PCI DSS

Just attended a PCI-DSS workshop organized by VISA; wow, it sure was worth it. I have read the PCI-DSS docs a number of times, but the whole classroom experience was very valuable.

Some important items worth noting:

  • The idea behind the PCI program is to “render the credit card data unreadable”; the ways you can accomplish this are encryption, hashing, and truncation.
  • PCI DSS – Is the standard itself
  • AIS – Is the enforcement program
  • Data that can never be stored, unless you are a credit card issuer:
    • Mag-stripe data
    • CVV2
    • PIN/PIN Block
  • As per the requirements, you must notify your acquirer of a possible breach within 24 hours
  • PCI DSS has about 230 requirements
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (Code reviews, app testing)
    5. Policies
    6. Physical Controls
  • VISA is moving PABP from “best practices” into a formal security standard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS)
  • PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including the PCI DSS
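To make the first bullet concrete, here is an added example (my own illustration, not material from the workshop, VISA or the PCI SSC) of two of the three "render it unreadable" methods: truncation of a PAN to the first six and last four digits, and a keyed hash (HMAC-SHA-256) of the full PAN. Encryption is left out only because the Python standard library ships no AES. The function names (`truncate_pan`, `hash_pan`, `render_unreadable`) are mine, and the sample PAN is the well-known Visa test number, not a real account.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for this example only: 4111 1111 1111 1111 is the
# widely used Visa test number, not a real cardholder account.
SAMPLE_PAN = "4111 1111 1111 1111"


def _digits(pan: str) -> str:
    """Strip spaces/dashes and enforce the 13-19 digit PAN length range."""
    d = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return d


def truncate_pan(pan: str) -> str:
    """Truncation: keep the first six (BIN) and last four digits, mask the rest.

    The masked middle digits are simply not present in the output, so nothing
    can recover them from the stored value.
    """
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Hashing: keyed SHA-256 (HMAC) over the full PAN.

    A plain, unkeyed hash is weak here: once the BIN and last four are known
    (e.g. from the truncated copy), only a few middle digits remain, and
    that search space is small enough to rebuild a lookup table. Keying the
    hash with a secret stored apart from the hashed values removes that shortcut.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def render_unreadable(pan: str, key: bytes) -> dict:
    """Return only the storable forms; the full PAN never leaves this function."""
    return {"truncated": truncate_pan(pan), "hash": hash_pan(pan, key)}


if __name__ == "__main__":
    # Per-deployment secret; keep it in a key store, never beside the hashes.
    key = secrets.token_bytes(32)
    print(render_unreadable(SAMPLE_PAN, key))
```

The hash is deterministic for a given key, so it still works as a lookup token (for example to match a returning card without storing the PAN), while the truncated form is what you show on receipts or screens.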