What PCI Requirements Apply to Us: Tackling a Common PCI DSS Compliance Challenge

Wednesday, August 21, 2013

Rohit Sethi


Determining which system components fall under PCI compliance can often be problematic for many companies. Here’s a brief overview of how to overcome this challenge, by my colleague Nima Dezhkam, principal consultant at Security Compass:

When it comes to PCI DSS (Payment Card Industry Data Security Standard) compliance assessments, scoping tends to become a major challenge. We normally break the problem of scoping down into two parts:

  1. What system components are in scope for PCI DSS
  2. Which PCI DSS requirements apply to the system components

One aspect of scoping involves determining which system components are included in, or connected to, the Cardholder Data Environment (CDE). The CDE normally includes any network component, server, or application that transmits, stores, or processes cardholder data.

The other aspect of scoping focuses on which PCI DSS requirements apply to the system components identified in the CDE.

The following rule helps with identifying the scope:

PCI DSS applies wherever Account Data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data, as listed below:

  • Account Data
    • Cardholder Data
      • Primary Account Number (PAN)
      • Cardholder Name
      • Expiration Date
      • Service Code
    • Sensitive Authentication Data
      • Full magnetic stripe data or equivalent on a chip
      • CAV2 / CVC2 / CVV2 / CID
      • PINs / PIN blocks

It is important to note that the defining factor in applicability of PCI DSS requirements is the Primary Account Number (PAN), also commonly known as the Credit Card number. If PAN is stored, processed, or transmitted then all PCI DSS requirements apply.

On the other hand, if PAN is not stored, processed, or transmitted anywhere in the environment, then no PCI DSS requirements apply.

Moreover, if cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment, they must be protected in accordance with all PCI DSS requirements except Requirements 3.3 and 3.4, which apply only to PAN. These two requirements cover masking the PAN when it is displayed and rendering stored PAN unreadable (for example by hashing or encryption).

Finally, it is also important to note that as a general rule none of the Sensitive Authentication Data can be stored in the environment at any time.
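As an added example (not from the original post or Security Compass), the following Python applies the scoping rule above to a constructed sample log: it finds candidate PANs using the Luhn check, masks any hits the way Requirement 3.3 describes, and reports whether the component that produced the log is in scope. The sample log, its values, and the function names are assumptions.

```python
import re

# Constructed sample log lines (not real card data). 4111111111111111 is a
# well-known test PAN that passes the Luhn check; the refund line carries a
# 16-digit value that fails it, so it should not be reported as a PAN.
SAMPLE_LOG = (
    "2013-08-21 10:02:11 checkout ok order=88213 pan=4111111111111111 exp=0816\n"
    "2013-08-21 10:02:12 checkout ok order=88214 token=tok_5f3a9c2b1d\n"
    "2013-08-21 10:02:13 refund ok order=88215 pan=4111111111111112\n"
)

# 13 to 19 digits, optionally separated by spaces or dashes, not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid candidate PANs (13-19 digits) found in free text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Requirement 3.3 style display masking: show at most first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scope_for(text: str) -> dict:
    """Apply the post's rule to one component's data: PAN present means every
    PCI DSS requirement applies to that component; PAN absent means none apply."""
    pans = find_pans(text)
    return {
        "in_scope": bool(pans),
        "pans_found": [mask_pan(p) for p in pans],  # never report the full PAN
    }

if __name__ == "__main__":
    print(scope_for(SAMPLE_LOG))
```

The timestamps and order numbers are ignored because they are too short or contain characters the pattern does not accept, and the Luhn check drops the refund line's near-miss value.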

Cross-posted from the Security Compass Labs blog.
