

PCI Support Training

Windward Software Inc

What is the difference between PCI Compliance and PA-DSS Validation?

PA-DSS
  What it is: PA-DSS (Payment Application Data Security Standard) is the standard against which System Five has been tested, assessed, and validated.
  What it's for: PA-DSS validation is intended to ensure that System Five will help you achieve and maintain PCI compliance with respect to how System Five handles user accounts, passwords, encryption, and other payment-related data.

PCI DSS
  What it is: PCI DSS compliance is obtained by the merchant, and is an assessment of your actual server (or hosting) environment.
  What it's for: PCI DSS compliance is the responsibility of the merchant and their hosting provider, working together, using a PCI-compliant server architecture with proper hardware and software configurations and access control procedures.

The Payment Card Industry Security Standards Council (PCI SSC) publishes the security requirements for handling cardholder information as the PCI Data Security Standard (PCI DSS). The requirements defined in the DSS apply to all members, merchants, and service providers that store, process or transmit cardholder data.

The PCI DSS requirements apply to all system components within the payment application environment, which is defined as any network device, host, or application included in, or connected to, a network segment where cardholder data is stored, processed or transmitted.

The 12 Requirements of the PCI DSS

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Sensitive credit card data requires special handling

Keep in mind the following guidelines when dealing with sensitive credit card data:
  • Collect cardholder data only when needed to solve a specific problem.
  • Store such data only in specific, known locations with limited access.
  • Collect only the limited amount of data needed to solve a specific problem.
  • Encrypt cardholder data while stored.
  • Securely delete such data immediately after use.
  • Never collect or store sensitive authentication data (MSR track 2, PIN, CVV).

Sensitive authentication data: this data cannot be stored after authorization, even encrypted

  • Track 2 – the magnetic stripe data read from the card
  • CVV 1) (encoded on the magnetic stripe) or CVV2 2) (the 3- or 4-digit code printed on the card)
  • PIN and PIN block – the PIN, or the encrypted PIN block, from the PIN pad
  • Cardholder data 3) is a separate category: it may be stored, but only in the protected form described in the next section

Cardholder data that requires encryption

System Five encrypts this data with AES-256.

  • Credit card PAN 4) (primary account number)
  • Expiry date
  • Cardholder name
  • User passwords must also be rendered unreadable in storage (hashed or encrypted), never kept in clear text.
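The two preceding lists describe a check and a control that are easy to get wrong in practice: finding stray copies of track-2 data or PANs in places they must never be (logs, database dumps, support exports), and rendering a stored PAN unreadable while still being able to display a masked form. The following Go program is an added example written for this page; it is not System Five or Windward code and shows nothing about how System Five implements its AES-256 storage. It generalises the text slightly by adding a Luhn check so that order numbers and phone numbers that merely look like card numbers are not reported. The card numbers in `SampleText` are constructed payment-industry test numbers, the all-zero key in the usage note is for illustration only, and the masking rule (first six and last four digits) is the maximum PCI DSS permits for display.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

// LuhnValid reports whether a digit string passes the Luhn check that every PAN satisfies.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0') // callers pass digit-only strings
		if double {
			d = d*2/10 + d*2%10 // double the digit and sum its digits
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

var panPattern = regexp.MustCompile(`\b\d{13,19}\b`)                 // PAN candidates
var track2Pattern = regexp.MustCompile(`;(\d{13,19})=(\d{4})\d*\??`) // ";PAN=YYMM..." stripe layout

// ScanForCardData reports track-2 data (never storable) and Luhn-valid PANs found in a
// log, database dump or support export. Each entry is "kind masked-PAN"; the PAN is
// masked so the report itself does not become another copy of it.
func ScanForCardData(text string) []string {
	var out []string
	for _, m := range track2Pattern.FindAllStringSubmatch(text, -1) {
		out = append(out, "track2 "+MaskPAN(m[1]))
	}
	rest := track2Pattern.ReplaceAllString(text, " ") // do not report the track-2 PAN twice
	for _, m := range panPattern.FindAllString(rest, -1) {
		if LuhnValid(m) { // Luhn screens out order IDs that merely look like card numbers
			out = append(out, "pan "+MaskPAN(m))
		}
	}
	return out
}

// MaskPAN shows at most the first six and last four digits, the PCI DSS display limit.
func MaskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN renders a PAN unreadable with AES-256-GCM. The random nonce is prepended
// to the ciphertext, and GCM's authentication tag makes a modified blob fail on decryption.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; it fails on a wrong key or a tampered blob.
func DecryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SampleText is constructed for this example: payment-industry test numbers, not real cards.
const SampleText = "order 1001 swipe ;4111111111111111=2512101? fax 5555555555 " +
	"keyed pan 4012888888881881 ref 1234567890123"

func main() {
	fmt.Println(strings.Join(ScanForCardData(SampleText), "\n"))
}
```

Running it on `SampleText` reports the swiped track-2 record and the keyed PAN, both masked, and ignores the 13-digit reference number because it fails the Luhn check. `EncryptPAN` with a 32-byte key gives a blob that `DecryptPAN` rejects if any byte is changed; in a real deployment the key comes from a key-management process with restricted access, which is itself a PCI DSS requirement, not from the application's own configuration file.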

Set up Good Access Controls

PCI DSS requires that access to all systems in the payment processing environment be protected through the use of unique users and complex passwords. Unique user accounts means that every account is associated with an individual user and/or process, with no generic group accounts shared by more than one user or process. Additionally, any default accounts provided with operating systems, databases and/or devices should be removed, disabled or renamed where possible; at a minimum they must have PCI DSS compliant complex passwords and should not be used. Examples of default administrator accounts include "administrator" (Windows systems), "sa" (SQL Server/MSDE), and "root" (UNIX/Linux).

Password Requirements

PCI DSS requires the following password complexity for compliance (often referred to as using "strong passwords"). The rules apply to every user account, administrator accounts included:

  • Passwords must be at least 7 characters.
  • Passwords must include both numeric and alphabetic characters.
  • A new password cannot be the same as any of the last 4 passwords used.

PCI user account requirements beyond uniqueness and password complexity are listed below:

  • If an incorrect password is entered 6 times in a row, the account must be locked out.
  • The lockout must last at least 30 minutes, or until an administrator resets the account.
  • Sessions idle for more than 15 minutes must require re-entry of the username and password to reactivate the session.

Note: System Five can automatically log out all users after 5 minutes of inactivity.

Do not use group, shared or generic user accounts
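The account rules above (length and character mix, no reuse of the last four passwords, lockout after six failures for at least 30 minutes, re-authentication after 15 idle minutes) are easy to state and easy to implement subtly wrong, for instance by never clearing the failure counter or by comparing new passwords against clear-text history. The following Go code is an added example written for this page, not System Five's or Windward's implementation. It assumes a per-account random salt supplied by the caller, stores only salted SHA-256 hashes (chosen for brevity; a memory-hard password hash such as Argon2 or bcrypt is the better choice in production), and takes the current time as a parameter so the 30-minute lockout can be exercised without waiting. Clearing `lockedUntil` is the "administrator resets it" path.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

const (
	MinLength       = 7                // minimum password length
	HistoryDepth    = 4                // a new password may not match any of the last four
	MaxFailures     = 6                // consecutive failures before lockout
	LockoutDuration = 30 * time.Minute // minimum lockout period
	IdleTimeout     = 15 * time.Minute // idle sessions must re-authenticate
)

var (
	ErrLocked  = errors.New("account locked: wait or have an administrator reset it")
	ErrBadPass = errors.New("invalid password")
	ErrReuse   = errors.New("password matches one of the last four")
)

// Account holds one user's credential state; passwords are never kept in clear text.
type Account struct {
	Salt         []byte   // random, per account, supplied by the caller
	history      [][]byte // most recent hash first, at most HistoryDepth entries
	failures     int
	lockedUntil  time.Time
	lastActivity time.Time
}

func (a *Account) hash(pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, a.Salt...), pw...))
	return h[:]
}

// CheckComplexity enforces the PCI DSS minimum: 7+ characters with both letters and digits.
func CheckComplexity(pw string) error {
	hasLetter, hasDigit := false, false
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if len(pw) < MinLength || !hasLetter || !hasDigit {
		return errors.New("password needs at least 7 characters including letters and digits")
	}
	return nil
}

// SetPassword rejects weak or recently used passwords, then makes the new one current.
func (a *Account) SetPassword(pw string) error {
	if err := CheckComplexity(pw); err != nil {
		return err
	}
	h := a.hash(pw)
	for _, old := range a.history {
		if subtle.ConstantTimeCompare(h, old) == 1 {
			return ErrReuse
		}
	}
	a.history = append([][]byte{h}, a.history...)
	if len(a.history) > HistoryDepth {
		a.history = a.history[:HistoryDepth]
	}
	return nil
}

// Authenticate checks the password and applies the lockout rule against the supplied clock.
func (a *Account) Authenticate(pw string, now time.Time) error {
	if now.Before(a.lockedUntil) {
		return ErrLocked
	}
	if len(a.history) == 0 || subtle.ConstantTimeCompare(a.hash(pw), a.history[0]) != 1 {
		a.failures++
		if a.failures >= MaxFailures {
			a.lockedUntil, a.failures = now.Add(LockoutDuration), 0
		}
		return ErrBadPass
	}
	a.failures, a.lastActivity = 0, now // a successful login clears the failure count
	return nil
}

// Touch runs on every request; after 15 idle minutes the user must log in again.
func (a *Account) Touch(now time.Time) error {
	if now.Sub(a.lastActivity) > IdleTimeout {
		return errors.New("session idle too long: re-enter username and password")
	}
	a.lastActivity = now
	return nil
}

func main() {
	a := &Account{Salt: []byte("per-account-random-salt")} // constructed demo value
	fmt.Println(a.SetPassword("admin1"), a.SetPassword("Winter2024"), a.SetPassword("Winter2024"))
}
```

Two details matter for compliance review: the history keeps four hashes including the current one, so "not the same as the last four" is checked without ever holding old passwords in clear text, and a successful login resets the failure counter so that occasional typos across a day do not accumulate into a lockout.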
1) CVV - Card Verification Value (Visa and Discover payment cards)
2) CVV2 - Card Verification Value 2 (Visa payment cards)
3) Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
4) PAN: Acronym for "primary account number", also referred to as "account number". Unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
pci_compliance.1386263626.txt.gz · Last modified: 2013/12/05 09:13 (10 years ago) by cromo