PCI DSS Guru
Payment Card Industry Data Security Standard


An Introduction to PCI DSS

By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.


Posted in PCI DSS | 3 Comments

PCI DSS Requirement 4.1: Protecting Cardholder Data with SSL and TLS

PCI DSS requirement 4.1 requires the use of secure sockets layer (SSL) or other strong cryptography to protect cardholder data while in transit over public networks. Specifically, the standard states:

“Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.”

In this article, we take a look at what this means for you as a PCI DSS professional.  We begin with an overview of how the Secure Sockets Layer (SSL) works, define an “open, public network” and then explore what you need to do to validate your PCI DSS compliance in this area.


Posted in Encryption, PCI DSS | 3 Comments

A Sample Policy for PCI-DSS

In this article, I review the Payment Card Industry Data Security Standard (PCI-DSS) policy requirements and provide a policy framework, including a PCI DSS sample policy that uses the framework.

Getting Started

The best advice regarding policy creation is: don’t over engineer it!  The policy document should be a definitive guide to conduct, but should not include the implementation details (i.e., procedures).  It may make reference to standards, but it should not contain those standards.

Posted in PCI DSS, Policy | 1 Comment

PCI DSS 11.3: Penetration Testing Requirements Clarified

There’s a lot of talk about section 11.3 of the Payment Card Industry Data Security Standard (PCI DSS), requiring organizations to conduct penetration tests.  The language in this section of the standard reads:

11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:

  • 11.3.1 Network-layer penetration tests
  • 11.3.2 Application-layer penetration tests

When the standard first came out, the vagueness of this requirement caused quite a bit of confusion among compliance professionals attempting to understand how they’ll be held accountable by their merchant banks.


Posted in PCI DSS, Penetration Testing | 2 Comments

Web Application Firewalls or Code Reviews? A Complex Choice!

PCI DSS Requirement 6.6: Web Application Firewalls and Code Reviews

On June 30, 2008, PCI DSS requirement 6.6 takes effect, requiring that all merchants who operate public websites implement at least one of two controls:

  • Install a web application firewall
  • Perform application code reviews

Until recently, the meaning of these requirements has been quite unclear and subject to interpretation.  However, with the recent release of an information supplement, the PCI Security Standards Council clarified the requirements and laid out a clear path to compliance for merchants.  Let’s take a brief look at each of the two options.


Posted in Application Firewalls, Code Review, PCI DSS | 2 Comments

Copyright 2007, Plainfacts.net