
Meeting PCI DSS Merchant Requirements with a WatchGuard Firebox

WatchGuard Technologies
Published: Feb 14, 2008
Length: 10
Type: White Paper
Overview:

To help prevent the loss of credit card information and individual account data, the Payment Card Industry created the Data Security Standard (PCI DSS) as a framework for good security practice when handling cardholder data. PCI DSS defines the requirements for how access to the operating system containing cardholder data must be controlled, monitored, logged, and audited.

Download this white paper to find out how the strong segregation capability available with the application proxy technology of the WatchGuard® Firebox® X family of UTM appliances is ideally suited to meeting these standards. Use the handy tables included at the end of the white paper to track the specific PCI DSS requirements met with a Firebox X deployment.

Related categories: Compliance, Data Protection, Network Security, PCI Compliance, Security Policies
The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to create a framework for good security practice around the handling of cardholder data. A PCI-compliant operating environment is the environment in which the cardholder data exists (i.e., it does NOT refer to the whole corporate network), and PCI DSS defines the requirements for how access to this data must be controlled, monitored, logged, and audited.

The objective of this white paper is to discuss those aspects of the PCI DSS standard that have an impact on a firewall deployment for a PCI DSS merchant. Tables are provided that describe each PCI DSS requirement and how the WatchGuard Firebox family of appliances meets it. The steps required for a company to achieve PCI DSS compliance vary based on that company's architecture; it is not possible to identify a single, "generic" network solution and Firebox configuration for achieving PCI DSS compliance.

Each company's intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data. In 2004, the credit card companies came together and the Payment Card Industry Security Standards Council was formed, and by mid-December they had aligned their individual policies and created the Payment Card Industry Data Security Standard (PCI DSS). In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.4

The goal of PCI DSS is to create a framework for good security practice around the handling of cardholder data. It does not define the security requirements for your whole IT infrastructure!

PCI DSS applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process, or transmit credit/debit card data. Any company involved in processing, storing, or transmitting credit card numbers must be compliant with the standard or risk losing the ability to process credit card payments, as well as risk being fined for violations up to $100,000 per incident. It is not enough to simply make a statement confirming compliance; merchants and financial institutions must have their compliance status validated by outside vendors that are certified PCI DSS Qualified Security Assessors (QSAs).

For PCI DSS, merchants are defined as any company that accepts credit or debit cards in exchange for goods or services. Merchants are categorized into one of four levels, based on transaction volume. The higher the transaction volume a company has, the greater the impact of a security breach is likely to be, warranting tighter security requirements. As a result, the higher the credit card transaction volume a merchant organization has, the more stringent the requirements are for achieving PCI DSS compliance.

For Level 1 merchant organizations, compliance consists of completing a self-assessment questionnaire, while compliance for Level 2 and 3 merchants consists of passing a network security scan by an Approved Scanning Vendor (ASV), in addition to completing a self-assessment questionnaire. For Level 4 merchant organizations, certification of PCI DSS compliance can only be granted by a certified vendor known as a Qualified Security Assessor (QSA). For all merchant levels the validation process must be repeated annually.

ALL of the deadlines for meeting PCI DSS have passed, which means that ANY merchant that does not comply with the standard is at risk of being fined. Visa USA has announced that it will start fining banks that process merchant transactions (which will pass the costs on to the merchant) between $5,000 and $25,000 per month if their Level 1 or 2 merchants have not demonstrated compliance. In addition, fines of $10,000 per month may already be assessed today for prohibited data storage by a Level 1 or Level 2 merchant.

Companies that are not yet compliant will be fined up to $500,000 by the card brand companies if compromised, not including any civil liabilities (which typically dwarf this amount). Any company still in business and needing to continue processing transactions after such a compromise will automatically "restart" at Level 1 status, making future achievement of compliance significantly more expensive.