
The number of operations carried out with payment cards is growing rapidly: online payments, cashless payments at merchants, account operations in online banking systems and other payment applications offered by service providers. The infrastructure in which cardholder data and sensitive authentication data circulate is expanding accordingly. If this information, or any part of it, falls into the hands of an attacker, the financial losses are borne by both the issuing banks and the end users.
As the systems that process cardholder data grow in scale, so does the room for fraud. In the context of the problem considered here, the most common attacks aimed at the user are still data theft by malicious software and theft of information through fake web resources imitating the merchant (phishing). Attacks aimed at the merchant itself are in most cases carried out by employees of the affected company (insiders). Whereas the first class of attack can be countered by educating users and installing appropriate client-side software, the second requires a combined organizational and technical approach to protecting the processes of the system in which payment card data is stored, processed and transmitted.
The Payment Card Industry Security Standards Council (PCI SSC) [1], founded by the leading international payment systems (Visa, MasterCard, American Express, Discover, JCB), has developed a set of documents containing a security policy for cardholder data: the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS standard places fairly stringent security requirements on the components of the infrastructure in which payment card data is transmitted, processed or stored. Checking the payment infrastructure against these requirements makes it possible to identify the causes that significantly reduce its level of security. Moreover, a well-designed audit procedure structures the information obtained during the compliance assessment and turns it into prioritized recommendations for improving information security. The company that ordered the compliance assessment therefore receives not only the most complete possible picture of the security of its payment infrastructure, in the form of a formal report with comments on every requirement, but also an action plan: the set of basic steps to be taken to remediate the findings. Penetration tests, which are among the mandatory measures prescribed by PCI DSS, demonstrate the real level of protection of the company's information resources from the position of an attacker outside the perimeter under investigation and from the position of an internal employee of the company.
The international payment systems (IPS) oblige all banks, merchants, processors and other companies doing business with payment cards to comply with the requirements of PCI DSS. Where the IPS have not yet applied penalties for non-compliance, this is a transitional measure that gives merchants and service providers time to adapt their infrastructure and business processes. It follows that a PCI DSS compliance check should not be treated merely as a formal procedure for obtaining a certificate of compliance.
A consulting company that offers a PCI DSS compliance verification service should have at its disposal an audit methodology for the standard that allows the security posture of the infrastructure under study to be assessed. In the context of the PCI DSS requirements, the methodology makes it possible, within a bounded period of time, to identify the main components of the system under study and to structure the results accordingly. The consultant's task is thus to ensure the security of cardholder data and, as a consequence, to help the client company achieve compliance with the requirements of PCI DSS.
Definitions
ASV (Approved Scanning Vendor): a provider of vulnerability scanning services that holds official status from the PCI Security Standards Council (PCI SSC).
On-site audit: an audit of the Customer's infrastructure conducted by an auditor directly on the actually operating components.
QSA (Qualified Security Assessor): a company whose employees have individually passed the training and examinations conducted by the PCI SSC.
Auditor (consultant): a person engaged in auditing against PCI DSS (checking compliance with the requirements of the standard) and in consulting related to PCI DSS compliance assessment.
Customer: a legal entity interested in having the contractor perform a PCI DSS compliance check.
Acquirer: a member of a bank card payment system that establishes and maintains relationships with merchants accepting payment cards. [2]
PCI DSS standard
General Information about the PCI DSS standard
The Payment Card Industry Data Security Standard is a set of 12 detailed requirements for securing cardholder data that is transmitted, stored and processed in the information infrastructure of merchants, service providers and other organizations. Taking the measures needed to comply with the standard implies an integrated approach to the information security of payment card data.
Composition [3] and description of the official supporting documents of the PCI DSS standard:
1) Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures, version 2.0. The document describes in detail the 12 requirements of the standard, the scope of their applicability, basic information on preparing for and conducting a compliance audit, and guidance on writing the reporting materials. It was developed primarily for auditors conducting on-site compliance audits.
2) Glossary, version 2.0 (Glossary v2.0). A list of the terms and abbreviations used in the PCI DSS documentation. It is intended to explain the terms used in the other supporting documents and is therefore recommended reading for the Customer.
3) Navigating the PCI DSS, version 2.0. Describes the 12 requirements of the standard with an explanation of their intent, in order to improve understanding of the standard by merchants, service providers and other financial institutions.
4) Prioritized Approach for PCI DSS, version 1.2. Rules of work for reducing risk in the early stages of the compliance effort. The prioritized approach consists of six milestones which, taken in order of priority, help distribute the compliance effort and reduce the risk of payment card data being compromised while the requirements are being implemented. The approach does not replace the requirements of PCI DSS v2.0.
5) PCI DSS Validation Requirements for Qualified Security Assessors. An appendix containing the requirements that the PCI SSC imposes on security experts who are seeking or already hold Qualified Security Assessor (QSA) status.
6) PCI DSS Validation Requirements for Approved Scanning Vendors. An appendix containing the requirements that the PCI SSC imposes on organizations that are seeking or already hold Approved Scanning Vendor (ASV) status.
7) PCI DSS Self-Assessment Questionnaire, version 2.0 (SAQ v2.0). The self-assessment questionnaires are designed to organize self-assessment of compliance by merchants and service providers, and serve as a means of validating an organization's compliance with PCI DSS in accordance with the document "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures v2.0". There are several variants of the questionnaire, each used in a different case.
8) PCI DSS Attestation of Compliance - Merchants, version 2.0. A document template completed by the QSA or by the merchant (when the merchant performs the assessment internally); once completed, it is the official document attesting the organization's compliance with PCI DSS.
9) PCI DSS Attestation of Compliance - Service Providers, version 2.0. A document template that the QSA and the service provider complete as the official document attesting the service provider's compliance with PCI DSS.
Additional documentation:
1) Additional Documents - ASV. The documentation set for Approved Scanning Vendors (ASV): the ASV Program Guide, the ASV requirements list and the ASV status compliance check.
2) Additional Documents - QSA. The documentation set for Qualified Security Assessors (QSA): the QSA agreement and the QSA requirements list.
3) Additional Documents - PFI. The documentation set for PCI Forensic Investigators (PFI): the PFI program guide, the PFI requirements list and the PFI status compliance check. The PFI status was introduced by the PCI SSC together with version 2.0 of the PCI DSS standard.
4) Requirement 11.3 Penetration Testing. A detailed description of PCI DSS requirement 11.3 on penetration testing.
5) Requirement 6.6 Application Reviews and Web Application Firewalls Clarified. A clarification of PCI DSS requirement 6.6 on securing web applications.
6) Wireless Guidelines, version 1.2. Suggestions and recommendations for deploying and testing wireless networks in the context of the PCI DSS requirements.
The developer of the standard pays no attention to how its documentation base is structured. The consultant must therefore work out the relationships between the official documents in order to build a methodological basis for the audit. Figure 1 shows a diagram of the hierarchy of official PCI DSS documents.
Figure 1 - Hierarchy of official PCI DSS documents
Key data security requirements
The key requirements for protecting cardholder data are formulated in the document "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures v2.0" and grouped so as to simplify the security audit procedure. Below is the list of the 12 requirements on which PCI DSS is built, grouped by type of audit procedure, with a brief analysis of each group. [4]
1) Requirement 1. "Install and maintain a firewall configuration to protect cardholder data."
2) Requirement 2. "Do not use vendor-supplied defaults for system passwords and other security parameters."
The first group is called "Build and maintain a secure network" (requirements 1 and 2). The first requirement makes clear how important segmentation of the target infrastructure is and with what means that segmentation is built. The firewall is the foundation of security: a properly designed traffic flow brings order to the infrastructure as a whole. In the latest version of the standard, however, the wording of the first requirement is somewhat relaxed, and filtering and blocking of traffic is no longer implied to be the function of a firewall alone.
Besides blocking and filtering network traffic on the main system components (which, in the terminology of the supporting documents, means servers in the network under study), requirement 1 contains clause 1.4, which calls for personal firewall software on employees' computers (mobile and employee-owned machines with direct Internet connectivity), configured so that the user cannot alter it; this is the procedure that is hardest for the organization's administrators to control. The second requirement reminds network administrators of the obligation to change vendor-supplied default settings.
3) Requirement 3. "Protect stored cardholder data."
4) Requirement 4. "Encrypt transmission of cardholder data across open, public networks."
The group "Protect cardholder data" (requirements 3 and 4) covers the methods of protecting critical data (encryption, key management policy and so on) and their area of application, while the protection methods described in the other requirements are positioned as means of reducing the risk of compromise. This group of requirements describes the policy and life cycle of cryptographic keys. Because storing cardholder data in encrypted form rules out its misuse by an attacker even if he has somehow overcome the other lines of defense, the items in this group are worded rather rigidly, which leaves them unambiguous for both the auditor and the audited party. A useful technique for stored cardholder data that qualifies as personal data (information relating to a specific individual) is "depersonalization": deleting, or storing separately, fragments of the data that on their own cannot uniquely identify the cardholder. (Requirement 3.4 admits truncation and index tokens, alongside one-way hashing and strong cryptography, as ways of rendering the PAN unreadable wherever it is stored.)
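As an added illustration of what this group's storage rules mean in practice (example code written for this page, not part of the standard or of any vendor's tooling), the following Python script performs the kind of card-data discovery that an auditor or the Customer's own team runs over log files and database exports when checking requirement 3: it finds PAN candidates by Luhn checksum, reports them masked to the first six and last four digits as requirement 3.3 allows, and flags two kinds of sensitive authentication data that must never be stored, even encrypted (card verification codes and full track 2 data). The sample records and the field names (pan=, cvv2=, track2=) are constructed for the example; the card numbers are the publicly known Visa and MasterCard test numbers, not real accounts.

```python
"""Card-data discovery check for PCI DSS requirement 3 (added example).

Scans text records (log lines, database exports, config dumps) for:
  * primary account numbers (PAN): 13-19 digit runs that pass the Luhn
    check, reported masked as allowed by PCI DSS 3.3 (first six / last four);
  * sensitive authentication data (SAD) that must never be stored, even
    encrypted: card verification codes (CVV2/CVC2/CID) and full track 2 data.
"""
import re

# Constructed sample records; field names are assumptions for this example.
# PANs are the well-known Visa/MasterCard test numbers (Luhn-valid).
SAMPLE_RECORDS = [
    'order=1001 pan=4111111111111111 exp=12/25 cvv2=123 amount=19.99',
    'order=1002 pan=5555555555554444 exp=01/26 amount=4.50',
    'order=1003 pan=411111111111111 amount=9.00',  # 15 digits, fails Luhn
    'order=1004 track2=;4111111111111111=25121011234567890? amount=1.00',
    'order=1005 note="call ref 20250114123456789"',  # 17 digits, not a PAN
]

# Candidate PAN: 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r'(?<!\d)\d{13,19}(?!\d)')
# Card verification code written as a named field (assumed field names).
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b', re.IGNORECASE)
# Track 2 layout: PAN, '=' separator, YYMM expiry, service code, discretionary data.
TRACK2_RE = re.compile(r';?\d{13,19}=\d{7,}\??')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Luhn-valid PAN candidates in `text`, unmasked (for internal use only)."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def audit_record(record: str) -> dict:
    """Classify one record: masked PANs found and SAD violations found."""
    sad = []
    if CVV_RE.search(record):
        sad.append('card verification code stored')
    if TRACK2_RE.search(record):
        sad.append('track 2 data stored')
    return {'pans': [mask_pan(p) for p in find_pans(record)], 'sad': sad}


def audit_records(records) -> list:
    """Records containing cardholder data; any SAD finding is a hard failure."""
    findings = []
    for line_no, rec in enumerate(records, 1):
        result = audit_record(rec)
        if result['pans'] or result['sad']:
            findings.append({'line': line_no, **result})
    return findings


if __name__ == '__main__':
    for finding in audit_records(SAMPLE_RECORDS):
        print(finding)
```

Run as a script it prints one finding per record that carries card data. A non-empty `sad` list for any record is a hard failure regardless of encryption, whereas masked PANs only tell you how far the cardholder data environment extends, which is exactly the input the scoping discussion later in this article needs. The Luhn filter is what keeps order numbers, timestamps and discretionary track data from being reported as card numbers.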
5) Requirement 5. "Use and regularly update anti-virus software or programs."
6) Requirement 6. "Develop and maintain secure systems and applications."
The group combining requirements 5 and 6 is called "Maintain a vulnerability management program". Vulnerability management here means the timely installation of current updates, anti-virus updates included, and the development, maintenance and use of secure applications, web applications included.
7) Requirement 7. "Restrict access to cardholder data by business need to know."
8) Requirement 8. "Assign a unique ID to each person with computer access."
9) Requirement 9. "Restrict physical access to cardholder data."
Requirements 7, 8 and 9 form the group "Implement strong access control measures". They are organizational and technical in nature and protect information through organizational security measures together with physical access control and monitoring mechanisms.
10) Requirement 10. "Track and monitor all access to network resources and cardholder data."
11) Requirement 11. "Regularly test security systems and processes."
The group "Regularly monitor and test networks" (requirements 10 and 11) deserves the auditor's particular attention. Not every merchant can afford to maintain an internal information security department and to carry out preventive penetration tests and security process monitoring on its own. The need to perform these procedures systematically has created a market of services in the form of internal and external penetration tests and infrastructure vulnerability scanning from a wide range of suppliers. When assessing PCI DSS compliance, the auditor should review the results of the latest preventive penetration test and ASV scan (clauses 11.2, quarterly vulnerability scanning, and 11.3, annual penetration testing) and make sure that all identified vulnerabilities have been remediated. Since these results may come from penetration testing and vulnerability scanning services delivered by a third organization, the auditor's conclusion rests on trust in the data that third party obtained while delivering the service.
12) Requirement 12. "Maintain a policy that addresses information security for all personnel."
Requirement 12 is, by the scale of its implementation, one of the hardest to adapt to the Customer's infrastructure. Clause 12.1.1 requires a policy that addresses all of the PCI DSS requirements. Merchants and service providers being certified must develop their own security policy or revise the current one in line with the requirements of the standard.
Visa and MasterCard security programs
The PCI DSS standard was developed by the leading international payment systems and combines the requirements of the Visa and MasterCard security programs.
Visa AIS program
The Account Information Security (AIS) program was developed by Visa Europe (the counterpart of the US Visa program, the Cardholder Information Security Program, CISP) to help merchants and service providers improve the protection of Visa cardholder transaction information.
The Visa AIS requirements that an organization must meet depend on the annual volume of Visa transactions it stores, processes and transmits. On the basis of this volume the acquirer assigns a level to the merchant or service provider. Below is the list of program requirements for merchants and service providers.
Requirements for merchants:
1) an annual on-site audit of compliance with PCI DSS (any merchant processing more than 6 million Visa transactions per year, or an international merchant assigned Visa Level 1 in another region or country);
2) annual completion of the Self-Assessment Questionnaire (SAQ) (merchants processing from 1 million to 6 million Visa transactions per year across all payment channels, or merchants processing from 20,000 to 1 million Visa e-commerce transactions per year);
3) a quarterly network scan by an Approved Scanning Vendor (ASV);
4) an attestation of compliance (for merchants of all levels);
5) compliance validation at the acquirer's discretion (merchants processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year).
Visa requirements for service providers:
1) an annual on-site audit of compliance with PCI DSS;
2) annual completion of the SAQ (any service provider processing fewer than 300,000 Visa transactions per year);
3) a quarterly network scan in accordance with PCI DSS;
4) an attestation of compliance.
MasterCard SDP program
The MasterCard Site Data Protection (SDP) program is designed to ensure that merchants and service providers store MasterCard account data securely, in accordance with PCI DSS. Below is the list of program requirements for merchants and service providers.
MasterCard requirements for merchants:
a) Level 1 merchants (all merchants with more than 6 million MasterCard and Maestro transactions per year; all merchants that have suffered a breach or attack resulting in data compromise; any merchant that MasterCard, at its discretion, has assigned to Level 1) must:
1) undergo an annual on-site audit by a QSA;
2) undergo a quarterly network scan by an ASV;
3) complete the compliance validation procedures (mandatory).
b) Level 2 merchants (all merchants with more than 1 million but no more than 6 million MasterCard and Maestro transactions per year; all merchants meeting the Level 2 criteria of another payment system) must:
1) undergo an annual on-site audit by a QSA;
2) complete the SAQ annually (until December 31, 2010);
3) undergo a quarterly network scan by an ASV;
4) complete the initial compliance validation procedures (until December 31, 2010).
c) Level 3 merchants (all merchants with more than 20,000 but no more than 1 million MasterCard and Maestro e-commerce transactions per year; all merchants meeting the Level 3 criteria of another payment system) must:
1) complete the SAQ annually;
2) undergo a quarterly network scan by an ASV;
3) complete the compliance validation procedures (mandatory).
d) Level 4 merchants (all merchants not meeting the criteria of Levels 1 to 3) must:
1) complete the SAQ annually;
2) undergo a quarterly network scan by an ASV;
3) agree the date of compliance validation with their acquirer.
MasterCard requirements for service providers:
a) Level 1 service providers (all Third Party Processors; all Data Storage Entities that store, transmit or process more than 300,000 MasterCard and Maestro transactions per year) must:
1) undergo an annual on-site audit by a QSA;
2) undergo a quarterly network scan by an ASV.
b) Level 2 service providers (all Data Storage Entities that store, transmit or process 300,000 or fewer MasterCard and Maestro transactions per year) must:
1) complete the SAQ annually;
2) undergo a quarterly network scan by an ASV.
Liability for non-compliance with IPS requirements
A merchant's level is determined directly by the acquirer to which the merchant is connected. In turn, the IPS twice a year require acquirers to report on the PCI DSS compliance of their Level 1, 2 and 3 merchants. The acquirer thus acts as an intermediary between merchants and the IPS. If a merchant violates the IPS rules, Visa applies risk-control measures, which may take the form of fines imposed on the acquirer [5].
Service providers meeting the Level 1 criteria go through the required compliance procedures and are included in the list of PCI DSS compliant service providers. Level 2 service providers are not included in that list and are controlled by their acquirers (the control consisting in monitoring the results of the self-assessment questionnaire).
Figure 2 - Interaction between the IPS and financial organizations
Information security audit against the PCI DSS standard
Services within the PCI DSS standard
The following is the range of services that can be provided in connection with the PCI DSS standard.
1) PCI DSS compliance audit. Conducted by auditors with QSA (Qualified Security Assessor) status and consisting of the following general steps:
a) preparation and planning of the PCI DSS compliance audit;
b) carrying out the activities of the audit procedure;
c) analysis of the results obtained;
d) preparation of the PCI DSS compliance audit report.
2) Preparation of the Customer's infrastructure for a PCI DSS compliance audit. Carried out to prepare the Customer's infrastructure for certification against PCI DSS; in effect a preliminary audit against the requirements of the standard.
3) Vulnerability scanning in accordance with PCI DSS. Performed by an ASV (Approved Scanning Vendor) company; it is a mandatory procedure under requirement 11.2 of PCI DSS and is described in detail in the official PCI DSS Security Scanning Procedures document.
4) Penetration testing in accordance with PCI DSS. The penetration test is mandatory for achieving compliance and is carried out at least once a year (requirement 11.3 of PCI DSS). It includes:
a) an external penetration test;
b) an internal penetration test.
5) Information security training for the Customer's staff. Carried out to raise the awareness of the Customer's employees and optionally includes:
a) training sessions and seminars on various aspects of information security;
b) thematic presentations;
c) webinars.
The PCI DSS standard combines the requirements of the information security programs developed by Visa and MasterCard (Visa AIS, MasterCard SDP) and applies to all organizations working with these payment systems.
In the CEMEA region (Central and Eastern Europe, Middle East and Africa) PCI DSS is mandatory, so all merchants and service providers in the region must go through the compliance procedure. Russian financial institutions cooperating with the above-mentioned IPS must therefore undergo a PCI DSS compliance assessment.
General approach to conducting a compliance audit
Among the services that can be provided within the framework of PCI DSS, an overall picture of the security of the Customer's infrastructure and a certificate of compliance for it can be obtained from the compliance audit service, which is conducted by a company holding QSA status.
Among the approaches to IT audit there are two fundamentally different methods:
1) penetration tests;
2) a technological information security audit.
In the first stages of the compliance verification procedure the auditor identifies the audit scope: the set of components whose verification is, in his opinion, sufficient to obtain complete information about the degree of protection of payment card data.
During a PCI DSS compliance audit the requirements are analyzed and the corresponding testing procedures described in the official document "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures" are performed. The results of determining the audit scope and the samples taken are confirmed by the auditor and recorded in the report. The auditor then determines the total number of components (company offices, merchants, company roles and so on) [6]. These data are used as input to the compliance assessment stage.
Following the compliance assessment methodology, the auditor analyzes the information gathered at the data collection stage. The results are entered into the table of requirements. For requirements that are not met, a list of compensating controls is compiled [6] where the unmet requirements admit such controls. On completion of the assessment the auditor completes the Report on Compliance and the Attestation of Compliance (AOC).
The main stages of the audit
The following is the set of work stages on which the auditing practice of leading Russian consulting companies is built.
1) Stage one. Analysis and systematization.
Input data:
a) information about the components of the Customer's system in which critical cardholder information is stored or processed;
b) the Customer's regulatory and administrative documentation related to information security (information security policy, regulations, instructions and other documentation required by PCI DSS);
c) the composition and characteristics of the hardware and software used to transmit information, and the network topology;
d) the nature of the information system's internal and external communications, and the principles by which critical information is processed in it.
Scope of work:
a) analysis of the input data;
b) selection of the audit scope on the basis of that analysis.
Output:
a) the topology (list and characteristics of the information processing devices) of the audit scope;
b) information on the scope of work for conducting the audit and the technical means it requires.
2) Stage two. Assessment of compliance with the standard.
Input data: the output of the previous stage.
Scope of work (determined by the features of the Customer's selected certification scope):
a) analysis of the corporate network and verification of its security;
b) analysis of wireless networks and verification of their security;
c) analysis of firewall configurations;
d) analysis of access control lists;
e) analysis of the password policy;
f) analysis of the technologies used to process critical information;
g) verification of the presence of network monitoring software and of logging of user actions;
h) verification of software update policies (including for security software).
Output:
a) a final conclusion on the compliance of the Customer's infrastructure with the requirements of PCI DSS;
b) a picture, for the Customer, of the security of its infrastructure, the existing vulnerabilities and the errors in the design of its security policy.
3) Stage three. Report generation.
Input data: the output of the previous stage.
Scope of work: preparation of the report on the results of the certification audit.
Output: a report on the results of the certification audit of the Customer's infrastructure against the requirements of PCI DSS.
Battlefield segment
If one takes an optimistic view of the scope of PCI DSS, the requirements essentially apply to the system in which the card number (PAN) is handled. In practice, however, the notion of a "system" is quite elastic, and card numbers may be processed in a wide variety of components that make up that system. Note also that, in addition to cardholder data, which includes the PAN and other information, there is sensitive authentication data, which must not be stored at all, even in encrypted form.
Figure 3 - Table of card data elements and the protection measures applicable to each
Looking at the table of card data elements and their corresponding protection measures, one notices that elements such as CVV2 (Card Verification Value 2, the card authentication code of the Visa payment system) and CVC2 (the equivalent code of the MasterCard payment system) are sensitive authentication data and therefore must not be stored. Yet in practice there are merchants which, to make life easier for their customers, do not require this code to be re-entered on their web resource. Such organizations have to choose between a PCI DSS certificate (and hence the security of their business processes) and excessive pseudo-care for their users, because CVC2 and CVV2 are among the key elements of an online financial transaction.
Optimizing the structure of the target system and isolating the environment in which cardholder data is handled narrows the scope of PCI DSS, focuses the auditor's attention on a more specific object and, as a result, reduces the cost of the compliance assessment. The segmentation process, however, requires understanding and possibly restructuring the organization's business processes, which may cost far more than an unoptimized audit; in the latter case the entire network falls within the audit scope. Each organization must decide for itself whether to revise its current business practice or simply be assessed "as is".
If wireless networks are used in any way as a medium for transmitting cardholder data, this is a consequence of incorrect segmentation or of its absence. The PCI DSS requirements for wireless networks then come into force, which is good neither for the audited party (because of the "meticulousness" of those requirements) nor for the auditing party (wireless security specialists do not grow on trees). Another "parasite" in the segment under study is the set of third-party organizations that process, store or transmit cardholder data on behalf of the organization under study. Each such third party must present to the auditor a PCI DSS certificate of compliance or, failing that, undergo the compliance assessment itself.
Conclusions:
1) competent segmentation reduces the time and, in some cases, the financial cost of a compliance assessment;
2) the presence of wireless networks in the system as a means of processing cardholder data is the result of an incorrect segmentation procedure or of its absence;
3) involving third parties in the business process adds the time the auditor must spend auditing those parties; the auditor must clearly understand the role of the company and of its service providers (third parties) in the payment industry.
List of sources used
1. Glossary (version 2.0). PCI SSC, 2010. 16 p.
2. PCI Security Standards Council. PCI SSC, 2010. www.pcisecuritystandards.org
3. PCI DSS Document Library. PCI SSC, 2010. www.pcisecuritystandards.org/security_standards/documents.php?category=supporting
4. Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures (version 2.0). PCI SSC, 2010. 84 p.
5. PCI DSS Compliance Management. Informzaschita, 2010. www.pcisecurity.ru
6. Appendices B, C and F of "Payment Card Industry Data Security Standard. Requirements and Security Assessment Procedures" (version 2.0). PCI SSC, 2010. 84 p.
Some of the material in this analytical work was published in Hacker magazine (No. 144), January 2011.