first time PCI DSS Compliance

PCI DSS Compliance for dummies

/in ,

【PCI DSS Compliance for dummies】

Even Cybersecurity Beginners Can Achieve Compliance

Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.

As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.

To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.

The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.

When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):

Table of Contents

What is PCI DSS ?

PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.

PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.

PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.

Who needs PCI DSS Certification?

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

Step 1: To determine whether the entity is a Merchant or Service Provider.

Merchants

Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.

Service Providers

Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.

Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.

Level 1 Merchants and Service Providers

require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.

Level 2-4 Merchants and Level 2 Service Providers

can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.

Service Provider & Merchant

Who can assist PCI DSS Certification?

For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.

QSA (Qualified Security Assessor)

is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.

QSAC (Qualified Security Assessor Company)

employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.

How to choose QSA and QSAC?

  1. Visit [PCI Security Standards Council] to verify the certified QSA and QSAC.

  2. Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
  3. Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
  4. Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.

By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.

How to do?

PCI DSS Compliance Assessment normally consists of 4 main stages:

1. Preparation Stage

Scope Confirmation and Consulting phase.

**Scope Confirmation**

  • Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
  • Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.

**Consultation Phase**

  • Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
  • Security Training: Provide employees with relevant security training to enhance overall security awareness.

2. Data Preparation Phase

Preparation and Implementation of Necessary Controls

**Data Preparation**

● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance.
● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.

3. Assessment Phase

QSA Conducts On-Site Assessment.

**Audit Execution**

● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.

● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.

4. Report Phase

QSA Writes and Submits Compliance Reports and Certifications

● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).

● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.

● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.

How long does it take?

The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:

  1. Preparation Stage(1-2 months):Environment Verification and Consultation Phase.

  2. Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.

  3. Assessment Stage (5-7 days): On-site Assessment conducted by QSA.

  4. Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.

PCI DSS Certification timeline

Actual timelines may vary due to the following factors:

  • Preparedness: The extent of preparation before certification can expedite the process.
  • Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
  • Resources invested by the company (including manpower, time, and budget) and efficiency in project management.


To ensure an efficient process, it is recommended to:

  • Begin preparation: As early as possible, especially organizing documents and policies.
  • Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
  • Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.

How much does it cost?

Estimated Additional Costs for 1st-time PCI DSS Compliance

A. System

Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.

B. Security Equipment

Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).

C. Data Encryption Equipment

Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.

D. Personnel Training

PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.

E. Technical Test

PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.

F. Other

If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP (Service Provider Registration).

For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:

PCI DSS extra cost for first time

PCI DSS Certification Costs

In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.

The estimated assessment time depends on the following factors:

  1. System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.

  2. Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.

  3. Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.

  4. Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.

  5. Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.

Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.

However, an actual quotation depends on the complexity factors mentioned above.

Who needs PCI DSS Compliance?
Which SAQ Type?

Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.

PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?

It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.

After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.

*For more information about PCI Compliance Services, please feel free to contact us.

PCI DSS v4.0

Which SAQ Type?

/in ,
PCI DSS Self-Assessment Questionnaire  (SAQ) PCI DSS Self-Assessment Questionnaire (SAQ), applicable to Level 2-4 merchants and Level 2 service providers under Visa’s regulations, as an example.

5 Steps to complete SAQ:

  1. Select the appropriate SAQ type for your organization.

  2. Confirm your PCI DSS scope.
  3. Self-assess with relevant PCI DSS requirements.
  4. Complete the SAQ document, including Assessment information, Self-Assessment Questionnaire (SAQ), and detailed evidence submission.
  5. Submit the SAQ assessment results, Attestation of Compliance (AOC), and related information to the requesting organization.
It’s crucial, Select the appropriate SAQ type!

There are 9 different types of PCI DSS SAQs, each corresponding to different payment services. The determination criteria for each type depend on the specific payment services you offer. Typically, this determination is communicated by the acquirer or assessed by a Qualified Security Assessor (QSA) reviewing Cardholder Data Environment (CDE), Operational Processes involving Cardholder Data (such as Card Numbers), and Data Flows to accurately determine your applicable SAQ type.

For your preliminary assessment, refer to PCI DSS SAQ types provided below.

If you need more information about SAQ types and achieve PCI DSS compliance effectively and accurately, the professional advice from QSA or QSAC is highly recommended. Their expertise can provide valuable insights tailored to your specific needs and ensure your compliance in the most effective manner possible.

Are you ready for PCI DSS v4.0

Are you ready for PCI DSS v4.0

/in ,
Read more

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

PCI DSS v4.0

Which SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


Payment Security Market to Reach $24.6 Billion by 2022: Driven by the Need to Adhere to PCI DSS Guidelines & the Rise in Fraudulent Activities in Ecommerce

/in

The Payment Security Market by Solution, Service, Organization Size, Industry Vertical, and Region in 2022

The global payment security market size is expected to grow from USD 11.39 Billion in 2017 to USD 24.63 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 16.7%. The major growth drivers of the market include increased adoption of digital payment modes, need to adhere to PCI DSS guidelines, and rise in fraudulent activities in Ecommerce. The payment security market is segmented by component (solution and service), organization size, industry vertical, and region. The solutions segment in the market is expected to have a larger market size than the services segment during the forecast period. The reason behind the high growth rate is the increased need to secure online business sensitive transactions from advanced cyber-attacks.

The support services segment is expected to grow at a higher CAGR during the forecast period with the largest market size. The large enterprises segment is expected to account for a larger market size in 2017. However, the Small and Medium-Sized Enterprises (SMEs) segment is expected to grow at a higher CAGR during the forecast period, as SMEs are mainly adopting payment security solutions to protect the customer-sensitive bank account data from network vulnerabilities and attacks.

Payment security solutions and services are deployed across various industry verticals, including retail; travel and hospitality; IT and telecom; healthcare; education; media and entertainment; and others. The education vertical is expected to grow at the highest CAGR during the forecast period. However, the retail vertical is expected to have the largest market size in 2017, as retailers are using various interesting ways such as, offers and discounts to attract customers for online shopping. Therefore, the adoption of the payment security solutions is increasing in the retail sector.

On the basis of regions, the global payment security market has been segmented into North America, Europe, Asia Pacific (APAC), Middle East and Africa (MEA), and Latin America to provide a region-specific analysis. The North American region, followed by Europe, is expected to be the largest revenue-generating region for payment security service vendors in 2017. In the developed economies of the US and Canada, there is a high focus on innovations obtained from Research and Development (R&D) and payment security technologies. The APAC region is expected to be the fastest-growing region in the market. The growth in this region is primarily driven by the increasing adoption of advanced payment technologies within organizations to perform business transactions.

 

 

 

 

Research and Market, dated 1 August 1, 2017
http://www.researchandmarkets.com