1. PCI DSS Brief
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
2. PCI Compliance applicability
The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
An organization is required to be PCI compliant in either of the below two situations:
- It stores payment cardholder data (and, as a rule, also processes or transmits it)
- It only processes or transmits payment cardholder data, without ever storing it
PCI DSS also applies to a business that accepts credit cards over the phone, since taking card details verbally and keying them into a terminal or writing them down is processing (and usually storing) cardholder data, which falls under the above classification. https://www.pcicomplianceguide.org/how-does-taking-credit-cards-by-phone-work-with-pci/
3. Auditing of PCI Compliance and Vulnerability Scans
PCI DSS compliance is validated either through a Self-Assessment Questionnaire (SAQ) or, for larger merchants and service providers, an on-site assessment by a PCI SSC Qualified Security Assessor (QSA) that produces a Report on Compliance. The quarterly external vulnerability scans that form part of that validation must be performed by a PCI SSC Approved Scanning Vendor (ASV).
A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool conducts a non-intrusive scan that remotely reviews networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by attackers to reach the company’s private network. As provided by Approved Scanning Vendors (ASVs) such as ControlScan, the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed. Because it is external and unauthenticated, an ASV scan does not replace the internal vulnerability scanning and penetration testing that PCI DSS Requirement 11 also calls for.
3.1 Approved Scanning Vendors (ASVs)
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.
As a company, ControlScan revalidates with the PCI Security Standard Council every year, and our ASV employees requalify annually, too. This means that we’re up to date on the very latest vulnerabilities. We’re also experts in scanning your Internet-facing environment and working with you to resolve any issues and achieve PCI compliance.
3.2 Frequency of validations for PCI Compliance
PCI compliance requires businesses to submit quarterly passing external network scans by a PCI SSC Approved Scanning Vendor (ASV) such as ControlScan for each of their Internet-facing locations (IP addresses or domains in scope). A failed scan must be remediated and re-scanned until it passes, so the quarterly cadence is a minimum, not a schedule.
4 Significance of SSL Certificate in PCI compliance
4.1 SSL
SSL (Secure Sockets Layer) is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing eavesdroppers from reading and manipulating any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information). SSL uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection.
4.2 TLS
TLS is the successor to SSL and is more secure: it uses HMAC for message authentication, a stronger pseudorandom function for key-material generation, and a wider choice of cipher suites. For example, TLS extensions add pre-shared keys, Secure Remote Password, elliptic-curve cryptography and Kerberos cipher suites, none of which SSL supports. SSL 3.0 and TLS 1.0 are not interoperable on the wire, but a TLS implementation can negotiate down to SSL 3.0 for older peers. That fallback is exactly the downgrade path that makes SSL and early TLS unacceptable under PCI DSS (see 4.5).
The TLS protocol specification defines two layers. The TLS record protocol provides connection security (fragmentation, then encryption and integrity protection of each record), and the TLS handshake protocol, carried inside records, lets the client and server authenticate each other (the server always, the client optionally) and negotiate the session keys before any application data is transmitted.
The TLS handshake is a multi-step process. A basic TLS 1.2 handshake consists of the ClientHello and ServerHello messages (which negotiate the protocol version and cipher suite), the server’s Certificate, the key exchange (ServerKeyExchange and ClientKeyExchange), a ChangeCipherSpec message that switches to the negotiated keys, and a Finished message from each side that authenticates the whole handshake transcript. This structure is what makes TLS adaptable to different applications: which messages appear depends on the negotiated key exchange and on whether client authentication is requested, and TLS 1.3 reduces the exchange to a single round trip.
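To make the two layers concrete, the following added example (not code from the original page) builds a TLS 1.2 ClientHello byte by byte and then parses it back, splitting the record-layer header from the handshake-layer header. The cipher suites, the host name "example.com" and the fixed random value are constructed sample inputs; the layouts follow RFC 5246 (record layer in section 6.2, ClientHello in section 7.4.1.2) and RFC 6066 for the server_name extension.

```python
"""Build a TLS 1.2 ClientHello and parse it back, separating the record
layer (RFC 5246 s6.2) from the handshake layer (RFC 5246 s7.4).
Added example, not from the original page; host name, cipher suites
and the fixed random used in the demo are constructed sample inputs."""
import os
import struct

CONTENT_TYPE_HANDSHAKE = 0x16   # record-layer ContentType for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01   # HandshakeType
TLS10 = 0x0301                  # record version on the first flight, for compatibility
TLS12 = 0x0303                  # client_version offered inside the ClientHello
EXT_SERVER_NAME = 0x0000        # server_name extension type (RFC 6066)

# IANA cipher suite code points used as sample input.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


def _sni_extension(host: str) -> bytes:
    """server_name extension: list length, name_type=0 (host_name), name length, name."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(host="example.com",
                       cipher_suites=(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                      TLS_RSA_WITH_AES_128_CBC_SHA),
                       client_version=TLS12, random_bytes=None) -> bytes:
    """Return one complete TLS record carrying a ClientHello handshake message."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    extensions = _sni_extension(host)
    body = (struct.pack("!H", client_version)
            + random_bytes
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    # Handshake layer: msg_type(1) || length(3) || body
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: content_type(1) || version(2) || length(2) || fragment
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, TLS10, len(handshake)) + handshake


def parse_record(data: bytes) -> dict:
    """Split off the record-layer header; refuse truncated or oversized records."""
    if len(data) < 5:
        raise ValueError("short record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if length > 2 ** 14 + 2048:                       # RFC 5246 s6.2.3 ceiling
        raise ValueError("record length exceeds TLS maximum")
    if len(data) < 5 + length:
        raise ValueError("truncated record")
    return {"content_type": content_type, "version": version,
            "fragment": data[5:5 + length]}


def parse_client_hello(fragment: bytes) -> dict:
    """Parse the handshake layer of a ClientHello out of a record fragment."""
    if len(fragment) < 4 or fragment[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    try:
        pos = 0
        client_version, = struct.unpack_from("!H", body, pos)
        pos += 2
        client_random = body[pos:pos + 32]
        pos += 32
        pos += 1 + body[pos]                              # session_id length + bytes
        cs_len, = struct.unpack_from("!H", body, pos)
        pos += 2
        suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]
        compression = list(body[pos + 1:pos + 1 + comp_len])
        pos += 1 + comp_len
        extensions = {}
        if pos < len(body):                               # extensions are optional
            ext_total, = struct.unpack_from("!H", body, pos)
            pos += 2
            end = pos + ext_total
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                pos += 4
                extensions[etype] = body[pos:pos + elen]
                pos += elen
        server_name = None
        if EXT_SERVER_NAME in extensions:
            ext = extensions[EXT_SERVER_NAME]             # list len(2) type(1) name len(2) name
            name_len, = struct.unpack_from("!H", ext, 3)
            server_name = ext[5:5 + name_len].decode("ascii")
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"client_version": client_version, "client_random": client_random,
            "cipher_suites": suites, "compression_methods": compression,
            "server_name": server_name}


def describe(record: bytes) -> dict:
    """Parse a record and, if it is a ClientHello, merge both layers into one view."""
    rec = parse_record(record)
    if rec["content_type"] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    return {"record_version": rec["version"], **parse_client_hello(rec["fragment"])}


if __name__ == "__main__":
    for key, value in describe(build_client_hello()).items():
        print(f"{key:20} {value!r}")
```

The record-layer version (0x0301) and the client_version inside the handshake (0x0303) are deliberately different: the outer one is a compatibility value, the inner one is what the server actually negotiates against, which is why version checks belong on the handshake layer, not the record header.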
4.3 SSL Certificate
To create this secure connection, an SSL certificate (also referred to as a “digital certificate”; technically an X.509 certificate) is installed on a web server and serves two functions:
- It authenticates the identity of the website: the certificate binds the site’s public key to its domain name and is signed by a CA the browser trusts, which guarantees visitors that they’re not on a bogus site
- It supplies the public key that the TLS handshake uses to set up the encrypted session; the certificate itself does not encrypt traffic, the session keys negotiated in the handshake do
SSL certificates are issued by Certificate Authorities (CAs), organizations that are trusted to verify the identity and legitimacy of any entity requesting a certificate.
The CA’s role is to accept certificate applications, authenticate the applicants, issue certificates, and maintain status information on the certificates issued (revocation lists and OCSP responders).
Even though the certificate is used for TLS, you will notice when buying one that it is still sold as an “SSL certificate”. The certificate format is the same whichever protocol version carries it; “SSL” simply remains the most commonly used term.
4.4 HTTPS
HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is served over TLS using a certificate. The details of the certificate, including the issuing CA and, for organization-validated (OV) and extended-validation (EV) certificates, the legal name of the website owner, can be viewed by clicking on the lock symbol in the browser’s address bar. A domain-validated certificate shows only the domain name, so the presence of HTTPS alone says nothing about who operates the site.
4.5 Compliance to PCI while using the SSL certificate
A system cannot be considered PCI compliant merely because it uses an SSL certificate: a certificate alone does not secure a web server against attacks or intrusions, and it says nothing about how cardholder data is handled once it reaches the server.
SSL (all versions) and early TLS (TLS 1.0) must not be used as a security control to meet PCI DSS requirements; since 30 June 2018 the standard requires a secure version of TLS for cardholder data in transit, with TLS 1.2 or higher strongly recommended (TLS 1.1 is also deprecated by RFC 8996). The only exception is for legacy point-of-sale terminals that have been verified not to be susceptible to known SSL/TLS exploits.
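Because this requirement is most often missed in a web server’s protocol list, here is an added example (not code from the original page) that audits nginx `ssl_protocols` directives, with a weak configuration beside the corrected one. The two configuration fragments, the certificate paths and the server block are constructed samples; the prohibited/deprecated sets encode the PCI DSS rule above and RFC 8996.

```python
"""Audit nginx ssl_protocols directives against the PCI DSS ban on SSL and
early TLS. Added example, not from the original page; the config
fragments and file paths below are constructed samples."""
import re

# SSL and early TLS: prohibited as a PCI DSS security control since 30 June 2018.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}
# Deprecated by RFC 8996 and not recommended by the PCI SSC; reported as a finding.
DEPRECATED = {"TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

# Matches an uncommented "ssl_protocols ...;" line; a leading '#' makes it not match.
_DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def enabled_protocols(config_text: str) -> list:
    """Return the protocol list of every active ssl_protocols directive."""
    return [value.split() for value in _DIRECTIVE.findall(config_text)]


def audit_nginx(config_text: str) -> list:
    """Return a list of findings; an empty list means no protocol-version issue."""
    findings = []
    directives = enabled_protocols(config_text)
    if not directives:
        # Without the directive the enabled versions depend on the nginx build
        # default, which has included TLSv1 and TLSv1.1 in older releases.
        findings.append("no ssl_protocols directive: versions depend on the nginx "
                        "default; set it explicitly")
        return findings
    for protocols in directives:
        bad = [p for p in protocols if p in PROHIBITED]
        if bad:
            findings.append("prohibited SSL/early TLS enabled: " + " ".join(bad))
        old = [p for p in protocols if p in DEPRECATED]
        if old:
            findings.append("deprecated TLS 1.1 enabled: " + " ".join(old))
        if not any(p in ACCEPTABLE for p in protocols):
            findings.append("no TLS 1.2 or TLS 1.3 enabled")
    return findings


def is_pci_acceptable(config_text: str) -> bool:
    return audit_nginx(config_text) == []


# Constructed sample: the weak setting, typical of a config that predates 2018.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/shop.pem;      # hypothetical path
    ssl_certificate_key /etc/ssl/private/shop.key;    # hypothetical path
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample: the corrected setting (old line kept only as a comment).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/shop.pem;      # hypothetical path
    ssl_certificate_key /etc/ssl/private/shop.key;    # hypothetical path
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_nginx(cfg) or "OK")
```

The audit reads the configuration text rather than probing the live port, so it can run in a pre-deployment check; an ASV scan of the Internet-facing address remains the evidence PCI DSS actually asks for.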
High-assurance (OV or EV) SSL certificates provide the first tier of customer security and reassurance, such as the below, but there are other steps to achieve PCI compliance.
- A secure connection between the customer’s browser and the web server
- Validation that the website operators are a legitimate, legally accountable organization