Requirements
The current version of the standard is v2.0, released on 26/10/2010. PCI DSS v2.0 must be adopted by all
organisations with payment card data by 1st January 2011, and from 1st January 2012 all assessments must be under
version 2.0 of the standard. PCI DSS version 2.0 contains two (2) new or evolving requirements out of 132 changes;
the remaining changes and enhancements fall under the category of clarification or additional guidelines.[2] The table
below summarizes the points from v1.2 (01/10/2008)[3] and specifies the 12 requirements for compliance, organized into
six logically related groups called "control objectives."
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
History
PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site
Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the
JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of
protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and
transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15
December 2004, these companies aligned their individual policies and released the Payment Card Industry Data
Security Standard (PCI DSS).
In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to
version 1.0.
Version 1.2 was released on October 1, 2008.[4] Version 1.1 "sunsetted" on December 31, 2008.[5] Version 1.2 did not
change the requirements; it only enhanced clarity, improved flexibility, and addressed evolving risks and threats. In
August 2009 the PCI SSC announced[6] the move from version 1.2 to version 1.2.1 for the purpose of making minor
corrections designed to create more clarity and consistency among the standards and supporting documents.
validation one day after it had been made aware of a two-month long compromise of its internal systems;[29] fail to
appropriately assign blame in their blasting of the standard itself as flawed, as opposed to the more truthful
breakdown in merchant and service provider compliance with the written standard, albeit in this case having not
been identified by the assessor.
Other, more substantial, criticism lies in that compliance validation is required only for Level 1-3 merchants and may
be optional for Level 4, depending on the card brand and acquirer. Visa's compliance validation details for merchants
state that Level 4 merchants' compliance validation requirements are set by the acquirer;[30] Visa Level 4 merchants
are "Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants
processing up to 1 million Visa transactions annually". At the same time, 80% of payment card compromises since
2005 affected Level 4 merchants.[31]
Compliance as a Snapshot
The state of being PCI DSS compliant might appear to have some temporal persistence, at least from a merchant
point of view. In contrast, the PCI Standards Council General Manager Bob Russo has indicated that liabilities could
change depending on the state of a given organization at the point in time when an actual breach occurs.[32]
Costs
Similar to other industries, a secure state could be more costly to some organizations than accepting and managing
the risk of confidentiality breaches. However, many studies have shown that this cost is justifiable.[33]
References
[1] Sidel, Robin (2007-09-22). "In Data Leaks, Culprits Often Are Mom, Pop" (http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts). The Wall Street Journal.
[2] http://grc360.net/cms/2010/pci-dss-ver-2-0-quick/
[3] PCI DSS - PCI Security Standards Council (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml)
[4] PCI Security Standards Council Releases Version 1.2 of PCI Data Security Standard (https://www.pcisecuritystandards.org/pdfs/pr_080930_PCIDSSv1-2.pdf)
[5] Supporting Documents PCI DSS (https://www.pcisecuritystandards.org/security_standards/supporting_documents_home.shtml)
[6] https://www.pcisecuritystandards.org/pdfs/statement_090810_minor_corrections_to_standards.pdf
[7] Information Supplement: Requirement 11.3 Penetration Testing (https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf)
[8] Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified (https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf)
Payment Card Industry Data Security Standard 6
[9] Navigating the PCI DSS - Understanding the Intent of the Requirements (https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf)
[10] "PCI DSS Wireless Guidelines" (https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf). Retrieved 2009-07-16.
[11] https://www.pcisecuritystandards.org
[12] "Don’t Let Wireless Detour your PCI Compliance" (http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/PCI_Wireless_Whitepaper.pdf). Retrieved 2009-07-22.
[13] "Walk Around Wireless Security Audits – The End Is Near" (http://www.airtightnetworks.com/fileadmin/pdf/whitepaper/WP_WalkAroundWireless.pdf). Retrieved 2009-07-22.
