What is PCI?

• PCI - Payment Card Industry
  
  
• PCI PA-DSS - Payment Card Industry Payment Application-Data Security Standards
  
  
• PCI DSS - Payment Card Industry Data Security Standard
  
  
• PCI SSC - Payment Card Industry Security Standards Council

PCI is used in multiple contexts to denote Payment Card Industry:

PCI SSC is the Payment Card Industry Security Standards Council that was launched on September 7th, 2006, with the goal of managing the ongoing evolution on the payment card security and compliance.

PCI DSS is the Payment Card Industry Data Security Standard which consists of 12 requirement designed to ensure ALL companies that process, store or transmit credit card information maintain a secure environment.

PCI PA-DSS is the Payment Card Industry Payment Applications-Data Security Standard, consisting of 14 requirements to ensure vendors provide products which support merchant's efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.

PCI SSC, PCI DSS, PA-DSS and
Payment Systems Companies

PCI Security Standards Council (PCI SSC)

• Governing organization for the PCI security standards
  • PCI SSC is NOT responsible for enforcement of the PCI Security Standards.
    • Card brands enforce the requirements by imposing penalties, up to an including non-acceptance of credit cards.
      
      
  • Payment Systems companies is a participating organization
    • Advance review of standards and supporting materials before release.

PCI Data Security Standards (PCI DSS)

• Applies to Merchants, Processors, Acquirers, Issuers and Service Providers.
• Payment Systems company Hosted Solutions (i.e. On Demand)
• Payment Systems companies Customers

PCI Payment Applications Data Security Standards (PCI PA-DSS)

• Applies to software vendors of payment applications that store, process or transmit cardholder information for payment authorization or settlement.
  
  
• Some payment systems companies developed products validated against PA-DSS: E.g. BASE24-eps, BASE24, OpeN/2, Postilion, RCS, and others.

Importance of PCI DSS Validation

Why is it important for Payment Systems companies to Provide PA-DSS Validated Applications?

The payment systems companies PA-DSS validated applications provide their customers and potential customers the assurance that their payment applications are developed to meet stringent data protection requirements and enforce a high level of security.

Secure payment applications minimize the potential for security breaches leading to compromises of primary account number (PAN), full track data, card verification codes and values (CAV2, CID, CVC2, CVV20), PINs and PIN blocks, and the damaging fraud resulting from these breaches.

Payment card brands enforce their own PA-DSS related programs, and can set fines or penalties related to use of non-compliant payment applications.

By staying compliant, Payment systems companies are part of a united, global response to fighting payment card data compromise.

Payment Systems Companies

Application Security Compliance

• Payment systems companies may NOT share the PCI PA-DSS Report on Validation (ROV) with customers.
  
  
• Payment systems companies may share the Attestation of Validation (AOV) with customers.
  
  
• Security Engineering will work with customers:-
  
  
  • Advise on Remediation Actions
  • Clarify Requirements and Product Solution
  • Explain Issues to PCI DSS Assessor
  • Meet with customers to discuss PCI Issues
• Custom Software Modifications (CSMs) do not require an external PA-DSS assessment:-
  
  
  • Internal security review will be conducted as part of project to ensure customer will be PCI DSS validated.
    
    
  • Payment Systems companies will provide required evidence that the software development life cycle
    
    (SDLC) was followed for Payment systems companies written CSMs.
    
    The proof of compliance documentation provided should be discussed with the customer during contract negotiations.

How do Payment Systems Companies
Application become PA-DSS Validated

Payment Systems Companies determines if an application being developed meets the criteria for a PA-DSS validation.

Payment systems Companies select a Payment Application-Qualified Security Assessor (PA-QSA) to perform the assessment on the payment application.

Payment systems Companies provides the PA-QSA with relevant payment application documentation, access to a lab environment for testing the application, and provides information on the application and environment.

The PA-QSA assesses the payment applications security functions and features to determine whether the application complies with PA-DSS requirements.

If the PA-QSA determines the payment application is in compliance with the PA-DSS, then the PA-QSA submits their report setting forth their results, opinions and conclusions to the PCI SSC.

The PCI SSC reviews the report submitted by the PA-QSA and confirms or rejects whether the payment application meets all requirements.

When requirements are met, the PCI SSC Council provides an Attestation of Validation and lists the payment application on the List of Validated Payment Applications on the PCI SSC website.

PCI Cardholder Data Storages

[1]These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment.

Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data,

Or proper disclosure of a company's practices if consumer related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed or transmitted.

[2]Sensitive authentication data must not be stored after authorization (even if encrypted).

[3]Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.

PCI DSS helps you connect and share with the people in your life when it comes to secure payment systems or sending them payment.

The social network companies are excited about partnering with credit card companies and partnering with PayPal and all of the different folks in online payments to make their solutions as good as possible, as well as secure data in motion.