These days, if you are building an app that accepts payments, the payment providers you can use to manage payments (e.g. PayPal or Stripe) offer services such that you don’t need to know about PCI DSS. They do an incredible job of abstracting all of that away from you. So what is PCI DSS and what does it mean? Payment Card Industry Data Security Standard (PCI DSS) compliance is required of merchants (start-ups or enterprises) that handle credit card data, and a merchant’s PCI DSS compliance ensures the security of cardholder data. This article explores what PCI DSS compliance is and the requirements that vendors need to meet in order to be PCI DSS certified.

Introduction

As the world moved online to purchase services, there was a substantial increase in online credit card transactions. The large volume of credit card transactions put cardholder data at risk and increased the probability of credit card fraud. Hence, around 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed with the goal of putting in place processes to ensure the safety of cardholder data. PCI SSC is an administrative entity composed of MasterCard, American Express and Visa, amongst others; it developed the PCI DSS standard and is responsible for its governance and continued development. The PCI DSS standard covers credit cards from all major card providers and is composed of 12 mandatory requirements that a merchant accepting online credit card transactions must comply with to be PCI DSS certified. To further ensure the safety of cardholder data, the governing body has mandated that a merchant’s PCI DSS compliance status be validated quarterly or annually, relative to the volume of the merchant’s transactions.

PCI DSS compliance requirements

For a business to be PCI DSS compliant, it needs to ensure its systems meet the following 12 criteria.

1. Install and maintain a firewall configuration to protect cardholder data
   To ensure a secure network is maintained, with:
   - correctly configured firewalls with appropriate rules for incoming and outgoing traffic
   - a standardised process to toggle access
   - rules to be renewed bi-annually

2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Focusing on all organisation hardware, such as servers, web servers, access points or network devices, which cannot be accessed using the default username and password. In addition, maintain:
   - an inventory of all hardware
   - documentation on removing default settings

3. Protect stored cardholder data
   To ensure the safety of cardholder data:
   - follow the rules on how primary account numbers are displayed
   - know the data being stored, as well as its physical location and retention period
   - ensure the data is encrypted using industry-accepted algorithms
   - lastly, have a well-defined encryption key management process

4. Encrypt transmission of cardholder data across open, public networks
   Ensure the safety of cardholder data such that:
   - data being transmitted over the network is encrypted
   - data is transmitted over a secure protocol, e.g. TLS or SSH

5. Use and regularly update anti-virus software or programs
   Any device, whether used onsite or remotely, is susceptible to malware. Hence, ensure:
   - all employee devices have anti-virus software installed
   - the anti-virus solution is updated regularly

6. Develop and maintain secure systems and applications
   Patch all systems within the card data environment, including:
   - operating systems
   - firewalls, routers, switches
   - application software
   - databases
   - POS terminals (if any; applies to branches)

7. Restrict access to cardholder data by business need to know
   Implement role-based access control (RBAC) to toggle access to card data and systems. Maintain a list of users who need to access cardholder data. The list should have:
   - a clear definition of the role
   - its existing privilege level
   - its expected privilege level

8. Assign a unique ID to each person with computer access
   This requirement is about ensuring every user:
   - has a unique ID
   - has a complex password
   - has two-factor authentication for remote admin access

9. Restrict physical access to cardholder data
   This requirement focuses on the physical security of the data centre, such that unauthorised persons cannot gain entry.

10. Track and monitor all access to network resources and cardholder data
   Ensure the system has sufficient logging mechanisms in place to:
   - log system events to a server
   - give the capability to review them to look for anomalies
   - construct an audit trail of records that meet a pre-defined standard for the information contained
   PCI DSS requires this data to be stored securely and must not be stored for more than a year.

11. Regularly test security systems and processes
   This mandates the following activities:
   - a wireless analyser to scan for all authorised and unauthorised access points each quarter
   - external IPs and domains exposed in the CDE (cardholder data environment) to be scanned by a PCI approved scanning vendor
   - internal vulnerability scans to be done quarterly
   - external IPs to go through application and network penetration tests annually or when there is a significant change

12. Maintain a policy that addresses information security for all personnel
   Implement, maintain and review an information security policy for all employees and other relevant parties. Also perform:
   - an annual formal risk assessment
   - user awareness training
   - employee background checks
   - incident management
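Requirement 3 above says to follow the display rules for primary account numbers and to keep stored cardholder data unreadable. The following Python is an added example written for this post (not code from the original article): it validates a PAN with the Luhn checksum, masks it for display so that at most the first six and last four digits are visible, keeps only a keyed one-way hash plus the last four digits instead of the clear PAN, and scrubs PAN-looking strings out of log lines before they are written. The PAN_HASH_KEY value is a constructed placeholder; where the real key lives and how it is rotated is the key-management process the requirement asks for, and is not shown here.

```python
"""Added example (not from the post): handling a primary account number (PAN)
along the lines of PCI DSS requirement 3. Key storage and rotation are out of
scope; PAN_HASH_KEY below is a constructed placeholder."""
import hashlib
import hmac
import re

# Constructed placeholder. A real deployment fetches this from an HSM or
# secrets manager and rotates it under the key-management process.
PAN_HASH_KEY = b"placeholder-key-from-key-management-system"

# 13 to 19 digits, optionally separated by spaces or dashes, starting and
# ending with a digit so trailing separators are not swallowed.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before they are processed."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip separators and validate length and checksum."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


def mask_pan(raw: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    pan = normalise_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_storage_record(raw: str) -> dict:
    """What the merchant database keeps instead of the clear PAN: a keyed
    one-way hash usable for lookups, plus the last four for customer display."""
    pan = normalise_pan(raw)
    token = hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {"pan_hmac": token, "last4": pan[-4:]}


def redact_log_line(line: str) -> str:
    """Mask anything that looks like a valid PAN before it reaches the logs,
    so the audit trail of requirement 10 never holds clear cardholder data."""
    def _mask(match: re.Match) -> str:
        candidate = re.sub(r"[\s-]", "", match.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else match.group(0)
    return PAN_PATTERN.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample input (a well-known test number, not a live card).
    sample = "4111 1111 1111 1111"
    print(mask_pan(sample))
    print(pan_storage_record(sample))
    print(redact_log_line("order 42 pan=4111-1111-1111-1111 ok"))
```

The storage record deliberately contains nothing that can be reversed into the PAN without the key, which is why the key itself has to be managed separately from the database that holds the hashes.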

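Requirements 7 and 10 together describe a need-to-know list for cardholder data and an audit trail that can be reviewed for anomalies, with each record holding a pre-defined set of fields. The Python below is an added example for this post (not code from the original article) showing what such a review can look like over a handful of constructed log lines: it rejects records missing the expected fields, flags reads of cardholder-data resources by users who are not on the need-to-know list, and flags bursts of failed logins. The key=value log format, the field names, the role list, the resource names and the five-failures-in-ten-minutes threshold are all assumptions made for the example.

```python
"""Added example (not from the post): reviewing an access audit trail in the
spirit of PCI DSS requirements 7 and 10. Log format, field names, role list
and thresholds are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Fields every audit record is expected to carry (assumed key names).
REQUIRED_FIELDS = {"ts", "user", "action", "resource", "result", "src"}

# Constructed need-to-know list (requirement 7) and the resources it covers.
CARDHOLDER_DATA_ROLES = {"alice": "payments-ops", "bob": "fraud-analyst"}
CARDHOLDER_RESOURCES = {"cardholder_db", "pan_vault"}

# Assumed threshold for a failed-login burst.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample log lines; the last one is missing its src field.
SAMPLE_LOG = """\
ts=2024-03-01T10:15:02Z user=alice action=read resource=cardholder_db result=success src=10.0.1.5
ts=2024-03-01T10:16:40Z user=carol action=read resource=cardholder_db result=success src=10.0.1.9
ts=2024-03-01T10:17:00Z user=bob action=read resource=pan_vault result=success src=10.0.1.7
ts=2024-03-01T11:00:01Z user=dave action=login resource=admin_portal result=failure src=203.0.113.4
ts=2024-03-01T11:00:05Z user=dave action=login resource=admin_portal result=failure src=203.0.113.4
ts=2024-03-01T11:00:09Z user=dave action=login resource=admin_portal result=failure src=203.0.113.4
ts=2024-03-01T11:00:14Z user=dave action=login resource=admin_portal result=failure src=203.0.113.4
ts=2024-03-01T11:00:20Z user=dave action=login resource=admin_portal result=failure src=203.0.113.4
ts=2024-03-01T11:05:00Z user=alice action=read resource=cardholder_db result=success
"""


def parse_line(line: str):
    """Parse space-separated key=value pairs; None for a malformed line."""
    rec = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    return rec


def review_audit_trail(log_text: str) -> list:
    """Return (finding, line_number, detail) tuples for anomalies found."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or not REQUIRED_FIELDS <= set(rec):
            # Incomplete records cannot serve as audit evidence; report them.
            missing = sorted(REQUIRED_FIELDS - set(rec)) if rec else ["unparseable"]
            findings.append(("incomplete_record", lineno, ",".join(missing)))
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        # Requirement 7: only users on the need-to-know list may touch CHD.
        if rec["resource"] in CARDHOLDER_RESOURCES and rec["user"] not in CARDHOLDER_DATA_ROLES:
            findings.append(("unauthorised_chd_access", lineno, rec["user"]))
        # Requirement 10: look for anomalies such as repeated failed logins.
        if rec["action"] == "login" and rec["result"] == "failure":
            window = failures[rec["user"]]
            window.append(ts)
            while window and ts - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)            # drop failures older than the window
            if len(window) == FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", lineno, rec["user"]))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```

In a real deployment the need-to-know list would be the role inventory the requirement asks you to maintain, read from the access-control system rather than hard-coded, and the findings would feed the incident-management process of requirement 12.
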
Summary

In its current state, while the Mesh can satisfy most of these requirements from an infrastructure standpoint, it was built as an internal marketplace for APIs rather than for handling credit card transactions.

If you find any of my posts useful and want to support me, you can buy me a coffee 🙂

https://www.buymeacoffee.com/bhumansoni
