Payment Card Industry Data Security Standard (PCI DSS) is the data security standard of the payment card industry. It was formulated by the Payment Card Industry Security Standards Council (PCI SSC), which was jointly established by its founding members: American Express, Discover Financial Services, JCB, MasterCard and Visa International. It applies to any institution involved in the storage, transmission or processing of card data. Its Chinese and English names both translate as Payment Card Industry Data Security Standard, and it is classified as an information security standard.

1. Introduction
PCI DSS is a global, consistent set of data security measures developed to support and improve cardholder data security and adopted by the card organizations. It provides a set of technical and operational baseline requirements for protecting cardholder data. The standard has six major goals and 12 major requirements; the entire PCI security standard is essentially built on these items, and organizations that are conducting or planning a PCI compliance review can use them as a reference. The current version of the standard is PCI DSS v3.2.1.

2. PCI DSS Compliance Assessment
The PCI DSS standard sets out many security baseline requirements covering the information security management system, network security, physical security, data encryption and other areas. No information security standard or security program can guarantee 100% protection against security risks, but industry experience shows that if PCI DSS is implemented and the cardholder data environment is continuously protected in strict accordance with its requirements, the likelihood of security incidents is greatly reduced.

3. Security Overview
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data to those with a business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel.

4. Important aspects of PCI DSS
The PCI DSS document discusses requirements for testing authentication in the application environment, an often overlooked but very important component of penetration testing. It also describes what counts as a "significant change" to a system, so that penetration testing is repeated after code or related updates are made to any system in the cardholder data environment. The document notes the importance of certifications and prior experience for the security professionals doing this work (as in other fields, more experience is usually better), and of course tools such as vulnerability scanners, network analyzers and exploit kits are also needed, and testers should know how to use them effectively.

Penetration-testing rules of engagement are also often overlooked, which can create problems during or after a test, for example how far an exploit should be taken and how sensitive data discovered during the test should be handled. I am very happy that the document addresses security controls that may block testing (WAFs, IPSes, etc.); many people think that if these controls are in place, no vulnerabilities will be found or exploited and everything is fine. On whitelisting or disabling these active protections, the penetration testing guide explicitly states that doing so can "help ensure that the service itself is properly configured and control the risk of exploitation if the active protection system fails or is somehow defeated or bypassed by an attacker." The document also provides recommendations on social engineering, including phishing tests, to determine whether the cardholder data environment can be compromised from that angle. Businesses should also retain evidence of the details of their testing, including specific findings, so that it is available on request.

5. PCI DSS improves the security of virtual environments
When deploying a VMware virtualization environment, you can use PCI DSS to enhance the data security of your virtual machines. As more and more personal information is stored on networks, attempts by unauthorized users to access this data are increasing. Suspicious activity or fraudulent spending caused by the loss of personal information can lead to the forced cancellation of a user's credit card, which is very frustrating; beyond that, users whose personal information is leaked usually feel that their privacy has been violated. The question this raises is: how serious is the situation? The Bureau of Justice Statistics has released data on personal information leakage, and the picture is worrying.

The latest available data is from 2012, when 7% of Americans aged 16 and over experienced at least one incident of personal information theft. The consequences were severe, with estimated losses of $24.7 billion; by comparison, data from the National Crime Victimization Survey shows that other property crime caused losses of $14 billion. These figures show that the systems storing private information have real security gaps that have not been closed. Recognizing the importance of protecting personal information and financial data (especially credit and debit accounts), the Payment Card Industry (PCI) Security Standards Council developed the Data Security Standard (DSS), the latest version of which is 3.1. The Council is an open forum responsible for the continuing development of the standard; its original founders were American Express, Discover Financial Services, JCB International, MasterCard and Visa. Although you may never have heard of PCI DSS, the principles and guidelines it contains affect almost everyone who pays by card. The Council sets requirements for merchants, manufacturers and security consulting firms to prevent personal information leaks and credit card fraud. For payment companies that already meet the standard, the biggest benefit of PCI DSS is that they can provide good security protection for their most valuable asset: consumers. A good security reputation helps a company win a steady stream of business, while a poor reputation, once formed, is difficult to change. PCI DSS is designed to help payment institutions implement best practices for sensitive data security, especially for the data types unique to this industry.

It would be a dereliction of duty, however, to ignore this standard simply because your organization does not handle payment card data or related transactions. The guidelines in PCI DSS have been adapted for virtualization technology and can be of great help to any enterprise that wants to protect sensitive data. Compliance reviews against PCI DSS and other industry-specific standards provide a high degree of assurance that private information is protected by security best practices. A secure information environment is critical to the business, its customers and its employees.

6. PCI DSS eliminates weak links
Fortunately, PCI DSS can serve as one of the guidelines for using virtualization technology in an environment that handles payment card business. For example, PCI DSS Requirement 2.2.1 states that a system component or virtual device should implement only one primary function. The PCI DSS guidance explains in detail the risks of systems with multiple primary functions: the function with the lowest security level can become the path to attacking the others. The comparison to a chain that is only as strong as its weakest link helps explain the practical role of PCI DSS here. Running a web server and a critical database service in a single virtual machine, for example, is asking for trouble. The best approach is to follow the PCI DSS rule, place these functions on different servers, and then tailor the security level of each server to the function it hosts. In addition, network connections between servers must prohibit lower-security functions from migrating from one server to another. As you can see, deploying one server per function means that the servers, related equipment and network connections must be planned as a whole.

These guidelines were carefully considered before release and can be applied in any industry that needs to strengthen system security. Virtualization improves the efficiency of hardware utilization: separate physical servers are no longer needed for every function, which makes the one-function-per-server guideline easier to implement. Following the PCI DSS guidelines when planning server resources strengthens system security and gives more flexibility in security controls once the system's main functions are in place. Security is an ever-changing concept that requires continuous attention, and PCI DSS offers a useful idea: an industry security standard can be applied to specific industries, customers and IT departments in other fields. Implementing separation of primary functions on servers in compliance with PCI DSS is a good practice that all enterprises should adopt.
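As an added illustration (not part of the original article), the following Python script audits a constructed virtual machine inventory against the one-primary-function rule of Requirement 2.2.1 and computes each host's effective security tier as the minimum across the functions it co-hosts, which is the weakest-link effect described above. The port-to-function mapping, the tier values and the host names are assumptions made for the example.

```python
# Added example: audit a constructed VM inventory against PCI DSS Requirement
# 2.2.1 (one primary function per system component). Not from the article.

# Assumed mapping of listening TCP ports to a primary function and the
# security tier we assign that function (higher = more sensitive).
PORT_FUNCTIONS = {
    80: ("web", 1), 443: ("web", 1),
    3306: ("database", 3), 5432: ("database", 3),
    389: ("directory", 2), 636: ("directory", 2),
    25: ("mail", 1),
}
# Ports such as 22 (SSH) are management services, not primary functions,
# so they are simply absent from PORT_FUNCTIONS and ignored by the audit.


def primary_functions(listening_ports):
    """Return the set of (function, tier) pairs implied by a host's open ports."""
    return {PORT_FUNCTIONS[p] for p in listening_ports if p in PORT_FUNCTIONS}


def audit_inventory(inventory):
    """inventory: {hostname: [listening TCP ports]}.

    Returns {hostname: {"functions": [...], "effective_tier": int, "compliant": bool}}.
    A host complies with 2.2.1 when it runs at most one primary function.
    Its effective tier is the minimum tier among its functions: the weakest
    co-located service sets the security bar for the whole host.
    """
    report = {}
    for host, ports in inventory.items():
        funcs = sorted(primary_functions(ports))
        tiers = [tier for _, tier in funcs]
        report[host] = {
            "functions": [name for name, _ in funcs],
            "effective_tier": min(tiers) if tiers else 0,
            "compliant": len(funcs) <= 1,
        }
    return report


# Constructed sample inventory: the legacy host co-hosts web and database.
SAMPLE_INVENTORY = {
    "vm-web-01": [22, 80, 443],
    "vm-db-01": [22, 5432],
    "vm-legacy-01": [22, 80, 3306],
}

if __name__ == "__main__":
    for host, r in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if r["compliant"] else "VIOLATION of 2.2.1"
        print(f"{host}: functions={r['functions']} tier={r['effective_tier']} {status}")
```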