PCI DSS Secure Payment
WHAT IS IT:
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
- Validation of compliance is performed annually or quarterly, by a method suited to the volume of transactions handled
- Self-Assessment Questionnaire (SAQ) — smaller volumes
- External Qualified Security Assessor (QSA) — moderate volumes
- Firm-specific Internal Security Assessor (ISA) — larger volumes; involves issuing a Report on Compliance
HOW DOES IT WORK:
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives”. The six groups are:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Each version of PCI DSS (Payment Card Industry Data Security Standard) has divided these requirements into sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard. Each requirement and sub-requirement is additionally elaborated in three sections:
- Requirement Declaration: the main description of the requirement. PCI DSS endorsement is granted on the basis of proper implementation of the requirements.
- Testing Processes: the processes and methodologies the assessor carries out to confirm proper implementation.
- Guidance: explains the core purpose of the requirement and provides content that can assist in defining it properly.
The twelve requirements for building and maintaining a secure network and systems can be summarized as follows:
- Installing and maintaining a firewall configuration to protect cardholder data. The purpose of a firewall is to scan all network traffic and block untrusted networks from accessing the system.
- Changing vendor-supplied defaults for system passwords and other security parameters. These passwords are easily discovered through public information and can be used by malicious individuals to gain unauthorized access to systems.
- Protecting stored cardholder data. Encryption, hashing, masking and truncation are methods used to protect cardholder data.
- Encrypting transmission of cardholder data over open, public networks. Strong encryption, including the use of only trusted keys and certificates, reduces the risk of being targeted by malicious individuals through hacking.
- Protecting all systems against malware and performing regular updates of anti-virus software. Malware can enter a network in numerous ways, including Internet use, employee email, mobile devices or storage devices. Up-to-date anti-virus software or supplemental anti-malware software will reduce the risk of exploitation via malware.
- Developing and maintaining secure systems and applications. Vulnerabilities in systems and applications allow unscrupulous individuals to gain privileged access. Security patches should be installed immediately to fix vulnerabilities and prevent exploitation and compromise of cardholder data.
- Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis.
- Identifying and authenticating access to system components. Each person with access to system components should be assigned a unique identification (ID) that allows accountability of access to critical data systems.
- Restricting physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secure to prevent the unauthorized access or removal of data.
- Tracking and monitoring all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities, which is critical to prevent, detect or minimize the impact of data compromises.
- Testing security systems and processes regularly. New vulnerabilities are continuously discovered. Systems, processes and software need to be tested frequently to uncover vulnerabilities that could be used by malicious individuals.
- Maintaining an information security policy for all personnel. A strong security policy includes making personnel understand the sensitivity of data and their responsibility to protect it.
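The "protecting stored cardholder data" and "tracking and monitoring all access" requirements above are the two that most often become application code. The following Python is an added example, not part of the original page or of the PCI DSS standard itself: it masks a PAN for display (the first six and last four digits, the format PCI DSS allows to be shown), truncates it to the last four for storage, replaces it with a keyed HMAC token, builds an audit record that carries the user's unique ID but never the full PAN, and scans sample log lines for full PANs that should not be there. The card numbers are standard test numbers and the log lines are constructed; `HMAC_KEY` is a placeholder that in a real deployment would come from a key-management system.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed sample PANs: well-known Luhn-valid test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

# Hypothetical key for tokenisation. In production this is fetched from a
# key-management system and rotated; it is hard-coded here only so the
# example runs offline.
HMAC_KEY = b"example-key-not-for-production"

# A run of 13-19 digits not touching other digits: the shape of a full PAN.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the middle replaced by '*'."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only the last four digits are needed (e.g. receipts)."""
    return pan[-4:]


def tokenize_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """Keyed hash of the PAN. Equal PANs map to equal tokens, so the token can
    be used for lookups and matching without the PAN being stored at all."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def build_audit_record(user_id: str, action: str, pan: str) -> dict:
    """Audit entry for one access to cardholder data. Carries the unique user
    ID required for accountability but only the masked PAN, never the full one."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "pan": mask_pan(pan),
        "token": tokenize_pan(pan),
    }


def find_leaked_pans(line: str) -> list:
    """Digit runs in a log line that look like real PANs (Luhn-valid)."""
    return [m for m in PAN_RE.findall(line) if luhn_valid(m)]


def scan_log(lines) -> list:
    """Return (line_index, [leaked PANs]) for every line that leaks a full PAN."""
    findings = []
    for i, line in enumerate(lines):
        leaked = find_leaked_pans(line)
        if leaked:
            findings.append((i, leaked))
    return findings


# Constructed log lines: line 1 is the kind of debug output that must not exist.
SAMPLE_LOG_LINES = [
    "user=alice action=refund pan=411111******1111 amount=12.50",
    "user=bob action=debug pan=4111111111111111 amount=3.00",
    "user=carol action=lookup token=9f2c3a ref=20240101 amount=0",
]

if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), truncate_pan(pan), tokenize_pan(pan)[:16], luhn_valid(pan))
    print(build_audit_record("alice", "refund", SAMPLE_PANS[0]))
    print("leaks:", scan_log(SAMPLE_LOG_LINES))
```

The Luhn check is used only to cut false positives from the log scanner (order numbers and timestamps rarely pass it); it is not a security control. Because the token is an HMAC rather than a plain hash, an attacker who obtains the token table cannot rebuild PANs by hashing the small space of Luhn-valid numbers without also obtaining the key.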
3D Secure Payment
WHAT IS IT:
Payment “3D Secure”, “Verified by Visa” or “SecureCode” is a security system for online card payments.
Specifically, this system verifies the identity of the buyer during the purchase process, protecting the payment information during the operation. That is, it guarantees that the user is identified and verified as the real cardholder.
It helps ensure payments are made by the rightful account owner, so online purchases are more secure. Its goal is that your online transactions are as safe, fast and convenient as the purchases you make in a store.
You get an extra layer of security to protect your identity and your online shopping experience.
HOW DOES IT WORK:
3D Secure is a three-part process (hence the name); the three parties are:
- The ecommerce site that sells the product or service.
- The “buyer”, which actually refers to the bank of the user who is making the purchase.
- The card issuer (such as Visa or MasterCard).
The system transfers information between the ecommerce site and the issuer of the card of the user making the purchase. The information transferred consists of a history of data from the user's previous purchases. The more information transmitted, the greater the security. This is a quick process that goes unnoticed by the buyer.
This service is offered only by some of the largest payment companies, such as Visa or Mastercard.