

- Apr 09, 2018 -



The Payment Card Industry Data Security Standard (PCI DSS) is a set of internationally consistent data security requirements formulated by the founding members of the PCI Security Standards Council (Visa, MasterCard, American Express, Discover Financial Services and JCB). In Chinese sources it is often referred to as the third-party payment industry data security standard.

PCI DSS sets requirements for every security aspect of organizations that handle payment card information, including security management, policies, procedures, network architecture and software design, so that transaction data is protected end to end. It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as any other entity that stores, processes or transmits cardholder data. PCI DSS consists of a baseline of requirements for protecting cardholder data and may be supplemented with additional controls to further reduce risk.



PCI DSS is organized into 6 goals and 12 requirements; the whole standard is built around them.

Several requirements introduced in PCI DSS 3.0 were considered best practices until June 30, 2015, after which they became mandatory.

PCI DSS Compliance Assessment

The main focus of PCI DSS is the protection of cardholder data. It specifies the controls needed wherever cardholder data is stored, processed or transmitted, on any platform. Yet many organizations still do not properly evaluate their mainframes for PCI DSS compliance.

Many QSAs, merchants and service providers take a confused approach to mainframe PCI DSS assessment. They either treat the mainframe as out of scope because it is assumed to be inherently secure, or, if it cannot be excluded because it is regarded as a glorified file server, they decide that every application environment on it is now in scope. [2]

Requirements summary

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Restrict access to cardholder data to those with a business need to know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel.

PCI DSS important aspects

The PCI DSS penetration testing guidance discusses requirements for testing authentication in the application environment, a frequently overlooked but very important part of a penetration test.

It also defines what counts as a "significant change" to a system, so that a follow-up penetration test is performed after code or related updates are made to any system in the cardholder data environment.

It addresses the credentials of the security professionals doing the work and the value of past experience; as in other fields, more experience is usually better. Vulnerability scanners, network analyzers and exploitation toolkits are also needed, and testers should know how to use them effectively.

Specific rules of engagement for penetration testing are also frequently overlooked and can cause problems during or after the test, for example how far an exploit should be taken and how sensitive data found during testing should be handled. It is welcome that the guidance addresses security controls that may block testing (WAFs, IPSs and the like): many people assume that if these stop the tester from finding or exploiting a flaw, all is well. On whitelisting the tester or disabling these active protection mechanisms, the guidance states that doing so helps ensure the service itself is properly configured and limits the risk of exploitation when the active protection system fails, is defeated in some way or is bypassed by an attacker.

The guidance also provides recommendations on social engineering, including phishing tests, to check whether the cardholder data environment can be compromised through that route.

The company should also retain evidence of the test details (including specific findings) so that it is available on request.

PCI DSS improves virtual environment security

When deploying a VMware virtualization environment, PCI DSS can be used as a guide for hardening the data security of the virtual machines.

As more and more personal information is stored on networks, unauthorized users increasingly try to access it. Suspicious activity or fraudulent charges linked to the loss of personal information can lead to the forced cancellation of a user's credit card, which is a great frustration. Beyond that, users whose personal information has leaked usually feel that their privacy has been violated.

How serious is the situation? The Bureau of Justice Statistics has published data on the disclosure of personal information, and the picture is worrying. The latest available data is for 2012: 7% of persons aged 16 or older experienced at least one incident of identity theft that year, with losses of approximately $24.7 billion. By contrast, the National Crime Victimization Survey reports that other property crimes caused losses of about $14 billion. These figures show that the security of systems storing private information still has unresolved gaps.

Recognizing the importance of protecting personal and financial data (especially credit and debit accounts), the Payment Card Industry Security Standards Council established the Data Security Standard (DSS); the version current when this was written was 3.1. The PCI Security Standards Council is an open forum responsible for the continued development of the standard; its founding members were American Express, Discover Financial Services, JCB International, MasterCard and Visa. Even if you have never heard of PCI DSS, its principles and guidelines affect almost everyone who pays by card. The Council places requirements on merchants, vendors and security consultancies to prevent personal information disclosure and credit card fraud.

For payment companies that meet the standard, the greatest benefit of PCI DSS is being able to give their customers the best available protection for their most valuable asset. A good reputation for security helps a company win a steady stream of business; a poor one, once formed, is hard to change.

PCI DSS is designed to help payment organizations implement best practices for securing sensitive data, especially the data types unique to the industry. Ignoring the standard simply because one's own organization does not handle payment data would be negligent: the criteria in PCI DSS have been adapted to virtualization technology and can be of great help to any company that wants to protect sensitive data.

Using PCI DSS and other industry-specific standards for compliance audits goes a long way toward ensuring that private information is protected by best practices. A secure information environment is critical to businesses, customers and employees.

PCI DSS eliminates weak links

Fortunately, PCI DSS can be used as one of the guidelines for using virtualization technology in business. For example, PCI DSS Requirement 2.2.1 states that each server, or each virtual system component where virtualization is used, should implement only one primary function.

The PCI DSS guidance explains the risks of a system that hosts several primary functions: the function with the lowest security level can expose the others to attack. The analogy of a chain that is only as strong as its weakest link captures the practical role of the rule. Running a web server and a critical database service in the same virtual machine, for example, is asking for trouble. The right approach is to follow the rule, place these functions on separate servers, and tailor the security level of each server to its function. The network connections between the servers must then be restricted so that a compromise of a lower-security function on one server cannot be used as a path into another. Deploying one server per function therefore means planning the servers, the related devices and the network connections as a whole.
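As an added example (not code from the original article or from the PCI SSC), the following Python script applies the two rules from this section to a constructed inventory: it flags any virtual system component that hosts more than one primary function (Requirement 2.2.1), and it flags any permitted firewall flow that lets a network zone reach a function it should not be able to reach. Host names, zones, ports and the policy tables are all assumptions made for the example.

```python
# Constructed inventory: each virtual system component, the primary functions it
# hosts, and the network zone it sits in. All names and zones are hypothetical.
INVENTORY = [
    {"name": "web-01", "functions": ["web"], "zone": "dmz"},
    {"name": "app-01", "functions": ["app"], "zone": "cde"},
    {"name": "db-01", "functions": ["database"], "zone": "cde"},
    # Web server and database on one VM: violates Requirement 2.2.1.
    {"name": "util-01", "functions": ["web", "database"], "zone": "cde"},
]

# Constructed firewall policy: permitted flows as (source_zone, destination_zone, port).
ALLOWED_FLOWS = {
    ("internet", "dmz", 443),
    ("dmz", "cde", 8443),
    ("internet", "cde", 3306),   # a hole: database port reachable from the internet
}

# Assumed policy: the port each function listens on, and which zones may reach it.
FUNCTION_PORTS = {"web": 443, "app": 8443, "database": 3306}
PERMITTED_SOURCES = {
    "web": {"internet", "dmz"},
    "app": {"dmz"},
    "database": {"cde"},
}


def find_multi_function_hosts(inventory):
    """Hosts that carry more than one primary function (Requirement 2.2.1)."""
    return [h["name"] for h in inventory if len(set(h["functions"])) > 1]


def find_exposed_flows(inventory, allowed_flows):
    """(host, function, source_zone) triples where a permitted flow reaches a
    function from a zone that the policy does not allow to reach it."""
    findings = []
    for host in inventory:
        for fn in host["functions"]:
            port = FUNCTION_PORTS[fn]
            for src, dst, dport in allowed_flows:
                if dst == host["zone"] and dport == port and src not in PERMITTED_SOURCES[fn]:
                    findings.append((host["name"], fn, src))
    return sorted(findings)


if __name__ == "__main__":
    for name in find_multi_function_hosts(INVENTORY):
        print(f"2.2.1 violation: {name} hosts more than one primary function")
    for name, fn, src in find_exposed_flows(INVENTORY, ALLOWED_FLOWS):
        print(f"segmentation gap: {fn} on {name} is reachable from zone {src}")
```

The two checks reinforce each other: util-01 is flagged once for mixing web and database roles, and again because the database it carries inherits the internet-facing hole that db-01 also suffers from. Removing the stray ("internet", "cde", 3306) rule clears the segmentation findings but not the 2.2.1 finding, which only the separation of functions can fix.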

These guidelines were carefully considered before release and can be used in any industry that needs to harden its systems. Virtualization improves hardware utilization, so following the rule no longer requires a dedicated physical server for every function, which makes the guideline far easier to apply. Adhering to it when planning server resources improves system security, and once the primary functions are separated it also makes security controls more flexible.

Security is an ever-changing concept that requires constant attention, and PCI DSS offers a good model: an industry-wide security standard that IT departments, customers and other fields can apply beyond the specific industry it was written for. Following the PCI DSS rule of separating primary functions across servers is a good idea that every company should adopt.