[14] "Webinar on Wireless Security as SaaS by Gartner Analyst John Pescatore" (http://www.airtightnetworks.com/fileadmin/content_images/news/webinars/SaaS/player.html). gartner.com. Retrieved 2009-04-24.
[15] "SaaS offerings for wireless PCI compliance" (http://www.infosecurity-us.com/view/9661/comment-saas-offerings-for-wireless-pci-compliance/). Retrieved 2010-05-25.
[16] "Security SaaS hits WLAN community" (http://www.networkworld.com/newsletters/wireless/2008/040708wireless1.html). networkworld.com. Retrieved 2008-04-07.
[17] "New Low-Cost Wireless PCI Scanning Services; New Offerings Satisfy PCI DSS Requirements" (http://newsblaze.com/story/2009072205011500038.mwir/topstory.html). Retrieved 2009-07-22.
[18] http://www.icrewsecurity.com
[19] "Big-Time Wireless Security - As a Service" (http://www.networkworld.com/community/node/26755). networkworld.com. Retrieved 2008-04-08.
[20] "PCI compliance falls short of assuring website security" (http://searchsoftwarequality.techtarget.com/news/column/0,294698,sid92_gci1335662,00.html). Retrieved 2009-02-15.
[21] Jones, Michael (2009-03-31). "Testimony of Michael Jones Before the Emerging Threats, Cybersecurity, and Science and Technology Subcommittee" (http://www.homeland.house.gov/SiteDocuments/20090331142012-77196.pdf). Congress of the United States. Retrieved 2010-07-19.
[22] "Bruce Schneier reflects on a decade of security trends" (http://searchsecurity.techtarget.com.au/contents/21998-Bruce-Schneier-reflects-on-a-decade-of-security-trends). Retrieved 2009-02-15.
[23] Russo, Bob (2009-06-15). "Letter to NRF" (http://www.pcisecuritystandards.org/pdfs/statement090615_letter_to_nrf.pdf). PCI Council. Retrieved 2010-10-19.
[24] Vijayan, Jaikumar (2009). "Visa: Post-breach criticism of PCI standard misplaced" (http://www.cso.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced).
[25] "Heartland data breach sparks security concerns in payment industry" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126608).
[26] McGlasson, Linda (2008-04-04). "Hannaford Data Breach May Be Top of Iceberg" (http://www.bankinfosecurity.com/articles.php?art_id=810). BankInfo Security. Retrieved 2009-01-28.
[27] Goodin, Dan (2009). "TJX suspect indicted in Heartland, Hannaford breaches" (http://www.theregister.co.uk/2009/08/17/heartland_payment_suspect/).
[28] Spier, Peter (2010-03-22). "The QSA's Perspective: PCI Compliance Risk Abounds" (http://blogs.bankinfosecurity.com/posts.php?postID=492). BankInfo Security. Retrieved 2010-10-19.
[29] Vijayan, Jaikumar (2009-01-04). "PCI security standard gets ripped at House hearing" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130901&intsrc=news_ts_head). Computerworld Security. Retrieved 2009-05-04.
[30] Visa Merchant levels (http://usa.visa.com/merchants/risk_management/cisp_merchants.html)
[31] Pastor, Adrian (2009). "A Pentester’s Guide to Credit Card Theft Techniques" (http://2009.confidence.org.pl/materialy/prezentacje/adrian_pastor_confidence_2009.pdf).
[32] "Q and A: Head of PCI council sees security standard as solid, despite breaches" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Financial&articleId=9078059). Retrieved 2009-02-15.
[33] "PCI Cost Analysis Report: A Justified Expense" (http://www.solidcore.com/assets/PCI_Cost_Analysis.pdf). Solidcore Systems.
[34] http://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
[35] https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html
External links
• PCI DSS Standard (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml)
• PCI Quick Reference Guide (https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf)
• Online PCI DSS checking tool (free) (http://checkpcidss.com/)
License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/