The Payment Card Industry Security Standards Council (PCI SSC) is a global organization created in 2006 by several well-known credit card companies to develop and promote the adoption of security standards across the payment industry worldwide. The set of standards it established is called the PCI Data Security Standard (PCI DSS), with the latest version published in 2018. Aiming to prevent fraud, PCI DSS establishes the minimum requirements that any company that stores, handles or transmits cardholder information (e.g., payment account number, cardholder name) must satisfy.
PCI DSS applies to online stores and e-commerce sites, and even to businesses that accept credit card payments through third-party services such as PayPal. The applicable standards and the scope of compliance may differ according to the activities (including the volume of transactions) performed by each company involved in processing cardholder data. Although PCI SSC is not a government agency, a company whose cardholder data is stolen, or which simply fails to meet the requirements, faces sanctions. These penalties may include large fines (from thousands to millions of dollars) and even the loss of the privilege of accepting card payments, not to mention the damage to customers’ trust and to the company’s reputation.
Here is the list of requirements against which PCI DSS compliance is validated (for the full specification of requirements, sub-requirements and security assessment procedures, please consult the official document, Version 3.2.1):
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
Restrict access to cardholder data by business need to know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security for all personnel.
PCI DSS compliance must be an ongoing process. It involves identifying which cardholder information assets are in use, and under what procedures, before analyzing them for security vulnerabilities. It must also include remediating those vulnerabilities in order to shrink the attack surface, and sharing the corresponding documentation, i.e., compliance reports, with the banking companies concerned. Additionally, organizations should continuously monitor potential threats, perform penetration testing and seek expert advice to confirm compliance with this standard.
Ensuring compliance with up-to-date security standards can be a complicated matter for organizations whose business relies on continually evolving information technology. Fluid Attacks recognizes this and offers comprehensive testing and analysis to determine whether your company is effectively complying with all the corresponding security requirements.
Although Fluid Attacks’ Continuous Hacking service goes beyond the PCI DSS, testing around 200 technical security requirements in each of your projects, we can guarantee the detection of all vulnerabilities in your software associated with this standard. In addition, we provide you with reliable reports so that your team can take the steps needed to adjust and maintain your information systems in line with those requirements. This lets you avoid penalties and, above all, guarantees secure systems for your customers or users, thus preserving their continued trust.
All our security testing is based on Rules, a set of security requirements written by us in a comprehensible manner, using several international standards as a reference. It allows you to parameterize the assessments we make of your systems and to determine what your company agrees to comply with and what would be considered a vulnerability.