

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




PCI COMPLIANCE

Compliance Requirements

Payment Card and Data

The International Organization for Standardization (ISO) presents the standards for the characteristics of payment cards, including the physical size, how they are to be embossed, the characteristics of the magnetic stripe, and the location of the tracks of data included on the magnetic stripe.

Printed on the card, but not included in the encoded data, is a Card Verification Value (CVV) (see Figure 4). The printed code (not embossed) is defined differently by the card brands, and is possibly printed in different locations. AMEX prints a four-digit code on the front of the card while the other card brands print the code on the signature side (magnetic stripe side) of the card.

Figure 4 Card verification value locations. Note: CVV2 card authentication value 2 (Visa), CID card identification number (AMEX and Discover), and CVC2 card validation code 2 (MasterCard).

The magnetic stripe contains up to three tracks of encoded data.

Track 1 was developed by the International Air Transport Association (IATA) for intended use in the airline industry for ticketing and reservations.

Track 2 was developed by the American Bankers Association (ABA) for the intended use of payment cards for financial transactions.

Track 3 was developed by the thrift industry and is not commonly used and sometimes is not even present on the magnetic stripe.

Table 1 identifies the key data elements encoded within each track.

Table 1 General magnetic stripe track data.

Track 1: 79 characters, alphanumeric.
  Element 1: Primary Account No. (PAN) (19)
  Element 2: Name (26)
  Element 3: Additional Data (Expiration Date (4)/Service Code (3))
  Element 4: Discretionary Data (Card Brand discretion)

Track 2: 40 characters, numeric.
  Element 1: PAN (19)
  Element 2: Additional Data (Expiration Date (4)/Service Code (3))
  Element 3: Discretionary Data (Card Brand discretion)

Track 3: 107 characters, numeric.
  Element 1: PAN (19)
  Element 2: Additional Data (17 fields, some optional)
  Element 3: Discretionary Data (5 fields, some optional)

NOTE: The table does not include the "start and end sentinels," "field separators," "format code," or "longitudinal redundancy check character." The numbers in parentheses indicate the maximum number of characters for the element.

Risk Management and Legal

While risk management and legal are two separate entities that may exist within an airport organization, they may be outsourced functions as well. The importance of these functions working closely together to ensure PCI DSS compliance is considered in preparing contracts and in managing liability and insurance perspectives.

The risk management role generally concentrates on costs and loss potentials. The consideration that PCI DSS non-compliance or security breaches can impact the airport with significant fees, penalties, and recovery costs provides an incentive for this role to engage in the PCI DSS program.

A more detailed chart of the magnetic stripe track data elements is available in Appendix A of this document. The discretionary data varies by card brand and what is included is optional. The data may include a PIN verification key indicator (PVKI), PIN verification value (PVV), CVV, or card verification code (CVC) (5).

Not all data available on the payment card data track is permitted to be stored in a local database (see Objective 2, Requirement 3 in the Requirements section below). Only the primary account number (PAN), the cardholder name, the service code, and the expiration date are eligible for storage. None of the discretionary data, including the validation or verification codes, PIN, or PIN block, should be included in the electronic storage of cardholder data. Additionally, where the PAN is displayed in a visible format, it should be masked so that only the first six digits and/or the last four digits are identifiable (6).

PCI DSS Requirements

The PCI DSS is established as a set of objectives and requirements for any organization using payment card(s) or cardholder information to conduct business operations. The requirements are not just simple guidelines but are a mandatory set of expected methods and processes that not only must be operational, but also validated as operational in the business. The PCI-Council defines cardholder data as the full magnetic stripe (which cannot be stored) or the PAN plus any of the following:

- Cardholder name,
- Expiration date, and
- Service code. (7)

There are six objectives of the PCI DSS:

1. Build and maintain a secure network,
2. Protect cardholder data,
3. Maintain a vulnerability management program,
4. Implement strong access control measures,
5. Regularly monitor and test networks, and
6. Maintain an information security policy.

Each of these objectives includes a set of requirements that, when implemented, enables the business or organization to meet the objective and comply with payment card information security. The following list of requirements includes further explanation from PCI experts as a part of an interview process conducted by the research team, and, where provided, includes any specific comments related to airports.

OBJECTIVE 1: BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Maintain up-to-date diagrams of all current networks with all connections to cardholder data, including any wireless networks.
- Ensure that each Internet connection has a firewall.
- Establish a formal process for approving and testing all network connections and changes to the firewall and router configurations.
- Document explanation of groups, roles, and responsibilities for logical management of networks and network components.
- Review firewall and router rule sets on a frequent basis (at least every 6 months).
- Restrict firewall configuration connection between untrusted networks and any system components in the cardholder data environment.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

OBJECTIVE 2: PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Use strong cryptography and security protocols such as secure socket layer (SSL) and transport layer security (TLS) or Internet Protocol Security (IPSEC) during transmission over open networks.
- Use strong encryption for authentication and transmission on wireless networks that transmit cardholder data or connect to the cardholder data environment.
- Never send unencrypted PAN by end-user messaging technologies (email, instant messaging, or chat).

OBJECTIVE 3: MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software.
- Deploy anti-virus software on all systems.
- Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
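The storage and masking rules given earlier on this page (PAN, cardholder name, expiration date and service code may be stored; discretionary data may not; a displayed PAN shows at most the first six and last four digits), as an added Python example that is not part of the ACRP report. It assumes the ISO/IEC 7813 sentinel and separator characters that Table 1's note leaves out, and the track records it parses are constructed around a published test PAN.

```python
"""Added example (not from the ACRP report): split magnetic stripe data into the
Table 1 elements and keep only what the page says is eligible for storage.

Assumptions beyond the page: the sentinel and separator characters follow
ISO/IEC 7813 (Track 1 '%B...^...^...?', Track 2 ';...=...?'), and the sample
records below are constructed around a well-known test PAN.
"""
import re

# Track 1 (79 chars max): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
# Track 2 (40 chars max): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")
MAX_LEN = {1: 79, 2: 40}  # character limits from Table 1

# Constructed samples; 4111111111111111 is a published test PAN, not a live card.
TRACK1_SAMPLE = "%B4111111111111111^DOE/JANE^2512101123456789?"
TRACK2_SAMPLE = ";4111111111111111=2512101123456789?"


def parse_track(raw: str) -> dict:
    """Return the Table 1 elements of a Track 1 or Track 2 record as a dict."""
    m = TRACK1_RE.match(raw)
    if m:
        pan, name, exp, svc, disc = m.groups()
        track, name = 1, name.strip()
    else:
        m = TRACK2_RE.match(raw)
        if not m:
            raise ValueError("not a recognised Track 1 or Track 2 record")
        pan, exp, svc, disc = m.groups()
        track, name = 2, None
    if len(raw) > MAX_LEN[track]:
        raise ValueError(f"track {track} exceeds {MAX_LEN[track]} characters")
    return {"track": track, "pan": pan, "name": name, "expiration": exp,
            "service_code": svc, "discretionary": disc}


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits remain."""
    if len(pan) <= 10:  # too short for a 6/4 split; keep only the last four
        return "*" * (len(pan) - 4) + pan[-4:]
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(raw: str) -> dict:
    """Reduce a captured track to the elements the page allows in storage.

    The full track and every discretionary element (CVV/CVC, PVV, PVKI, PIN
    data) are dropped. Requirement 3 still applies to whatever is kept, so this
    example retains the PAN only in its masked (truncated) display form.
    """
    t = parse_track(raw)
    return {"pan_masked": mask_pan(t["pan"]), "name": t["name"],
            "expiration": t["expiration"], "service_code": t["service_code"]}
```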

- Ensure that all anti-virus mechanisms are current, active, and generate audit logs.

Requirement 6: Develop and maintain secure systems and applications.
- Ensure all system components and software have the latest vendor-supplied security patches (applicable to purchased software) installed.
- Establish a process to identify newly discovered security vulnerabilities.
- Have in place and follow change control procedures for all changes to system components, including:
  - documentation of impact,
  - management sign-off by appropriate parties,
  - test operational functionality, and
  - back-out procedures.

OBJECTIVE 4: IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know.
- Limit access to system components and cardholder data to only those individuals whose jobs require such access.

Requirement 8: Assign a unique ID to each person with computer access.
- Assign a unique username/password before allowing them to access system components or cardholder data.

Requirement 9: Restrict physical access to cardholder data.
- Shred, incinerate, or pulp hardcopy cardholder data.
- Render electronic cardholder data unrecoverable.
- Monitor physical locations of cardholder data environments and limit access to only individuals with access privileges--use of video cameras and access control mechanisms.
- Restrict physical access to wireless access points, gateways, and handheld devices.
- Store media back-ups in a secure location, preferably an off-site facility such as an alternate or back-up site or commercial storage facility (include security review at least on an annual basis).
- Physically secure paper and electronic media that contain cardholder data.

OBJECTIVE 5: REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.
- Establish a process for linking all access to system components to each individual user.
- Synchronize all critical system clocks and times.
- Review system components logs daily.
- Secure audit trails to prevent tampering:
  - limit visibility of audit trails to those with a job-related need,
  - protect audit trail files from unauthorized modifications,
  - back up audit trail files to a centralized log server or media difficult to alter,
  - use file integrity monitoring or change detection software on logs to generate alerts for any data changes.

Requirement 11: Regularly test security systems and processes.

OBJECTIVE 6: MAINTAIN A SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security for employees and contractors.
- Implement and maintain policies and procedures to manage service providers if the airport shares cardholder data with service providers.
- Establish, publish, maintain, and disseminate a security policy that incorporates the following:
  - all PCI DSS requirements,
  - an annual process to identify threats and vulnerabilities with an annual formal risk assessment, and
  - an update of the process in the event of security environment changes.
- Develop daily operational security procedures consistent with requirements.
- Implement a formal security awareness program to make all employees aware of the importance of cardholder data security:
  - educate employees upon hire,
  - set up an annual education effort for all employees, and
  - require that employees acknowledge that they have read and understood the airport's security policy and procedures on an annual basis.
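The audit-trail bullets of Requirement 10 (protect audit trail files from modification, keep a copy on a centralized server or hard-to-alter media, alert on any change) as an added Python example, not code from the ACRP report. It hash-chains the entries of a constructed access log so that a copy shipped elsewhere can later reveal whether any entry was modified, deleted, truncated or appended.

```python
"""Added example (not from the ACRP report): a minimal SHA-256 hash chain for
detecting changes to an audit trail, in the spirit of Requirement 10.

The log lines are constructed for this example and come from no real system.
"""
import hashlib
from typing import List, Optional

# Constructed sample audit trail: one entry per access to a cardholder-data system.
AUDIT_LOG = [
    "2009-03-02T08:15:03Z uid=jdoe host=pos-01 action=login result=success",
    "2009-03-02T08:16:40Z uid=jdoe host=pos-01 action=query table=transactions rows=12",
    "2009-03-02T08:30:12Z uid=admin host=db-01 action=export table=cardholders rows=5000",
    "2009-03-02T08:31:00Z uid=admin host=db-01 action=logout result=success",
]

GENESIS = "0" * 64  # fixed anchor so the very first entry is covered as well


def chain_digests(lines: List[str]) -> List[str]:
    """Return one hex digest per line, each also covering every earlier line.

    digest[i] = SHA-256(digest[i-1] || line[i]). The previous digest is a
    fixed 64-character prefix, so there is no ambiguity between it and the
    line. Shipping this list to a centralized log server (or write-once media)
    gives the verifier a reference the logging host cannot quietly rewrite.
    """
    digests, prev = [], GENESIS
    for line in lines:
        prev = hashlib.sha256((prev + line).encode("utf-8")).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_index(lines: List[str], reference: List[str]) -> Optional[int]:
    """Compare a local log file against its shipped digests.

    Returns None when every line matches, otherwise the index of the first
    divergence: a modified or deleted line breaks the chain at its position,
    while appended lines or a truncated file are reported at the shorter
    length, so silent appends and truncation are caught too.
    """
    current = chain_digests(lines)
    for i, (got, want) in enumerate(zip(current, reference)):
        if got != want:
            return i
    if len(current) != len(reference):
        return min(len(current), len(reference))
    return None
```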

PCI DSS Hierarchy

Figure 5 Hierarchy of PCI DSS validations.

PCI DSS Objectives: Objectives established to ensure payment card information security - DSS Compliance.

PCI DSS Requirements: The Requirements for each Objective establish the deliverable that must be achieved for DSS Compliance.

Validation: Requirements have been met.

Business / Organization (Airport): The Business, dependent on the use of Payment Cards or touch-points of cardholder data, is responsible to meet PCI DSS compliance.

Merchant / Service Provider: A Business may act as a Merchant using Payment Cards for receipt of payment, or as a Service Provider where Payment Cards are used on behalf of other Merchants, Service Providers, or both.

Payment Card Brand: Payment Card Brands enforce the compliance standards and establish their definitions, fees and penalties, and compliance deadlines.

PCI DSS Validation Level / Criteria / Method / Requirement: Payment Card Brands define the criteria for PCI DSS Compliance levels for businesses/organizations and the method to be used for validating the requirements at each level.

Understanding the PCI DSS requirements provides a first step to considering the impact on the airport business. However, the ability to achieve compliance still involves several factors. The business operation (merchant, service provider, or both), the card brands utilized by the business, and the criteria defined by the card brand applied to the business provide the basis for determining how the PCI DSS requirements will be validated. See Figure 5.

Whether a business is a merchant or a service provider, the use of a payment card or payment cardholder data in business operations requires a responsibility to meet PCI DSS compliance requirements. Each classification of business will then be subject to the criteria established by the payment card brand that is used by the business to further determine the validation requirements that must be followed to gain compliance.

In the sections below, it should be noted that many merchant classification levels and service provider classification levels indicate that a self-assessment can be conducted. This self-assessment is based on the number of transactions that are conducted annually. Additionally, the merchant or service provider can download the PCI SAQ from the PCI-Council website.

Merchant Classification--Level Criteria

Tables 2a-2e list by card brand the generally defined criteria for merchant-level assignment and the validation requirements at each level. Specific qualifications or conditions can be obtained from the source listed for each table.

Service Provider Classification--Level Criteria

Tables 3a-3e list by card brand the generally defined criteria for service provider-level assignment and the validation requirements at each level. Specific qualifications or conditions can be obtained from the source listed for each table or at the card brand website.

Compliance Deadlines

The deadlines for compliance validation are also subject to the discretion of the card brands and may even vary by merchant- or service provider-level or by the type of validation requirement. With the changing dynamics of deadline dates, there are no date requirements included in this document and deadlines should be verified through card brand PCI-knowledgeable representatives.

Table 2a Criteria for merchant-level assignment: Visa.

Level 1
  Criteria: Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region.
  Validation Requirements:
    1. Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)
    3. Attestation of Compliance Form

Level 2
  Criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
  Validation Requirements:
    1. Annual Self-Assessment Questionnaire (SAQ)
    2. Quarterly network scan by ASV
    3. Attestation of Compliance Form

Level 3
  Criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  Validation Requirements:
    1. Annual SAQ
    2. Quarterly network scan by ASV
    3. Attestation of Compliance Form

Level 4
  Criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.
  Validation Requirements:
    1. Annual SAQ recommended
    2. Quarterly network scan by ASV if applicable
    3. Compliance validation requirements set by Acquirer

SOURCE: Reference 8.

Table 2b Criteria for merchant-level assignment: MasterCard.

Level 1
  Criteria: Merchants that have suffered a hack or an attack that resulted in an account data compromise; any Merchant having greater than 6 million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 1 criteria of Visa; any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system.
  Validation Requirements:
    1. Annual on-site review (qualified reviewer conditions must be met)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

Level 2
  Criteria: Any Merchant with greater than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually; any Merchant meeting the Level 2 criteria of Visa.
  Validation Requirements:
    1. Annual on-site review at Merchant discretion (qualified reviewer conditions must be met)
    2. Self Assessment required annually (qualified reviewer conditions must be met)
    3. Quarterly network scan by ASV

Level 3
  Criteria: Merchants processing greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to 1 million combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa.
  Validation Requirements:
    1. Self Assessment required annually (qualified reviewer conditions must be met)
    2. Quarterly network scan by ASV

Level 4
  Criteria: All other Merchants.
  Validation Requirements:
    1. Self Assessment required annually (qualified reviewer conditions must be met)
    2. Quarterly network scan by ASV if applicable

SOURCE: Reference 9.

Table 2c Criteria for merchant-level assignment: JCB.

Level 1
  Criteria: Merchants processing over 1 million JCB transactions annually, or compromised merchants.
  Validation Requirements:
    1. Annual on-site review by Qualified Security Assessor (QSA)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

Level 2
  Criteria: Merchants processing less than 1 million JCB transactions annually.
  Validation Requirements:
    1. Annual Self-Assessment Questionnaire (SAQ)
    2. Quarterly network scan by ASV

SOURCE: Reference 10.

Table 2d Criteria for merchant-level assignment: AMEX.

Level 1
  Criteria: Merchants processing over 2.5 million American Express transactions annually or any Merchant that American Express otherwise deems a Level 1.
  Validation Requirements:
    1. Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

Level 2
  Criteria: Merchants processing 50,000 to 2.5 million American Express transactions annually or any Merchant that American Express deems Level 2.
  Validation Requirements:
    1. Annual Self-Assessment Questionnaire (SAQ)
    2. Quarterly network scan by ASV

Level 3
  Criteria: Merchants processing less than 50,000 American Express transactions annually.
  Validation Requirements:
    1. Annual SAQ
    2. Quarterly network scan by ASV

SOURCE: Reference 10.

Table 2e Criteria for merchant-level assignment: Discover.

Level N/A
  Criteria: Merchants are currently not categorized into levels based on transaction volume. Discover takes a "risk based approach" for validating PCI DSS compliance.
  Validation Requirements:
    1. Quarterly Network Scan by ASV and one of the following:
       A. Annual on-site review by QSA-PCI DSS Assessment
       B. Annual Self Assessment Questionnaire

SOURCE: Reference 10.

Table 3a Criteria for service provider-level assignment: Visa.

Level 1
  Criteria: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually.
  Validation Requirements:
    1. Annual on-site PCI Data Security Assessment by Qualified Security Assessor (QSA)
    2. Quarterly Network Scan by Approved Scanning Vendor (ASV)

Level 2
  Criteria: Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually.
  Validation Requirements:
    1. Annual PCI Self-Assessment Questionnaire
    2. Quarterly network scan by ASV

SOURCE: Reference 11.

Table 3b Criteria for service provider-level assignment: MasterCard.

Level 1
  Criteria: All Third-Party Processors (TPPs); all Data Storage Entities (DSE) that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually.
  Validation Requirements:
    1. Annual on-site PCI Data Security Assessment by Qualified Security Assessor (QSA)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

Level 2
  Criteria: All DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually.
  Validation Requirements:
    1. Annual PCI Self-Assessment Questionnaire
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

SOURCE: Reference 12.

Table 3c Criteria for service provider-level assignment: JCB.

Level 1
  Criteria: All Third-Party Processors (TPPs).
  Validation Requirements: Undefined.

SOURCE: Reference 13.

Table 3d Criteria for service provider-level assignment: AMEX.

Level 1
  Criteria: All Third-Party Processors (TPPs).
  Validation Requirements:
    1. Annual on-site review by Qualified Security Assessor (QSA)
    2. Quarterly network scan by Approved Scanning Vendor (ASV)

SOURCE: Reference 13.

Table 3e Criteria for service provider-level assignment: Discover.

Level N/A
  Criteria: All Third-Party Processors (TPPs) and Payment Service Providers (PSPs).
  Validation Requirements:
    1. Quarterly Network Scan by ASV and one of the following:
       A. Annual on-site review by QSA-PCI DSS Assessment
       B. Annual Self Assessment Questionnaire

SOURCE: Reference 13.