What is PCI?
The Payment Card Industry (PCI) covers credit cards, debit cards, prepaid cards, ATM and POS cards, and the businesses built around them. To address security problems across the industry, several organizations came together and founded the PCI Security Standards Council (SSC) in September 2006. The council defined the PCI Data Security Standard (DSS), which aims to protect against credit card fraud and the misuse of cardholder information; such fraud is common in transactions processed through banks and financial institutions and causes severe losses.
Who Needs to be PCI Compliant?
According to the PCI Security Standards Council, any business that processes, stores, or transmits credit card information needs to be PCI compliant.
There are different levels of PCI DSS compliance, depending on the number of transactions per year.
Level 1: More than 6 million transactions per year
Level 2: Between 1 million and 6 million transactions per year
Level 3: Between 20 thousand and 1 million transactions per year
Level 4: Less than 20 thousand transactions per year
Companies at Level 1 and Level 2 should pass an on-site audit every year to prove that they are PCI compliant. Companies at Level 3 and Level 4 need to fill out a Self-Assessment Questionnaire (SAQ) every year and report to their banks or credit card companies.
There are nine different types of PCI Self-Assessment Questionnaire (SAQ). Each one shows which security measures you need to take for your business model. The measures depend on the payment method you use, such as online payment or POS cards, and on whether or not you store users' payment information.
What is a PCI Pentest?
A PCI pentest is a penetration test scoped according to PCI DSS. Vulnerabilities in the member merchants and financial institutions that process credit card transactions should be detected and eliminated to maintain the security level PCI DSS requires. How often you should run a pentest may vary depending on your level. Item 11.3 of the PCI DSS requirements documentation states that penetration tests should be performed every six months or after any change to segmentation controls.
There are 12 requirements of the PCI DSS. You can find their details, testing procedures, and guidance in the documentation.
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel
PCI DSS aims to protect users' credit card information and their transaction information from third parties. It sets out precautions and rules that merchants and financial institutions must follow. It is always good to get professional consultancy when you do not have a security team of your own focused on these issues.