ISA_Part-1

Cards (196)

  • PCI SSC
    Independent industry standards body providing oversight of the development and management of Payment Card Industry Data Security Standards on a global basis
  • PCI SSC founding payment brands
    • American Express
    • Discover Financial
    • JCB International
    • MasterCard
    • Visa, Inc.
  • PCI Standards
    • PCI DSS
    • PCI PA-DSS
    • PCI P2PE
    • PCI PTS - POI
    • PCI PTS - PIN Security
    • PCI PTS - HSM
    • PCI Card Production
  • PCI DSS
    Covers security of the environments that store, process, or transmit account data
  • PCI PA-DSS
    Covers secure payment applications to support PCI DSS compliance
  • PCI P2PE
    Covers encryption, decryption, and key management requirements for point-to-point encryption solutions
  • PCI PTS - POI
    Covers the protection of sensitive data at point-of-interaction devices and their secure components, including cardholder PINs and account data, and the cryptographic keys used in connection with the protection of that cardholder data
  • PCI PTS - PIN Security
    Covers secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing
  • PCI PTS - HSM
    Covers physical, logical and device security requirements for securing Hardware Security Modules (HSM)
  • PCI Card Production
    Covers physical and logical security requirements for the systems and business processes involved in payment card production and provisioning (e.g. card manufacturing, personalization and PIN distribution)
  • PA-DSS
    Applies to third-party payment applications that store, process or transmit cardholder data as part of authorization and/or settlement and are sold, distributed or licensed to other entities
  • Use of a PA-DSS validated application alone does not guarantee PCI DSS compliance
  • PA-DSS applications are in scope for PCI DSS
  • The assessor must validate that the payment application is installed per the instructions in the PA-DSS Implementation Guide provided by the payment application vendor, and in a PCI DSS compliant manner
  • Requirements for a PCI P2PE solution
    • Secure encryption of payment card data at the point-of-interaction (POI)
    • P2PE-validated application(s) at the point-of-interaction
    • Secure management of encryption and decryption devices
    • Management of the decryption environment and all decrypted account data
    • Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage
  • Merchants may be able to reduce their PCI DSS scope when using Council-listed P2PE solutions
  • PCI DSS applies to all entities involved in payment card processing, and any entity that stores, processes, or transmits account data
  • PA-DSS and PCI DSS
    Payment applications must facilitate and not prevent PCI DSS compliance
  • P2PE and PCI DSS
    Incorporates requirements from PTS, PCI DSS, PA-DSS, and PCI PIN to protect account data from the point of capture until it reaches the payment processor
  • When properly implemented and maintained, Council-listed P2PE solutions may help reduce work involved during a merchant's PCI DSS assessment
  • PCI PTS
    Requirements apply to: Point of Interaction (POI) devices; Encrypting PIN Pads (EPPs); Point of Sale (POS) devices; Hardware (or host) Security Modules (HSMs); Unattended Payment Terminals (UPTs); and non-PIN entry modules
  • PCI PTS program
    Ensures terminals cannot be manipulated or attacked to allow the capture of Sensitive Authentication Data, nor allow access to clear-text PINs or cryptographic keys
  • Secure Reading and Exchange of Data (SRED)
    PTS POI approval module that allows terminals to be approved for the secure encryption of account data, as required for a device used in a Point-to-Point Encryption (P2PE) solution
  • PCI PIN Security Requirements
    Provide for secure PIN management, processing, and transmission
  • PCI PTS - POI and PCI DSS
    • PCI DSS requires that account data be protected both when stored and when transmitted across open, public networks
    • PCI PTS POI validates how POIs protect PIN and account data and manage cryptographic keys
    • PCI PTS POI-approved devices may form part of a PCI DSS-compliant environment
  • PCI DSS prohibits storage of PINs and PIN blocks after authorization, even if encrypted (they are Sensitive Authentication Data)
  • Procedures for assessing card production facilities are defined and managed by the payment brands, not by PCI SSC
  • Use of a Hardware Security Module is not required by PCI DSS, but may help with handling and managing keys used to protect stored cardholder data
  • Cardholder
    Customer purchasing goods or services, either in a "Card Present" or a "Card Not Present" transaction
  • Issuer
    Bank or other organization issuing a payment card on behalf of a payment brand (e.g. MasterCard and Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB)
  • Merchant
    Organization accepting the payment card for payment during a purchase
  • Acquirer
    Bank or entity the merchant uses to process their payment card transactions
  • Service Provider
    Business entity that is not a payment brand and is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity; this also includes companies providing services that control or could impact the security of cardholder data
  • Entities often use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components of their CDE
  • Service Provider Examples
    • Transaction Processors
    • Payment Gateways
    • Independent Sales Organizations (ISOs) or External Sales Agents (ESAs)
    • Customer Service functions
    • Remittance processing companies
    • Managed firewall and IDS service providers
    • Web Hosting and Data Center Hosting providers
    • Offsite data storage facilities
  • An entity that provides only public network access (such as a telecommunications company providing just the communication link) is not considered a service provider, as the entity using the communication link is responsible for securing transmissions of data over that link
  • Payment Brand Compliance Programs
    • American Express: Data Security Operating Policy (DSOP)
    • JCB: Data Security Program
    • Discover: Discover Information Security Compliance (DISC)
    • Mastercard: Site Data Protection (SDP)
    • Visa Inc: Cardholder Information Security Program (CISP)
    • Visa Europe: Account Information Security (AIS) Program
  • Payment Brand Compliance Programs include
    • Tracking and enforcement
    • Penalties, fees, compliance deadlines
    • Validation process and who needs to validate
    • Approval and posting of compliant entities
    • Definition of merchant and service provider levels