Important Alerts

Please remember that Jefferson Bank will never contact you and ask you for personal information. Should you ever feel like your information has been compromised, please contact us at (210) 736-7600.

PCI: Understanding the Intent of the Requirements

PCI DSS1 requirements cover an array of controls to ensure your customers’ card data remains secure. The PCI Security Standards Council (PCI SSC) publishes the Navigating PCI DSS guide, intended to help merchants understand the PCI DSS and the specific meaning and intent behind each detailed requirement for securing the system components (servers, network, applications, etc.) that support the cardholder data environment (CDE)2. PCI DSS requirements apply to all system components, defined as any network component, server or application that is included in, or connected to, the cardholder data environment. System components also include virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of the people, processes and technology that handle cardholder data or sensitive authentication data.

PCI DSS applies from the moment you store, process or transmit card data; it is not limited to card data kept on disk. As a merchant, it is your responsibility to understand and remain current with all requirements. At least annually, and after any significant change to your environment, confirm the accuracy of your PCI DSS scope by identifying all locations and flows of cardholder data. To do this, identify and document every place cardholder data exists in your business environment, including places it was never meant to be, such as application logs, spreadsheets, e-mail and backups, and verify that no cardholder data exists outside the currently defined cardholder data environment. Once all locations are identified and documented, use the results (for example, a data-flow diagram or an inventory of cardholder data locations) to verify that your PCI DSS scope is appropriate.
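Finding card data where it was not expected to be is the hard part of scope confirmation. The following is an added example, not part of the original page or of any PCI SSC material: a small scanner that looks for PAN-shaped digit runs in text and keeps only those that pass the Luhn check digit test, which every card number satisfies and most other digit runs (phone numbers, tracking numbers, timestamps) do not. The sample lines are constructed for the example; the two card numbers in them are publicly known test numbers, not real accounts. Note that the report masks every hit, because a discovery report containing full PANs would itself become cardholder data.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real data): what a merchant might find in an
# application log or spreadsheet export during a scoping exercise.
SAMPLE_LINES = [
    "2024-03-01 10:02:11 order=1001 status=approved",
    "2024-03-01 10:02:12 card=4111 1111 1111 1111 exp=12/26 customer=A. Smith",
    "2024-03-01 10:03:05 phone=+1 (210) 736-7600 order=1002",
    "2024-03-01 10:04:40 ref=5555555555554444 status=declined",
    "2024-03-01 10:05:00 tracking=1234567890123456 carrier=UPS",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN for a report: only the last four digits survive."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    line_no: int        # 1-based line in the scanned input
    masked_pan: str     # never the full PAN
    digit_count: int


def scan_lines(lines):
    """Return one Finding per Luhn-valid, PAN-shaped token found in the lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.digit_count}-digit PAN {f.masked_pan}")
```

Run against the sample, only the card line and the "ref=" line are reported; the phone number and the tracking number are ignored. In practice you would feed the scanner file contents from shares, databases exports, log directories and mailboxes, and treat every hit outside the documented CDE as a scope finding to remediate.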

A Qualified Security Assessor (QSA) can assist in determining the scope of your business’s cardholder data environment and can advise on how to narrow the scope of a PCI DSS assessment by implementing proper network segmentation. For questions about whether a specific implementation is consistent with the standard or is “compliant” with a specific requirement, PCI SSC recommends that merchants consult a QSA to validate their implementation of technology and processes and their compliance with the PCI Data Security Standard. QSAs’ experience with complex network environments lends itself well to providing best practices and guidance as you work toward compliance for your business. The PCI SSC List of Qualified Security Assessors can be found at: www.pcisecuritystandards.org.

The following information is meant to guide you in understanding the intent of PCI (Payment Card Industry) requirements and to bring awareness of scams and tips to assist you in your business. We strongly advise that you visit the PCI Security Standards Council website, at www.pcisecuritystandards.org, to view all 12 PCI DSS requirements and review the Navigating PCI DSS documentation.

Build and Maintain a Secure Network

PCI’s glossary of definitions defines Network as being two or more computers connected together via physical or wireless means. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

  • Install and maintain a secure firewall3 - A firewall inspects traffic between networks of different trust levels and permits only the connections your documented rule set explicitly allows; anything not explicitly permitted is denied by default. Every system in the cardholder data environment must be protected from untrusted networks, including the internet, other internal business networks and wireless networks. A properly maintained firewall is your first line of defense against unauthorized access to cardholder data, and it is also the tool that lets you segment the CDE from the rest of your network to reduce PCI DSS scope.
  • Complete frequent scheduled network security scans - Your systems are checked for vulnerabilities, remotely and from inside the network, using manual or automated tools. Scans probe internal and external systems, report the services exposed to the network, and identify vulnerabilities in operating systems, services and devices that malicious individuals could exploit. PCI DSS requires internal and external vulnerability scans at least quarterly and after significant changes; the external scans must be performed by an Approved Scanning Vendor (ASV).
  • Change vendor-supplied passwords and defaults - Attackers routinely try to log in with the default passwords that devices and software ship with, because those defaults are published and widely known. Change every vendor-supplied password before a system goes into production, and also remove or disable default accounts, default SNMP community strings and unneeded services, since attackers are equally familiar with those settings.
  • Use strong passwords - Password strength measures how well a password resists guessing and brute-force attacks: roughly, how many attempts an attacker without direct access to the password would need, on average, to guess it. Strength is a function of length, complexity and unpredictability. Strong passwords lower the overall risk of a breach, but they do not replace other controls such as account lockout, multi-factor authentication for administrative and remote access to the CDE, and monitoring of failed logins.

Protect Cardholder Data4

  • Protect stored data - Store only the cardholder data you have a documented business need for, and render the PAN unreadable wherever it is stored using encryption5, truncation6, masking7 or hashing8. An unauthorized individual who obtains encrypted data without the corresponding cryptographic key gains nothing of use, which is why the keys must be managed and protected separately from the data. Sensitive authentication data (full magnetic stripe or chip data, the card verification code and PINs) must never be stored after authorization, even if encrypted. Note that a plain hash of a PAN is not strong protection on its own: the set of possible card numbers is small enough to enumerate, so use a keyed hash, and never keep a truncated and a hashed form of the same PAN where the two can be correlated.
  • Encrypt transmission of cardholder data - Cardholder data sent over open, public networks (the internet, wireless networks, cellular and satellite links) must be protected with strong cryptography, such as a current version of TLS, because those networks are easily intercepted by individuals with malicious intent. Never send unprotected PANs through end-user messaging such as e-mail or instant messaging.
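To make the truncation, masking and hashing footnotes concrete, and to show why an unkeyed hash of a PAN is weak, here is an added example (not code from the original page or from PCI SSC). It uses only the Python standard library; encryption is left out because doing it properly is mostly a key-management problem that a short example cannot show. The PAN is a publicly known test number, the key is generated on the spot for the demonstration, and `recover_pan` plays the attacker who holds a hash and a truncated copy of the same PAN: with an unkeyed SHA-256 the missing six digits fall to a one-million-candidate search, while the same search against an HMAC under a key the attacker does not have finds nothing.

```python
import hashlib
import hmac
import secrets


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six (BIN) and last four, discard the middle permanently."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display: show only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def sha256_hex(pan: str) -> str:
    """Unkeyed hash. Looks irreversible, but the PAN space is tiny (see recover_pan)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: candidates cannot be tested without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest_hex: str, bin6: str, last4: str, hash_fn, length: int = 16):
    """Attacker's view: given a digest and a truncated PAN, try every possible middle section.

    hash_fn is whatever the attacker believes produced the digest. Returns the PAN
    on a match, otherwise None after exhausting every candidate.
    """
    middle_len = length - len(bin6) - len(last4)
    for n in range(10 ** middle_len):
        candidate = f"{bin6}{n:0{middle_len}d}{last4}"
        if hash_fn(candidate) == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"            # public test number, not a real account
    key = secrets.token_bytes(32)       # in production: held in an HSM/KMS, never next to the hashes
    print("truncated:", truncate_pan(pan), " masked:", mask_pan(pan))

    unkeyed = sha256_hex(pan)
    print("from unkeyed hash:", recover_pan(unkeyed, pan[:6], pan[-4:], sha256_hex))

    keyed = keyed_hash_pan(pan, key)
    print("from keyed hash, no key:", recover_pan(keyed, pan[:6], pan[-4:], sha256_hex))
    print("from keyed hash, with key:",
          recover_pan(keyed, pan[:6], pan[-4:], lambda p: keyed_hash_pan(p, key)))
```

The search is fast because the attacker only has to guess the digits that truncation removed; that is exactly the correlation PCI DSS warns about when both forms of a PAN exist in one environment. Keying the hash does not make the PAN space larger, it removes the attacker's ability to test guesses at all, so the key deserves the same protection as an encryption key.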

Maintain a Vulnerability Management Program

  • Remain current with anti-virus software9 and programs - Use anti-virus software on all systems commonly affected by malicious software, particularly PCs and servers10. Ensure that all anti-virus mechanisms are current, actively running, cannot be disabled by users, and generate audit logs; those logs allow malware activity to be monitored and investigated.
  • Develop and maintain secure systems and applications - Identify newly discovered security vulnerabilities on an ongoing basis and install vendor security patches promptly, with critical patches applied within one month of release. Any payment application you develop or customize should follow secure coding practices and be tested for common vulnerabilities before release and after changes.

Implement Strong Access and Control Measures

  • Restrict access to cardholder data - Limit access to systems and data to the personnel whose job requires it (need to know), and grant the minimum privileges needed for that job. Do not give every employee access to every program; unnecessary access is unnecessary exposure of card data.
  • Assign unique IDs to each user - Giving each user their own credentials ensures that every action on cardholder data can be traced to one accountable individual and limits the likelihood of access by unauthorized individuals. Shared or generic accounts defeat both goals.
  • Restrict physical access to cardholder data - Any physical access to data or systems that house cardholder data should be restricted to authorized personnel only. Visitors or vendors should not have unescorted access to these areas at any time. Appropriate facility controls (locks, badges, visitor logs and media handling procedures) should be in effect at all times.

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data - Log user activity, including every access to cardholder data and every administrative action, and review the logs regularly. Logging is an aid to prevent, detect and minimize the impact of a data compromise; determining the cause of a compromise is very difficult without system activity logs, and logs that nobody reviews provide no detection at all.
  • Regularly test security systems and processes - Test quarterly for the presence of wireless access points, authorized or not, so that no hidden device is bridging your network and capturing card data. Complement this with quarterly vulnerability scans and at least annual penetration testing of the CDE, and verify that security controls still work after any significant change.
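Reviewing logs only pays off when there is a rule that says what an abnormal access looks like. The following is an added example, not from the original page: a few detection rules run over constructed access-log lines, tying together the access-control points above (need-to-know access, unique IDs) and the monitoring point. The log format, the list of CDE resources, the authorized-user list, the generic-account list and the business-hours window are all assumptions for the example; a real deployment would take them from your access-control documentation.

```python
from datetime import datetime

# Constructed sample log (not from a real system): one access event per line.
SAMPLE_LOG = [
    "2024-03-01T09:15:02 user=jsmith action=read resource=cardholder_db result=ok",
    "2024-03-01T09:20:45 user=tbrown action=read resource=cardholder_db result=ok",
    "2024-03-01T13:02:10 user=jsmith action=login resource=hr-portal result=ok",
    "2024-03-01T23:41:19 user=jsmith action=export resource=cardholder_db result=ok",
    "2024-03-02T02:10:33 user=admin action=read resource=cardholder_db result=ok",
    "2024-03-02T08:00:01 user=tbrown action=read resource=cardholder_db result=denied",
]

# Assumed for the example: what is in the CDE, who may touch it, and when.
CDE_RESOURCES = {"cardholder_db", "payment-gateway"}
AUTHORIZED_CDE_USERS = {"jsmith"}          # the need-to-know list
GENERIC_ACCOUNTS = {"admin", "root", "sa", "shared"}
BUSINESS_HOURS = range(7, 20)              # 07:00 to 19:59


def parse(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def evaluate(line: str) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    rec = parse(line)
    alerts = []
    if rec["resource"] in CDE_RESOURCES:
        if rec["user"] not in AUTHORIZED_CDE_USERS:
            alerts.append("cde-access-by-unauthorized-user")
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append("cde-access-outside-business-hours")
        if rec["action"] == "export":
            alerts.append("bulk-export-of-cardholder-data")
    if rec["user"] in GENERIC_ACCOUNTS:
        alerts.append("generic-or-shared-account")     # no accountable individual
    if rec["result"] == "denied":
        alerts.append("access-denied-attempt")         # failed attempts are worth counting too
    return alerts


def scan_log(lines) -> list:
    """Return (line_no, alert_name) pairs for the whole log."""
    return [(i, a) for i, line in enumerate(lines, start=1) for a in evaluate(line)]


if __name__ == "__main__":
    for line_no, alert in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {alert}")
```

Run against the sample, the first and third lines are silent (an authorized user doing routine work, and a non-CDE system), while the midnight export, the "admin" login and the denied attempt each produce alerts. The rules are deliberately simple; the value is in having the authorized-user list written down somewhere a script can check it, which is also what an assessor will ask to see.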

Maintain an Information Security Policy

  • Create a policy that addresses information security for all personnel - A strong security policy sets clear expectations and ensures proprietary information remains secure. All employees should know the policy and their responsibilities under it. Review and update the policy at least annually and whenever your environment changes.

1 The Payment Card Industry Data Security Standard (PCI DSS) was created by the PCI Security Standards Council, which offers comprehensive standards and supporting materials to enhance payment card data security. These standards include a framework of specifications, tools, measurements and support resources to help merchants ensure the safe handling of cardholder information at every step. The PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Please visit www.pcisecuritystandards.org to find useful information about the PCI DSS requirements for merchants, which were created to mitigate data breaches and prevent payment cardholder data fraud.
2 The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.
3 Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
4 At a minimum, cardholder data consists of the full card number (PAN). Cardholder data may also appear in the form of the full card number plus any of the following: cardholder name, expiration date and/or service code.
5 Process of converting information into an unintelligible form except to holders of a specific cryptographic key.
6 Method of rendering the full card number unreadable by permanently removing a segment of the card number data. Truncation relates to protection of the card number when stored in files, databases, etc.
7 Method of concealing a segment of data when displayed or printed. Masking is used when there is no business requirement to view the entire card number. Masking relates to protection of the card number when displayed or printed.
8 Process of rendering cardholder data unreadable by converting data into a fixed-length message digest via strong cryptography. Hashing is a (mathematical) function in which a non-secret algorithm takes any arbitrary-length message as input and produces a fixed-length output (usually called a “hash code” or “message digest”).
9 Program or software capable of detecting, removing, and protecting against various forms of malicious software (also called “malware”) including viruses, worms, Trojans or Trojan horses, spyware, adware, and rootkits.
10 Computer that provides a service to other computers, such as processing communications, file storage, or accessing a printing facility. Servers include, but are not limited to, web, database, application, authentication, DNS, mail, proxy, and NTP.
