PCI Frequently Asked Questions
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. This standard (commonly known as ‘PCI’) is a set of security standards that ensure the safe handling of payment card data. Created by the five major card companies (American Express, Discover, JCB, MasterCard and Visa) and also adopted by Rackspace, the standard comprises 12 distinct requirements that are designed to:
- Build and maintain a secure network
- Protect (cardholder) data in transit or at rest
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test our cloud infrastructure
- Maintain an information/cloud security policy.
Can Rackspace Cloud services be PCI DSS compliant?
No. Our cloud hosting service is considered a shared environment, which prevents it from being PCI DSS compliant. Cloud Servers or Cloud Sites may only be used as part of a backend system that does not store or interact with cardholder data. One of the requirements for PCI DSS compliance is that all cardholder payment and identifying information must be processed and stored on dedicated servers or be handled by a PCI DSS compliant third party service.
What are the PCI DSS requirements?
PCI DSS comprises 12 requirements. These define the need to:
- Install and maintain a firewall configuration to protect cardholder data
- Avoid vendor-supplied defaults of system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks, and internal infrastructure
- Use and regularly update antivirus software or programs - as applicable in the cloud
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with system access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes within the cloud
- Maintain a policy that addresses information security for employees and contractors who are assigned to the product or who work on applications and systems within the cloud
What are payment cards?
For PCI DSS purposes, “payment cards” encompasses all credit, debit and cash cards issued under the American Express, Discover, JCB, MasterCard or Visa brands.
What is payment card data?
Payment card data is information pertaining to credit/debit cards and their owner. This data is classified into two categories: Cardholder Data and Sensitive Authentication Data. PCI DSS imposes storage restrictions on the data elements that form part of these categories.
What is cardholder data?
Cardholder data refers to all information from a credit card or debit card that is used in a transaction. Commonly used elements of cardholder data include the Primary Account Number (PAN), Cardholder Name and Expiration Date displayed on the front of the card. All these elements, and more, are digitally stored on the magnetic stripe at the back of the card.
What is sensitive authentication data?
Sensitive Authentication Data is security-related information used to authenticate cardholders and authorize card transactions. Sensitive Authentication Data elements include magnetic stripe data and the Card Validation Code, the three- or four-digit security code found either on the front or on the back of a card (a.k.a. CVV, CVV2).
Which elements of the cardholder data can be stored?
The PCI DSS sets out which data elements can be stored and how they should be protected. We can store the PAN, Cardholder Name, and Expiration Date cardholder data elements as long as they are protected. Protection should take the form of encryption using a strong technique such as AES; alternatively, the PAN must be hashed or truncated. This protection is important since the PAN together with one of the other elements is the minimum data required in certain instances for effecting a payment.
Which elements of the sensitive authentication data can be stored?
None. You cannot store Sensitive Authentication Data elements at all, even if encrypted, subsequent to the authorization of a transaction.
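The two answers above (PAN may be stored only if hashed or truncated; sensitive authentication data may never be stored after authorization) can be enforced at the point where a post-authorization record is written. The following is an added example, not Rackspace code: it assumes constructed field names, uses a constructed HMAC key standing in for one held in a key-management system, and uses keyed SHA-256 as one strong hashing technique and the first-six/last-four rule as the truncation.

```python
import hashlib
import hmac

# Constructed sample key; in production it comes from a key-management system.
SAMPLE_HASH_KEY = b"example-key-not-for-production"

# Constructed field names for Sensitive Authentication Data; these must never be persisted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, to reject typos before a PAN is hashed or truncated."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 9 // 2 else d * 2
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the middle."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = SAMPLE_HASH_KEY) -> str:
    """Keyed one-way hash of the PAN (HMAC-SHA256) so records can be matched
    without the PAN itself being stored."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return only the parts of a post-authorization record that may be stored.
    Raises if the record still carries sensitive authentication data or a bad PAN."""
    present = SENSITIVE_AUTH_FIELDS & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = record["pan"].replace(" ", "")
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    # Name and expiry are storable elements; they still fall under the
    # encryption-at-rest protections described above, handled by the store itself.
    return {
        "pan_truncated": truncate_pan(pan),
        "pan_hash": hash_pan(pan),
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
    }
```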
Who must comply with the PCI DSS?
Any individual, team, department, or organization that stores, processes, and/or transmits cardholder data must be PCI DSS compliant—regardless of the size of the entity or the volume of transactions made. However, PCI DSS requirements do not apply only to electronic data. We are duty bound to dispose of printed material that contains payment card details and cardholder data in an appropriate way. In large environments where waste management is outsourced to subcontractors such as paper-shredding companies, the entities that request such services must make sure that their ‘service providers’ are PCI DSS compliant as well.
Is there a distinction between merchant types?
All merchants that accept payment card transactions are categorized into four distinct levels, as determined by their number of annual transactions:
- Level 1: Merchants with more than six million card transactions, and merchants whose cardholder data has been compromised
- Level 2: Merchants with between one million and six million card transactions
- Level 3: Merchants with between 20,000 and one million card transactions
- Level 4: All other merchants
These levels determine the validation processes that a merchant must undertake in order to achieve and maintain compliance.
Is there a distinction between the different types of service providers?
All service providers that process credit card transactions are categorized into the following three levels:
- Level 1: All payment processors and payment gateways
- Level 2: All service providers not in Level 1 but with more than one million credit card accounts or transactions
- Level 3: Service providers not in Level 1 with fewer than one million annual credit card accounts or transactions
These levels determine the validation processes that a service provider must undertake in order to achieve and maintain compliance.
What is a QSA?
Qualified security assessors (QSAs) are audit firms that provide professional security auditing services to corporations that need to demonstrate the results of their PCI DSS compliance efforts. For a list of QSAs, visit: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
What is an ASV?
An approved scan vendor (ASV) is a vendor that provides network vulnerability and security scanning services to businesses that want to achieve PCI DSS compliance. For a list of ASVs, visit: https://www.pcisecuritystandards.org/pdfs/asv_report.html
What is a self-assessment questionnaire?
A self-assessment questionnaire is a reporting requirement of PCI DSS compliance for merchants and service providers. It is completed in-house, without the need to contract third parties. You must fill in this security-related questionnaire, which queries the current and past state of network security.
What happens if I am not compliant?
Non-compliance with PCI DSS has consequences. You could face fines of up to $500,000 and expensive litigation costs. From an operational point of view, level 2, 3, or 4 merchants and service providers that suffer network security breaches can have their level escalated to level 1. This has an adverse impact on costs, since compliance at the level 1 tier is more demanding. In addition, non-compliance damages brand reputation and exposes corporations to extensive negative publicity that undermines consumer confidence.
What are the benefits of implementing PCI DSS?
PCI DSS is a binding collection of rules that promote information technology security processes. PCI DSS aims to reduce financial fraud through heightened network security capabilities of whoever processes payment card information. There are many benefits of PCI DSS compliance. The most fundamental ones for an organization are:
- Protection of customers’ personal data
- Increased customer confidence through a higher level of data security
- Increased protection against financial losses and remediation costs that arise from security breaches
- Maintain customer trust, and safeguard reputation
- Benchmark and assess the security mechanisms of systems that store, process and/or transmit payment cardholder data
How long does it take to move back to my original level after a breach that moved me to level 1?
Moving back from level 1 to your original level takes two years, with the first year allocated to fixing any procedural errors that enabled the security breach. The second year is a buffer period to ensure that no new security breaches have occurred.
Are there any online sources I can refer to?
- PCI Security Standards Council: https://www.pcisecuritystandards.org
- Supporting documents: https://www.pcisecuritystandards.org/tech/supporting_documents.htm
- PCI DSS FAQS and myths: http://www.pcicomplianceguide.org/pcifaqs.php
- PCI DSS queries: https://www.pcisecuritystandards.org/faq/
- Comprehensive list of PCI DSS resources: http://pcianswers.com/resources/
- GFI EventsManager and GFI LANguard checklists: http://www.gfi.com/security/pci.htm
© 2014 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License