalties may be imposed on businesses which suffer a security breach as a result of lack of compliance to the PCI standard. Visa, as an example, fines merchants, even those which have been certified as PCI compliant, between 50 and 90 USD per set of financial data stolen. Also, businesses which do not enforce the compliance correctly, or choose not to comply, may be denied the right to process card transactions altogether. Since the compliance regulations are subject to constant development and improvement, participating businesses are required to closely observe the changes in any requirements of the card systems which they process.

In September of 2006, the five major card brands (American Express, Discover, JCB, MasterCard and Visa) joined to create the PCI Security Standards Council (PCI SSC), which is an independent body established to monitor and develop the PCI standard. The announcement of the creation of this council also brought forward version 1.1 of the standard, which has now reached version 3.0. While the council manages the detailing and implementation of the regulatory standard, it is the card companies which dictate their separate requirement specifications, and the way they are implemented according to the size of the organization.

Each card brand is to administer its own requirements structure and impose its own penalties on businesses which fail to comply.

2. The Compliance Regulations

The PCI compliance specification describes a set of requirements which participating businesses must observe to ensure that correct measures are taken to secure all data, both internal and externally exposed.

Participating financial establishments must adhere to the following 6 categories of requirements

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for systems passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel

These 6 actions must be diligently carried out in the participating business system implementations and regular testing must be performed to ensure that the 12 standard requirements are all being met at any given moment. The ease with which merchants can achieve PCI compliance depends on the annual transaction quantities processed by the company, a stipulation defined by the individual card vendors. For example, VISA categorises merchants who require PCI compliance into 4 separate groups as follows:

Level 1:

  • Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2:

  • Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year

Level 3:

  • Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4:

  • Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year

*Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

*The above are taken from the VISA CISP documentation. It is important that merchants check the documentation relevant to their business, as there are small differences between the vendors.

3. Protecting the Consumer

Consumers who use credit/debit cards online to purchase products or services risk suffering financial losses when businesses process their transactions through systems which are not secure. The number of cases involving the theft of credit card details from the databases of exploited web applications is constantly on the rise. Most often, these details get sold on the black market for illicit transactions. The FBI were recently quoted as saying that 519 million financial records in the United States had been stolen in a 12 month period between 2013-2014.

The issue which gets less coverage than financial loss is the problem of identity theft. Identity theft is the act of using someone else’s personal details like name, address, social security number, or purchase history, without authorization, for fraudulent reasons. Some sources claim that as many as 15 million United States residents have their identities used fraudulently each year with financial losses totalling upwards of $50 billion. These victims usually have no idea about their details being maliciously used until debt collectors show up at their door, or until shocking bills are found in the mail.

The last year has been dubbed by some as ‘The Year of The Data Breach’ with the first half of 2014 showing a 21% rise in data security breaches over the same period last year. With such data breaches, and some of the website vulnerabilities which lead to them being under increasing media scrutiny, the pressure on traders to keep customer data safe is at an all time high. The PCI compliance standard aims to prevent financial data and identity theft from its source by ensuring the systems which process and store customer details and transaction information are secure. Web attacks and technological flaws in network and security will continue, which is why the PCI compliance standard is an ongoing process which must be maintained at all stages of the online business operation – from designing a system to implementing and maintaining it.

4. Compliance Certification

The PCI compliance is implemented in both the technological and administrative side of the business process. A solid guideline must be implemented when it comes to company employees handling customer data and processing transactions. Many systems are actually compromised from the inside, and on several occasions members of staff have been convicted of theft, or actions which led to data being illegally acquired. Businesses must also keep track of any changes made to the technical or business process, to ensure that each change is followed by the relevant security counter-measure designed to be successful in a security audit. Technical failures must be considered, and timely backups of all sensitive data must be performed. These backups must be encrypted and stored in specific areas which can only be accessed by authorized administrators or management.

5. Security Assessment Tools

The PCI Compliance specification is more than just a set of rules to which organizations must abide. It is also a guideline which provides a method to trace and secure all the potential security flaws which might be exploited. Detecting these potential exploits is made easier by using tools such as web vulnerability scanners and network scanners. Requirement 6.5 details a number of the most common vulnerabilities which must be addressed ‘Address common coding vulnerabilities in software-development processes’ while requirement 6.6 requires traders to ‘address new threats and vulnerabilities on an ongoing basis’. To support this, the Acunetix set of reports contain a report set up to present any risks of non-compliance, structured as per the PCI specification. Where a vulnerability is found, all requirements which would be breached as a result are listed in the report. See below screenshot.

PCI Compliance

A web vulnerability scanner is a software product which performs an in-depth assessment of a web application or web service. It detects all the security flaws which may be exploited by a hacker whose intention is to gain access to web servers, internal networks, and back-end databases. The web application is often overlooked when organizations allocate funds to purchasing high-spec intrusion detection systems, and network security systems. However a common mistake is to forget that if a website is made publicly available then it also provides an entry point which is open 24 hours a day. Web vulnerability scanners assist developers and security professionals such as penetration testers in identifying these possible entry points and securing the web application to prevent this from happening.

6. Updates made in 2016

In 2016, a number of changes and additions have been made with the introduction of version 3.2. The most noteworthy include the requirement to upgrade from SSL and early TLS encryption protocols, It’s been emphasised that neither of these may be used in new builds and that they ought to be phased out as soon as possible for security reasons. Further to this, the requirements now include the mandatory documenting of cryptographic architecture and also for the updating of all documentation whenever a significant change or addition to the system is made. Any test data must also be removed prior to an application entering production and proper change control processes must be implemented. The final significant change is the clarification of the authentication processes required of anyone using the cardholder data environment (i.e anywhere cardholder data can be accessed). They have updated this requirement to specify multi-factor authentication, meaning a minimum of two authentication methods are required. The full summary of all these changes can be found in our dedicated article on PCI DSS 3.2.

7. Summary and Conclusions

The objective for a business which operates online is to be able to provide the customer with the purchased goods or services in a reduced time-frame, and with greater efficiency. The internet is slowly but surely turning the idea of physical money into an abstract concept, which in theory sounds extremely practical, however the digitalization of funds and payment systems also exposes greater threats. Many people see it as a way of eliminating the need to guard their physical cash, however it is this same digitalization which puts people’s money and identities at greater risk.

Information about the risks associated with exchanging and transferring funds online can be researched and found in various publications and websites, however this information is not designed to intimidate but it is intended to create awareness among consumers and businesses. PCI compliant merchants can benefit from a standardized approach to secure their online systems, and also to prove their reliability to consumers.

Penetration testers, Chief Information Security Officers and auditors can all benefit from the use of Acunetix to identify vulnerabilities in web applications, and also guide them to resolving any potential exploits. It can also be used for network scans, checking perimeter servers for vulnerabilities. Acunetix can also be used to run regular scans between audits, quickly identifying any new vulnerabilities, allowing time to address any vulnerabilities identified, and saving the PCI audit costs.

Full PCI Compliance extends the capabilities of Acunetix WVS and OVS scanners to certification of secured web applications according to the specifications detailed by the Payment Card Industry security guideline.

References

The full PCI Compliance requirements v3.0 and other helpful documents can be found here on the PCI website https://www.pcisecuritystandards.org/security_standards/documents.php

Below are the links to the various card vendor documentation categorising merchant levels:

http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html
http://www.visaeurope.com/receiving-payments/security/merchants
https://www209.americanexpress.com/merchant/services/en_US/data-security
http://www.discovernetwork.com/merchants/data-security/determining-organizations.html