PCI Data Security Standard: Terms and Definitions

Well, here we go again with a bunch of acronyms and new terms to learn. To help understand the important security requirements your card services agreement commits you to if you are processing credit cards, it important to understand some of the terms and definitions. The following definitions are taken directly from the PCI Security Standards Council’s website and are provided here for convenience, but we strongly recommend that you study this important website as it must be considered the authority and source for everything you read about PCI DSS.

Definitions (from www.pcisecuritystandards.org)

PCI	Payment Card Industry.
PCI DSS	The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
PCI SSC	The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
PA-DSS	Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.
ASV	Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
QSA	Acronym for “Qualified Security Assessor,” company approved by the PCI SSC to conduct PCI DSS on-site assessments.
SAQ	Acronym for “Self-Assessment Questionnaire.” Tool used by any entity to validate its own compliance with the PCI DSS.

Yes these are a lot of acronyms flying around, but what is important is to understand the key relationships between them. It is the Security Standards Council (PCI SSC) that defines and updates the Data Security Standard (PCI DSS) that in turn defines the merchants’ requirements for card processing security. The Council (PCI SSC) also establishes requirements for Payment Applications (PA-DSS) that must be followed by POS Software vendors (as well as any service company involved in processing or storing credit card information). What is important here is to remember just because a merchant is using a Payment Application that is PA-DSS certified the merchant is NOT automatically PCI-DSS Compliant, because the Data Security Standard entails 12 general requirements for merchants.

Merchants are required to meet the Data Security Standards (PCI DSS) and if required by their Acquiring Banks, either be audited by a Qualified Security Assessor (QSA) or complete an annual Self Assessment Questionnaire (SAQ). There are four different SAQs (A,B,C & D) based on how transactions are handled and if sensitive cardholder information is retained (see PCI-DSS: Card Retention Options and SAQs ).

In completing these Self Assessment Questionnaires a merchant may need assistance. For that purpose a merchant may elicit the help of a Qualified Security Assessor (QSA) who understands the Data Security Standard (PCI DSS) and may also need to have external vulnerability scans performed by an Approved Scanning Vendor (ASV). The Council (PCI SSC) also certifies the QSA, ASV and also Payment Application Qualified Security Advisors (PA QSA), who must be used to certify that a Payment Application is PA DSS certified.

PCI DSS Requirements

The PCI Data Security Standard entails 12 general security requirements for the security of cardholder information. Not all requirements apply to all merchants, depending upon which SAQ applies (see the related article PCI-DSS: Card Retention Options and SAQs). Again, directly from the PCI Website (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml):

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Disclaimer: This article is intended to provide an introduction to the PCI Data Security Standard and the relationships between various security providers. This author has been careful to directly quote the PCI SSC website for most of this material and believes it must be the ultimate source for learning and understanding the standards and organizations. This author has also used articles such as this one to better understand these requirements and has encountered contradictions and especially dated materials while researching this. While the basics will help the reader put this puzzle together, the author strongly encourages you to utilize the valuable resource of the PCI SSC website for clarifications: www.pcisecuritystandards.org.