A Quick Intro to PCI DSS (Payment Card Industry Data Security Standard)

Author: Joseph Jachimiec, Security Administrator

With over 9,300 security breaches recorded since 2005, and a whopping 10.4 billion records estimated stolen (source: privacyrights.org), it’s essential for businesses to follow a reliable security framework to guide their information security programs.

One such framework is the Payment Card Industry Data Security Standard (PCI DSS).

In this post, we’ll take a quick look at how PCI DSS started. We’ll also define “cardholder data” and touch on the 12 requirements of the standard.

PCI DSS Overview and History

PCI DSS was introduced in 2004 by the five major credit card companies: American Express, Discover Financial Services, JCB, MasterCard, and Visa.

Before joining forces, each company had internal security programs to combat rampant credit card fraud and breaches. They formed the Payment Card Industry Security Standards Council (PCI SSC) to establish a common standard. Additionally, they needed to solve the interoperability problems of individual programs.

From this group, the PCI Data Security Standard was born. Its aim? To reduce credit card fraud and to give guidance for controls around cardholder data. To this day, the PCI Council acts as the governing body for the PCI Standard.

PCI DSS has been through many iterations since version 1.0 in 2004. Major updates to the standard were released in October 2010 (version 2.0) and November 2013 (version 3.0). At the time of this writing, version 3.2.1 is the most current, released in May 2018.

The PCI DSS applies to any entity that accepts, processes, stores, or transmits cardholder data, including merchants and service providers.

What is Cardholder Data?

In short, cardholder data (and sensitive authentication data) is the good stuff that thieves are after. Here’s a breakdown from the version 3.2.1 documentation:

Table image of PCI DSS cardholder data and sensitive authentication data
Source: Payment Card Industry (PCI) Data Security Standard – Requirements and Security Assessment Procedures, Version 3.2.1, May 2018, page 7

Interesting fact: although PCI DSS permits cardholder data to be stored (with the required protections), sensitive authentication data must not be stored at all, even if encrypted.

To show where this data lives on a typical credit card, take a look at this image from the PCI DSS Quick Reference Guide:

Image of credit card front and back showing types of data for PCI DSS
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 11

The PCI DSS Requirements

The PCI Data Security Standard breaks down into 12 compliance requirements within six goals:

Table image of PCI DSS goals and requirements
Source: PCI DSS Quick Reference Guide – Understanding the Payment Card Industry Data Security Standard version 3.2.1, page 9

As you can see, each requirement is a significant security undertaking for any company. When met, though, these requirements mirror security best practices, protect cardholder data and sensitive authentication data, and lead toward PCI DSS compliance and certification.

The PCI DSS documentation lays out guidance steps for each requirement. It also describes the testing procedures that a PCI Qualified Security Assessor (PCI QSA) performs to confirm the requirements are in place. Consider it your PCI cheat sheet!

Conclusion

At Nahan, PCI DSS is just one of the security frameworks that guide our information security program. We’re proud to be PCI Compliant and Certified since 2016. Our annual PCI QSA audit verifies that we’re meeting all PCI DSS requirements to protect cardholder data.

To learn more about our PCI DSS compliance and to see our Attestation of Compliance, contact us today.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by TheDigitalWay from Pixabay

What is Information Security?

Author: Joseph Jachimiec, Security Administrator

When I ask any normal, non-security person, “What is information security?” I get answers like this:

  • “Information security is protecting information,” or
  • “It’s when you defend data from hackers,” or even
  • “Oh, that’s IT stuff.”

None of these answers are wrong. Well, maybe “that’s IT stuff.” A little.

The best definition of information security comes from my friend and security evangelist Evan Francen, and it’s my favorite.

In his book, UNSECURITY: Information security is failing. Breaches are epidemic. How can we fix this broken industry? he writes:

“Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.”

I like this because it’s clear, complete, and best of all, actionable.

Let’s unpack his definition.

Managing Risks

Risk management is a pretty big topic, so we’ll save that discussion for another day. For now, notice that Evan didn’t say eliminating risks. He said managing risks.

It’s impossible to eliminate 100% of risks. With information security, as in life, some risk always remains. The key is awareness of the actual risks involved so you can intelligently manage, reduce, and accept your risk exposure.

Confidentiality, Integrity, and Availability

The Confidentiality, Integrity, and Availability Triad (aka the CIA Triad) is a foundational security model for protecting and working with information. Use it as a guide when building your information security programs, policies, and procedures.

Confidentiality means keeping the information secret from unauthorized disclosure. Only authorized parties should have access to the information.

Integrity means that the information is accurate and hasn’t been altered by unauthorized methods.

Availability means the information is accessible to authorized users when it’s needed.

To make this CIA concept work, balance the three properties against your business objectives. If you keep the information locked up, the right people won’t have access to the data they need. If you mess with the integrity of the data, who cares if it’s available? It’s no longer accurate or trustworthy at that point. And if the data is open to everyone, confidentiality goes out the window.

The best approach is to balance the push and pull of your business needs when working with the confidentiality, integrity, and availability of data. How? By using controls.

Administrative, Physical, and Technical Controls

Our favorite definition of information security continues with controls, namely the administrative, physical, and technical controls used to manage risk to information.

Administrative controls are the policies, procedures, standards, and training relating to information security. Here’s a shortcut to remember this: think documentation.

Physical controls are the easiest to understand because we use them every day at home, in the car, and at work or school. These are the door locks, keys/access cards, surveillance cameras, and alarm systems that protect people, property, and data.

Technical controls are what we first think of when it comes to information security. Passwords, firewalls, and anti-virus software fit into this category. Those are great, but many businesses fall into the trap of relying only on technical controls. Not only is this an expensive mistake, but as we saw with the CIA Triad, it’s a balance of the three controls that works best.

Conclusion

Why does all this information security stuff matter? Because Nahan cares about your data as much as you do.

We have administrative, physical, and technical controls in place to protect the confidentiality, integrity, and availability of your data, and we’re always improving. To learn more about our information security processes see our security section and contact us today about your next print project’s security needs.

Image by Andrew Martin from Pixabay