Management, compliance & auditing

An Overview of the Payment Card Industry (PCI)

Irfan Shakeel
November 30, 2016 by
Irfan Shakeel

The payment card industry consists of all the organizations which store, process and transmit cardholder data and carry transactions through debit and credit cards. Many standards are developed to conduct these types of services in a secure way. The well-known standard for this purpose is "Payment Card Industry Data Security Standards."

The Payment Card Industry Data Security Standard is the information security standard for organizations that handle branded credit cards. The standard was created to increase controls around cardholder data to reduce credit card fraud.

The goal of the PCI Data Security Standard (PCI DSS) is to protect cardholder data wherever it is processed, stored or transmitted.

The security controls and processes required by PCI DSS are vital for protecting cardholder account data. However, Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorization.

We can protect the transaction process by adopting and following some basic steps:

Build and Maintain a Secure Network:

Previously, theft of financial records required a criminal to enter an organization's business site physically. Today, many payment card transactions use PIN authentication and remote access to do transactions. This made transactions insecure, for that network security controls is introduced that can prevent criminals from virtually accessing payment system networks and stealing cardholder data. We can maintain a secure network by following some common steps:

  • Install and maintain a firewall and router configuration to protect cardholder data

    Establish firewall and router configuration standards that formalize testing whenever configurations change that identifies all connections to cardholder data (including wireless); that use various technical settings for each implementation and build configurations that restrict all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

  • Do not use vendor-supplied defaults for system passwords and other security parameters

    Always change vendor-supplied defaults before installing a system on the network. This includes wireless devices that are connected to the cardholder data environment or are used to transmit cardholder data.

  • Update all the configuration upon vulnerability exposure

Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions. Update system configuration standards as new vulnerability issues are identified.

Protect Cardholder Data:

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected and responsible for protecting cardholder's data and preventing its unauthorized use.

  • Do not store sensitive authentication data after authorization (even if it is encrypted). In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business.
  • Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy.

Maintain a Vulnerability Management Program:

It is the process of continually finding weaknesses in an entity's payment card infrastructure system. This includes security procedures, system design, implementation and internal controls that could be exploited to violate system security policy.

  • Use and regularly update anti-virus software and other programs and ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
  • Deploy anti-virus software on all systems affected by malicious software (particularly personal computers and servers).

Implement Strong Access Control Measures:

Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Physical access control locks or restricted the access to paper-based cardholder records or system hardware. While, logical access control permits or denies the use of PIN entry devices, a wireless network, PCs and other devices.

  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
  • Ensure proper user identification and authentication management for non-consumer users and render all passwords unreadable during storage and transmission, for all system components, by using strong cryptography.

Regularly Monitor and Test Networks:

Physical and wireless networks are the point that connects all endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems provide opportunities to cyber-criminals to gain unauthorized access to payment card applications and cardholder data. To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities.

  • Track and monitor all access to network resources and cardholder data.
  • Establish a process for linking all access to system components to each individual user – especially access done with administrative privileges.
  • Regularly test security systems and Perform external and internal penetration testing, including network- and application-layer penetration tests.

Maintain an Information Security Policy:

A strong security policy defines the organization's posture towards security and it also informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.

  • Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
  • Develop usage policies for critical technologies to define their proper use by all personnel. These include remote access, wireless, removable electronic media, laptops, tablets, handheld devices, email and the Internet.
  • Implement an incident response plan. Be prepared to respond immediately to a system breach

Compensating Controls for PCI DSS Requirements

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of compensating controls. For a compensating control to be considered valid, it must be reviewed by a qualified assessor. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control.

Merchants and other entities that store, process and/or transmit cardholder data must comply with PCI DSS. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs.

Depending on an entity's classification or risk level (determined by the individual payment card brands), processes for validating compliance and reporting to acquiring financial institutions usually follow this track:

  1. PCI DSS Scoping – determine what system components are governed by PCI DSS.
  2. Assessing – examine the compliance of system components in scope.
  3. Compensating Controls – assessor validates alternative control technologies/processes.
  4. Reporting – assessor and/or entity submits required documentation.
  5. Clarifications – assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand.

However, the attacking vector is rapidly evolving, while nobody can completely assure organizations regarding the security of financial and personal details, the risk factor is always there. We must look forward in adopting new strategies to defeat and outreach such attacks and the risks associated with it.

Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.