3/30/2017 01:35 PM
Rob Martin
Commentary

Payment Card Industry Security Compliance: What You Need to Know

A quick refresher on all the different PCI SSC security standards that are relevant for organizations that accept electronic payments.

In the dynamic world of payments, transaction security is of paramount importance. When we speak with our customers and partners, the topic of payment security and Payment Card Industry (PCI) compliance always comes up. Although there is a lot of useful information about payment security available, the industry is also filled with many questions regarding PCI. So, with the latest PCI Data Security Standard update and the release of the latest security standards for payment terminals, now is a great time to provide a quick refresher on PCI compliance and the various security standards merchants need to know.

The PCI Council and its various Security Standards
The Payment Card Industry Security Standards Council (PCI SSC) is a global, open body created to develop, enhance, distribute, and assist with the understanding of security standards for payment security. The council also provides the critical tools needed to implement those standards. Below is a list of the different PCI SSC security standards that are relevant for organizations that accept electronic payments.

1. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) covers the security of the cardholder data environment, that is, the IT systems that process, store, and transmit credit and debit card information. Most merchants are familiar with PCI DSS through their annual assessments. Because the threat landscape that merchants and payment providers face is not static, neither are the standards for protecting the cardholder data environment. PCI SSC has released updates to version 3 (the latest being version 3.2) in response to those evolving threats.

2. PA DSS
The Payment Application Data Security Standard (PA DSS) covers security for payment applications that access cardholder data. A payment application is software that is developed to help merchants process electronic payments, including magnetic stripe, EMV (Europay, MasterCard, and Visa), and contactless transactions. This standard ensures that third-party payment applications properly handle cardholder data and meet industry best practices for secure application development.

3. PCI PTS
The Payment Card Industry PIN Transaction Security (PCI PTS) standard is a set of technical and operational requirements for payment terminals focused on protecting cardholder data. The PCI PTS standard is modular, covering hardware and firmware security requirements to protect against physical, logical, and network tamper attacks. The PCI PTS requirements now include security requirements for open protocols — such as TCP/IP, TLS, Bluetooth, and USB — and the ways cardholder data are read and encrypted through the Secure Reading and Exchange of Data module.

PCI PTS standards are updated on a three-year cycle. Unlike most other PCI standards, PCI PTS does not involve point-in-time assessments. Instead, terminals are submitted to approved third-party labs for evaluation against the then-current PTS version. On approval, a Letter of Approval (LOA) is issued with the validity period for the evaluated version of the specification.

Version 1: LOAs expired April 30, 2014
Version 2: LOAs expire April 30, 2017
Version 3: LOAs expire April 30, 2020
Version 4: LOAs expire April 30, 2023
Version 5: LOAs expire April 30, 2026

Terminal manufacturers can't ship a terminal once the LOA for the terminal has expired; however, repairs and warranty replacements are still allowed. The expiration of a terminal's PCI PTS LOA does not, per se, affect the ability of a merchant to continue to use the terminal. Sunset dates for terminals are set by the individual card brands and PCI, both of which recommend that merchants choose terminals that meet the highest security standards and also meet their specific needs.

4. PCI P2PE
The Payment Card Industry Point-to-Point Encryption (PCI P2PE) standard is a set of security requirements that cover all aspects of a P2PE solution, including the payment terminal, terminal application, deployment, key management, and decryption environment. PCI P2PE validated solutions are the "gold standard" for the protection of cardholder data. Merchants that use PCI P2PE validated solutions receive significantly reduced scope of their PCI DSS assessments through the use of Self-Assessment Questionnaire P2PE. PCI P2PE validated solutions are listed on the PCI SSC website.

Who Needs to Be PCI Compliant?
Accepting electronic payments involves handling sensitive cardholder information, and keeping it secure needs to be a top priority for businesses that accept, process, or transmit credit card information. In simple terms, if you accept electronic payments for selling goods or services, your business needs to be PCI compliant. Businesses that fail to meet the relevant PCI compliance standards not only put sensitive cardholder data at risk, but they're also subject to heavy fines.

Evolution of PCI Standards
The technology to accept payments is constantly evolving, and so are the ways to protect sensitive customer information, such as credit card details, from cyberthreats. The PCI SSC is constantly working toward improving its security standards to align with the changing needs of the payments industry. The last iteration of the PCI DSS standard expired in October 2015, and a new version, PCI DSS 3.2, will be enforced starting in November. These updates include a number of clarifications, updated guidance, and some new requirements. You can read more about the new version on the PCI Security Standards Council's website.

Dr. Robert Martin serves as Vice President of Security Solutions, Ingenico Group/North America. Dr. Martin is active within several industry security bodies and has been involved in the technical and product end of the payments business since 2000. Prior to joining Ingenico ...