Well, here we go again with a bunch of acronyms and new terms to learn. To understand the security requirements your card services agreement commits you to if you process credit cards, it is important to understand some of the terms and definitions. The following definitions are taken directly from the PCI Security Standards Council’s website and are provided here for convenience, but we strongly recommend that you study that site, as it is the authority and source for everything you read about PCI DSS.
Definitions (from www.pcisecuritystandards.org)
PCI | Payment Card Industry.
PCI DSS | Payment Card Industry Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
PCI SSC | The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
PA-DSS | Payment Application Data Security Standard. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.
ASV | Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services.
QSA | Acronym for “Qualified Security Assessor.” Company approved by the PCI SSC to conduct PCI DSS on-site assessments.
SAQ | Acronym for “Self-Assessment Questionnaire.” Tool used by any entity to validate its own compliance with the PCI DSS.
Yes, there are a lot of acronyms flying around, but what matters is the relationships between them. The Security Standards Council (PCI SSC) defines and updates the Data Security Standard (PCI DSS), which in turn defines the merchant’s requirements for card processing security. The Council also maintains the Payment Application Data Security Standard (PA-DSS), which POS software vendors must follow for payment applications they sell, distribute or license to third parties. Service providers that store, process or transmit cardholder data on a merchant’s behalf are themselves subject to PCI DSS. The key point to remember is that a merchant using a PA-DSS validated payment application is NOT automatically PCI DSS compliant: PA-DSS covers only the application, while the Data Security Standard imposes 12 general requirements on the merchant’s entire cardholder data environment, including the network, the systems around the application, and the people and processes that touch card data.
Merchants are required to meet the Data Security Standard (PCI DSS) and, if required by their acquiring banks, either be assessed on site by a Qualified Security Assessor (QSA) or complete an annual Self-Assessment Questionnaire (SAQ). There are four SAQs (A, B, C and D) in the version of the standard current when this was written, chosen according to how transactions are handled and whether cardholder data is retained; the Council revises the list with each release of the standard, so confirm the current set on its website (see PCI-DSS: Card Retention Options and SAQs).
A merchant may need assistance in completing the Self-Assessment Questionnaire. For that purpose the merchant may enlist the help of a Qualified Security Assessor (QSA), who understands the Data Security Standard (PCI DSS), and may also need quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). The Council (PCI SSC) qualifies the QSAs and ASVs, and also Payment Application Qualified Security Assessors (PA-QSA), who must be used to validate that a payment application meets PA-DSS.
PCI DSS Requirements
The PCI Data Security Standard comprises 12 general requirements for protecting cardholder information. Not all requirements apply to every merchant; which ones apply depends on which SAQ applies (see the related article PCI-DSS: Card Retention Options and SAQs). Again, directly from the PCI website (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml):
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Disclaimer: This article is intended to provide an introduction to the PCI Data Security Standard and the relationships between various security providers. This author has been careful to directly quote the PCI SSC website for most of this material and believes it must be the ultimate source for learning and understanding the standards and organizations. This author has also used articles such as this one to better understand these requirements and has encountered contradictions and especially dated materials while researching this. While the basics will help the reader put this puzzle together, the author strongly encourages you to utilize the valuable resource of the PCI SSC website for clarifications: www.pcisecuritystandards.org.
Tachibana says
Certainly processing credit cards on employee phones is a risky proposition, and the investment required for wireless devices that must be dedicated to Point of Sale seems too high a price for the benefits. It seems to me that the appeal of a mobile POS solution is to utilize technology that everyone already has. While I am sure this technology is coming, security must come first for all retailers. I’d rather wait until the costs and risks both come down as they always do. It will be fun to participate as this technology develops.
Tim Smyth says
Tachibana, You hit the nail on the head. I believe the solution lies more in getting the PCI Data Security Council to accept End to End encryption to remove the technology platform from scope as it’s outside the Cardholder Data Environment – but they haven’t even done that for network based PCs yet. This is a big reason our focus is not to put POS in the pocket of sales associates – we want to free them from being tied to the POS.