PCI DSS (Payment Card Industry Data Security Standard) is the payment card industry's data security standard. In other words, it is a document containing the list of requirements that any service must meet if it stores, processes or transmits cardholder data such as the card number (PAN), expiration date or CVV code (the CVV is "sensitive authentication data": it may be handled during authorization but must never be stored afterwards).
There are many payment card brands in the world (everyone knows Visa and Mastercard), and since this is an industry-wide standard, all of these companies have to agree on what counts as secure. That is what the PCI SSC (Payment Card Industry Security Standards Council) is for: a council founded by the five major card brands (American Express, Discover, JCB, Mastercard and Visa). It is this council that writes the "rules of the game" and maintains the requirements a company must satisfy to earn the coveted "PCI DSS compliant" status. Strictly speaking there is no certificate: compliance is documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC) signed off by the assessor, and it is not permanent, since the assessment must be repeated every year.
What is checked?
It would be impractical to walk through every validation criterion here: the page counts 288 of them (the exact number depends on the version of the standard), and the assessment is lengthy because it involves verifying a number of demanding technical points. The criteria are grouped into the standard's 12 high-level requirements:
- Network security controls (firewalls) protecting the cardholder data environment.
- Secure configuration of all system components (no vendor-supplied defaults).
- Protection of stored cardholder data (PAN rendered unreadable, sensitive authentication data never stored).
- Protection of cardholder data in transit with strong cryptography over open, public networks.
- Protection of all systems and networks from malicious software (anti-virus).
- Secure development and maintenance of systems and software.
- Restriction of access to cardholder data by business need to know.
- Identification of users and authentication of access to system components.
- Physical access control to cardholder data and the infrastructure that handles it.
- Logging and monitoring of all access to system components and cardholder data.
- Regular security testing of systems and networks (vulnerability scans, penetration tests).
- Information security policies and programs supporting all of the above.
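The stored-data and logging requirements above collide in practice: an application that logs the full card number has just created another place where cardholder data is stored. Below is an added example (not code from the original article or from any assessed company) of a log scrubber that enforces the two rules an assessor looks for: PANs are masked to at most the first six and last four digits (Requirement 3), and card verification codes are removed entirely rather than masked, because sensitive authentication data may not be retained at all. The regexes, the `cvv=`/`cvc=`/`cid=` field names and the sample log lines are assumptions constructed for this example; the card numbers are commonly published test numbers, not real cards.

```python
"""Scrub primary account numbers (PANs) and card verification codes out of
application log lines before they reach disk or a SIEM.

PCI DSS Requirement 3 allows at most the first six and last four digits of a
PAN to be displayed, and forbids storing sensitive authentication data such as
the CVV2/CVC2 after authorization.
"""
import re

# A run of digits that may be broken up by single spaces or dashes,
# e.g. "4111111111111111" or "5555 5555 5555 4444".  (Assumed formatting.)
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)*")

# Verification codes logged as key=value (assumed field names); removed, not masked.
_CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)=\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every real PAN passes it, ~90% of other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the maximum Requirement 3 permits to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Yield (start, end, digits) for each Luhn-valid 13-19 digit number in text.

    At each offset inside a digit run the longest window (19 digits) is tried
    first, so a 16-digit PAN is not reported as a shorter Luhn-valid substring.
    Luhn-invalid runs such as timestamps and order ids are left alone; false
    positives on other long numeric fields remain possible and should be
    reviewed rather than silently trusted.
    """
    for run in _DIGIT_RUN.finditer(text):
        # (absolute offset, digit) pairs with separators dropped
        chars = [(i, c) for i, c in enumerate(run.group(0), run.start()) if c.isdigit()]
        i = 0
        while i < len(chars):
            hit = None
            for length in range(19, 12, -1):
                window = chars[i:i + length]
                if len(window) < length:
                    continue
                digits = "".join(c for _, c in window)
                if luhn_valid(digits):
                    hit = (window[0][0], window[-1][0] + 1, digits)
                    break
            if hit is None:
                i += 1
                continue
            yield hit
            i += len(hit[2])


def scrub_line(line: str) -> tuple[str, int]:
    """Return (scrubbed line, number of PANs masked)."""
    out, last, found = [], 0, 0
    for start, end, digits in find_pans(line):
        out.append(line[last:start])
        out.append(mask_pan(digits))
        last = end
        found += 1
    out.append(line[last:])
    return _CVV_FIELD.sub(r"\1=[REDACTED]", "".join(out)), found


# Constructed sample lines for the example; the PANs are public test numbers.
SAMPLE_LOG = [
    "2024-01-15 10:23:45 INFO order=778812 card=4111111111111111 amount=12.50",
    "2024-01-15 10:24:02 INFO card=5555 5555 5555 4444 cvv=123 status=approved",
    "2024-01-15 10:24:09 INFO order=123456789012345 status=shipped",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        scrubbed, n = scrub_line(line)
        print(f"[{n} PAN(s) masked] {scrubbed}")
```

The 15-digit order id in the third line is deliberately left untouched: it fails the Luhn check in every 13 to 19 digit window, which is what keeps the scrubber from mangling ordinary identifiers. In a real pipeline the scrubber sits in the logging handler, not in the application code, so that a developer cannot forget to call it.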
It is clear that both the software side and the "physical" side are covered here; in other words, everything is checked. And "checked" here means an on-site assessment: the assessor is physically present in the offices of the company being assessed. A QSA (Qualified Security Assessor, a status certified by PCI SSC) has the right to interview employees of the payment gateway, and there is a formal interview procedure for this.
The source code of the libraries is sampled, with the most attention paid to the core that directly processes payment card data. The assessor also checks that development follows an external secure-coding standard such as the OWASP guidance, which PCI DSS Requirement 6 references for the common classes of vulnerability that must be identified and eliminated in code. The development process must also include a code review step, in which the change is checked by a developer other than the one who wrote it, before it is released.
All relationships and responsibilities between the service providers that fall within the scope of PCI DSS, that is, between the processing center, the data center and the acquiring banks, are recorded in so-called responsibility matrices. A signed responsibility matrix between service providers has been a mandatory requirement since version 3.1 of PCI DSS (Requirements 12.8 and 12.9 in the 3.x numbering). In addition, the data center must itself hold a current PCI DSS Attestation of Compliance covering the infrastructure components the processing center uses in its business: virtualization, services and physical equipment.