Payment Security. Part 1: PCI DSS Standard

    Any industry, as it develops, moves from creative freedom to some form of regulation imposed by the state or by non-governmental organizations. The goal of regulation is usually to protect interests that conflict with profit-making and that, for this reason, are of no concern to the business itself.

    The payment industry is no exception. The interest of the business lies in giving customers the quickest and most comfortable way to pay trade and service enterprises, and in providing related services to all market participants. Unfortunately, convenient one-click payment on a store's website can lead to unpleasant consequences for the bank card holder if one of the participants in the payment chain (a store, a bank or a processing center) has not taken the necessary security measures when processing the data. Frankly, the safety of the money on customers' cards, although a matter of reputation for the business, brings it no direct benefit. So state regulators and international communities come into play and set protection requirements.

    Over the past few years a number of regulatory documents on payment security have appeared, and judging by the activity of regulators, more will follow. Currently the most relevant international standards in Russia are PCI DSS and PA-DSS, as well as Federal Law No. 161-ФЗ On the National Payment System and the related by-laws in the field of security. These are the documents that Russian companies which have decided to tie their business to cashless payments mainly have to deal with. Let's consider them in order.

    The Payment Card Industry Data Security Standard (PCI DSS) came to us from the West and historically became the first popular set of payment security requirements. The standard was developed by the community of international payment systems Visa, MasterCard, American Express, JCB and Discover, which created a regulatory body to maintain it: the PCI SSC Council.

    The standard applies to every organization that stores, processes or transmits in its information systems the numbers of payment cards issued under the brand of any of the above international payment systems. That is, its requirements apply to ordinary and online stores, banks, payment gateways, processing centers and other related structures. According to the regulator's ideology, all organizations involved in one way or another in processing a payment transaction are divided into two categories: merchants and service providers. The first category includes everyone who sells goods or services and accepts bank cards as payment from customers: shops, restaurants, hotels, gas stations and parking lots. The second - all those who provide the payment process - banks,

    The PCI DSS standard contains a list of fairly specific technical and organizational requirements for ensuring the information security of card data, divided into 12 sections. The requirements are organized like a checklist: you move from one requirement to the next and mark each one "completed" or "failed". This approach has its drawbacks, and information security professionals periodically criticize the standard for its inflexibility and the absence of a risk-based approach. In defense of PCI DSS, however, it is worth saying that the standard is designed for mass implementation by trade and service enterprises, which rarely have information security specialists able to manage risks professionally in the style of ISO 27001.

    The requirements of the standard are focused on ensuring the security of the information infrastructure at every level. Protected rooms host correctly configured network devices and servers, which run securely developed applications and databases. Protection stays current through continuous monitoring and regular audits. Trained personnel administer the information systems in accordance with established procedures. This is what information security looks like in practice from the point of view of the international payment systems.

    An organization must confirm its compliance with the PCI DSS standard annually, and there are several ways to do so: filling out a SAQ self-assessment questionnaire, performing an internal ISA audit, or passing an external QSA audit. Which way to choose? The answer is not as obvious as it might seem at first glance. First you need to recall which of the two main types the organization belongs to: a trade and service company (merchant) or a service provider.

    If we are talking about a service provider, the figure to remember is 300,000. This is the boundary between the first and second levels (Level 1 and Level 2) set by both Visa and MasterCard for service providers. If the annual number of transactions or the total number of card numbers stored in the database exceeds 300,000, the organization is Level 1 and must engage an audit company with PCI QSA status for an external QSA audit. If the number of transactions is lower, it is enough to fill out a SAQ type D self-assessment questionnaire and submit it to the servicing acquiring bank. We will talk about the types of self-assessment questionnaires later.

    If the organization is a trade and service company, there are as many as four levels. But for simplicity, again, you need to remember only one figure: one million. If a store processes more than one million transactions per year, it belongs to the first or second level and must undergo an external QSA or internal ISA audit annually. If the annual total number of transactions is less than one million, it is the third or fourth level, and for these it is enough to fill out a SAQ self-assessment questionnaire, the type of which is selected according to how cards are processed. The determining criterion here is whether card numbers are stored in the store's information systems. If the store stores card data, it is SAQ D. If it only passes card data through its systems and does not store it, it is SAQ C. If it transfers data to the service provider exclusively by telephone line, it is SAQ B.

    It must be remembered that the level definitions for trade and service enterprises and service providers are given by the international payment systems only for general orientation. The most important rule is that responsibility for a service provider's or store's compliance with PCI DSS requirements lies primarily with its servicing acquirer bank, and only the acquirer bank has the right to determine unambiguously how the organization must confirm compliance.

    (to be continued)

    Table. PCI DSS Compliance Options

    Verification procedure: who it applies to

    SAQ A: Trade and service enterprises conducting e-commerce transactions that have outsourced all electronic processing, storage and transmission of card data to a service provider that has confirmed PCI DSS compliance.

    SAQ B: Trade and service enterprises using POS terminals over a telephone line, not transmitting card data via the Internet, and having no electronic storage of card data.

    SAQ C: Trade and service enterprises using POS terminals or payment applications that transmit card data via the Internet and having no electronic storage of card data.

    SAQ C-VT: Merchants using virtual web terminals via the Internet from a service provider that has confirmed PCI DSS compliance and having no electronic storage of card data.

    SAQ D: All trade and service enterprises and all service providers, except those for which the payment system or acquiring bank requires an ISA or QSA audit.

    ISA audit: All trade and service enterprises, except those for which the payment system or acquiring bank requires a QSA audit.

    QSA audit: All trade and service enterprises and all service providers.