The Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 (updated in June of 2016) was developed by the members of the PCI Council, American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers as well as to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
While not outlined by the PCI Council itself, there are four distinct levels of compliance, based on the merchant's total credit card transactions over a 12-month period. The thresholds vary slightly between card brands, but the four levels are:
- Level 1 – 6M or more transactions per year
- Level 2 – 1M to 6M transactions per year
- Level 3 – 50,000 to 1M transactions per year
- Level 4 – fewer than 50,000 transactions per year
As expected, Level 1 merchants face the most demanding compliance requirements under PCI DSS 3.2. For these merchants the requirements are: a Report on Compliance (ROC) submitted by a Qualified Security Assessor (QSA) or signed by an Internal Auditor who is an officer of the company, submission of an Attestation of Compliance (AOC) form, and quarterly scans by an Approved Scanning Vendor (ASV).
For Levels 2-4 the requirements are the same: submit a Self-Assessment Questionnaire (SAQ), submit an Attestation of Compliance (AOC), and obtain quarterly scans from an ASV. All of these documents can be found at https://www.pcisecuritystandards.org/document_library
Level 1 Testing and Scanning Requirements
Level 1 Merchants (6M transactions or more) are required to submit a ROC that follows the requirements outlined in PCI DSS 3.2. Within PCI DSS 3.2, there are 12 requirements that Level 1 merchants are audited on to demonstrate their ability to meet PCI DSS standards by outlining the controls and processes in place to protect the integrity of the Cardholder Data Environment (CDE). The ROC audit is performed by a Qualified Security Assessor (QSA), unless the company has an Independent Security Assessor certification, and is usually conducted on-site.
Requirement 6, Develop and Maintain Secure Systems and Applications, and Requirement 11, Regularly Test Security Systems and Processes, of PCI DSS 3.2 cover the penetration testing requirements necessary to demonstrate compliance, and the results are reported in the QSA audit. To be compliant, Level 1 Merchants must use a validated third-party penetration tester such as MainNerve to rigorously test the merchant's CDE for vulnerabilities and system weaknesses. Penetration testers are required to follow accepted industry standards such as NIST SP 800-115 or the Penetration Testing Execution Standard (PTES). Additionally, Requirements 11.3 and 6.5 require application testing in accordance with accepted methodologies such as the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM) or the CWE/SANS Top 25. Testing for authorized and unauthorized wireless access points, with quarterly retests, is also required under Requirement 11.1.
To qualify for and maintain PCI compliance, both external and internal penetration tests must be conducted annually, or whenever significant changes are made to the merchant's architecture or applications. Additionally, when a merchant uses network segmentation to isolate the cardholder data environment (CDE), annual penetration tests of the segmentation controls by an authorized third-party vendor are required.
Compliance is achieved by determining the scope of the PCI audit that applies to your Merchant Level and following through on its requirements. For Level 1 Merchants, that means a full ROC, an AOC and quarterly scanning by an ASV. For Levels 2-4, it means an SAQ specifically tailored to the merchant's method of accepting credit cards (card not present, stand-alone terminals, web-based terminals, etc.), an AOC and quarterly scanning by an ASV.
Scope Definition and Advisor Services: Don't know what your PCI Merchant Level is, where your cardholder data is stored, or what your compliance requirements are under PCI DSS 3.2? MainNerve's QSA-qualified personnel will sit down with you and ensure that your PCI DSS engagement is appropriately scoped and tailored to your exact needs, saving you money.
Penetration Testing: MainNerve has extensive experience helping Level 1 Merchants achieve PCI DSS 3.2 compliance through rigorous internal and external penetration tests, as well as web- and mobile-based application penetration testing. These tests, when performed as part of a ROC conducted by a QSA, meet or exceed the penetration testing conditions outlined in Requirements 6 and 11 of PCI DSS 3.2. MainNerve's penetration testers are all veterans with decades of experience and perform penetration tests only to the standards referenced in PCI DSS 3.2, such as PTES, NIST SP 800-115, OWASP and OSSTMM. MainNerve has performed these services in support of Level 1 PCI requirements for companies as large as $34B as well as for smaller merchants.
QSA Support: MainNerve partners with several highly reputable U.S. companies to bring in affordable QSA support when clients request it. These are highly experienced QSAs with decades of experience in PCI DSS ROC requirements, and they work alongside MainNerve's penetration testers to meet your PCI DSS needs quickly.
PCI Standards Council: https://www.pcisecuritystandards.org