
Payment security. Part 1: PCI DSS Standard

Every industry, as it develops, travels the road from unrestricted creativity to some form of regulation imposed by the state or by non-governmental bodies. The purpose of regulation is usually to protect interests that conflict with profit-making and which business, left to itself, therefore has no reason to care about.

The payment industry is no exception. The business interest lies in letting buyers pay merchants as quickly and comfortably as possible and in offering every market participant ancillary services. Unfortunately, a convenient one-click payment on a shop's website can have unpleasant consequences for the cardholder if any participant in the payment chain, the shop, the bank or the processing centre, failed to take the necessary security measures when handling the data. The safety of the money on customers' cards is a matter of reputation for a business, but frankly it brings no direct revenue. This is where state regulators and international bodies step in with protection requirements. Whereas the term "cashless payment" used to be associated mainly with banks and payment orders, the spread of bank cards, retail cashless payments and electronic money has drawn small business into the payment industry, represented chiefly by e-commerce companies and payment agents.

Over the past few years a whole series of regulatory documents on payment security has appeared, and judging by the activity of the regulators there will be more. In Russia the most relevant ones today are the international standards PCI DSS and PA-DSS, as well as Federal Law No. 161-FZ "On the National Payment System" and the security by-laws that accompany it. These are the documents that Russian companies deciding to tie their business to cashless payments mostly encounter. Let us consider them in order.


The Payment Card Industry Data Security Standard (PCI DSS) came to us from the West and historically became the first widely adopted set of payment security requirements. The standard was developed by the international payment systems Visa, MasterCard, American Express, JCB and Discover, which set up a dedicated body to maintain it: the PCI Security Standards Council (PCI SSC).

The standard applies to every organisation that stores, processes or transmits in its information systems the numbers of payment cards issued under the brand of any of the payment systems named above. In other words, its requirements cover brick-and-mortar and online shops, banks, payment gateways, processing centres and other related entities. In the regulator's terms, every organisation involved in one way or another in processing a payment transaction falls into one of two categories: merchants and service providers. The first are all those who sell goods or services and accept cards from customers: shops, restaurants, hotels, petrol stations, car parks. The second are all those who make the payment process possible: banks, payment gateways, the international payment systems themselves, hosting providers and others.

PCI DSS contains a list of fairly specific technical and organisational requirements for protecting card data, grouped into 12 sections. The requirements are organised as a checklist: one moves from one requirement to the next and ticks "done" or "not done". This approach has its drawbacks, and information security professionals periodically criticise the standard for its inflexibility and the absence of a risk-based approach. In the standard's defence, however, it was designed for mass adoption by merchants, who rarely have information security specialists able to manage risk professionally in the manner of ISO 27001.

The requirements of the standard aim to secure the information infrastructure at every level. Physically secured premises house correctly configured network devices and servers, on which securely developed applications and databases run. Protection is kept current through continuous monitoring and regular audits. Trained staff administer the information systems according to established procedures. This, roughly, is what information security looks like in practice from the point of view of the international payment systems.

An organisation must confirm its PCI DSS compliance annually, and there are several ways to do so: completing a Self-Assessment Questionnaire (SAQ), undergoing an internal audit by an Internal Security Assessor (ISA), or passing an external audit by a Qualified Security Assessor (QSA). Which to choose? The answer is not as obvious as it might seem at first glance. To begin with, we must recall which of the two main types the organisation belongs to: merchant or service provider.

For a service provider the figure to remember is 300,000. This is the boundary between Level 1 and Level 2 set by both Visa and MasterCard for service providers. If the annual number of transactions, or the total number of card numbers stored in the database, exceeds 300,000, the provider is Level 1 and must engage an audit firm with PCI QSA status for an external QSA audit. If the number is lower, it is enough to complete the SAQ D self-assessment questionnaire and submit it to the acquiring bank. The types of self-assessment questionnaires are discussed below.

For a merchant there are four levels. But for simplicity, again, only one figure needs to be remembered: one million. A shop that processes more than one million transactions per year belongs to Level 1 or Level 2 and must undergo an external QSA audit or an internal ISA audit annually. If the annual number of transactions is below one million, the shop is Level 3 or Level 4, and it is enough to complete a self-assessment questionnaire, whose type is chosen according to how the cards are handled. The deciding criterion is whether card numbers are stored in the shop's information systems. If the shop stores card data, SAQ D applies. If it only transmits card data through its systems and does not store it, SAQ C applies. If it has outsourced processing to a validated service provider and does not take part even in the transmission, the shortest questionnaire, SAQ A, applies. A summary table of the compliance validation options is given below.

Bear in mind that the merchant and service provider level definitions published by the international payment systems serve only as general guidance. The overriding rule is that the acquiring bank bears primary responsibility for its service providers' and merchants' compliance with PCI DSS, and only the acquiring bank has the authority to decide definitively how a given organisation must validate its compliance.

(to be continued)

Table. PCI DSS Compliance Validation Options

Option    | Applicability                                                                                                                                                                            | Number of verification procedures
SAQ A     | Merchants performing e-commerce transactions that have outsourced all electronic processing, storage and transmission of card data to a service provider with validated PCI DSS compliance. | 13
SAQ B     | Merchants using POS terminals over a telephone line, not transmitting card data over the Internet, and with no electronic storage of card data.                                         | 29
SAQ C     | Merchants using POS terminals or payment applications that transmit card data over the Internet, with no electronic storage of card data.                                                 | 40
SAQ C-VT  | Merchants that key transactions into an Internet-based virtual terminal provided by a service provider with validated PCI DSS compliance, with no electronic storage of card data.         | 51
SAQ D     | All merchants and all service providers, except those for whom the payment system or the acquiring bank requires an ISA or QSA audit.                                                    | 288
ISA audit | All merchants, except those for whom the payment system or the acquiring bank requires a QSA audit.                                                                                      | 288
QSA audit | All merchants and all service providers.                                                                                                                                                 | 288

Source: https://habr.com/ru/post/180221/
