PCI DSS and SAD Standards

As an IT professional or MSP, can you keep your clients within PCI DSS requirements for SAD? Under the Payment Card Industry Data Security Standard (DSS), merchants are strongly encouraged not to store cardholder information after authentication, so it is important to make sure that your clients' systems strictly abide by these requirements, for the credibility of their businesses and the protection of their customers.

Remote management software from SolarWinds MSP highlights the importance of security to your customers, which is why our security features exceed the requirements of PCI DSS.

The Definition of PCI DSS Compliance

Here are some key things to know about the meaning of PCI Data Security Standard compliance:

  • Participants
    PCI compliance standards apply to any merchant that processes information or transactions for credit cards, debit cards or prepaid gift cards issued by American Express, Discover, JCB, MasterCard or Visa.
     
  • Relevancy
    The PCI compliance protocol is in place for point-of-sale, online and telephone transactions. The protected information includes the name of the cardholder, expiration date, service code, magnetic stripe data, card numbers, PINs and more.
     
  • Levels
    There are four different levels of PCI compliance, and each merchant falls into one of these four categories based on the number of annual transactions it processes. Level one is for merchants with over six million transactions per year, level two is for 1-6 million, level three is for 20,000 to one million and level four is for merchants with fewer than 20,000 per year.
     
  • Penalties
    The penalties for a breach of PCI compliance are not widely publicized but have been known to include fines ranging from $5,000 up to $100,000 for each month of non-compliance.
     
  • Third-party processors
    Companies that use a third-party credit card processor instead of their own internal system must still remain in compliance with PCI.

What Does SAD Mean in Accordance with PCI DSS?

Sensitive Authentication Data (SAD) is the information on a card used for authentication at the time of a purchase. This includes data from:

  • Full magnetic stripe
  • Card security code (CSC, CVV2, CID, CAV2)
  • PIN and/or PIN block

While this information is necessary when making a purchase by card, the merchant must comply with the PCI DSS standards and remove it from the merchant's systems. SAD may not be stored even in encrypted form; it must be deleted as soon as the purchase has been made.

These standards were set to reduce the risk of theft or fraud on an individual's credit card transaction.

    Exceed PCI DSS Compliance Standards with SolarWinds MSP

    While SolarWinds MSP solutions do not feature payment methods, our security software protects sensitive user data as it is stored and transferred between servers. We go beyond the formal PCI DSS requirements by:

    • Encrypting all data shared between customers and SolarWinds MSP solutions
    • Requiring a unique user ID and password in order to access systems
    • Enabling two-factor authentication and IP whitelisting
    • Logging all application activity to provide an audit trail
    • Logging out all accounts with idle dashboards

    Get More on PCI DSS and SAD Standards

    Frequently Asked Questions

    PCI DSS Requirement 9 Compliance

    In an article by TechTarget, security management expert Mike Rothman discusses the best way to comply with PCI DSS Requirement 9. Of the use of a camera system to help with monitoring, he says that "having a camera outside of the server room, which records with an unalterable time stamp who enters and exits the room, and then having sufficiently detailed log records pertaining to changes made on the servers and cardholder data access is enough."

    MSPs and IT professionals need remote management solutions that go beyond just the basic PCI DSS Requirement 9 standards. SolarWinds MSP offers remote management software that can help you keep your clients' cardholder data safe by giving you control over all aspects of network security. Our software includes features like encrypted data transfers, detailed application activity logs and advanced monitoring agents.

    What is PCI DSS Requirement 9?

    The Payment Card Industry (PCI) has a set of technical and operational requirements to protect cardholder data. These requirements apply to all entities (such as businesses and tech companies) that store, process or transmit cardholder data.

    There are 12 requirements in total, and in this article we'll take a look at PCI DSS Requirement 9 and discuss how to maintain compliance with these regulations.

    PCI DSS Requirement 9 requires that entities restrict physical access to cardholder data. It states, "Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted."

    PCI DSS Requirement 9 has ten sections you must follow in order to maintain PCI DSS compliance.

    In these ten sections, "onsite personnel" means full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity's premises. "Visitors" means vendors and guests who enter the facility for a short amount of time. "Media" means all paper and electronic media containing cardholder data.

    • 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
       
    • 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible. Give every user a unique ID: every user with access to the Cardholder Data Environment must have a unique ID, which allows a business to trace every action to a specific individual.
       
    • 9.3 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.
       
    • 9.4 Use a visitor log to maintain a physical audit trail of visitor information and activity, including visitor name, their company and the onsite personnel authorizing physical access. Retain the log for at least three months unless otherwise restricted by law.
       
    • 9.5 Store media back-ups in a secure location, preferably off site.
       
    • 9.6 Physically secure all media.
       
    • 9.7 Maintain strict control over the internal or external distribution of any kind of media. Classify media so the sensitivity of the data can be determined.
       
    • 9.8 Ensure that management approves any and all media moved from a secured area, especially when media is distributed to individuals.
       
    • 9.9 Maintain strict control over the storage and accessibility of media.
       
    • 9.10 Destroy media when it is no longer needed for business or legal reasons.

    PCI DSS Cloud Computing Guidelines and Compliance

    The Payment Card Industry Data Security Standard (PCI DSS) Cloud Computing Guidelines Information Supplement was published to extend the responsibility for securing credit card information to cloud computing providers. The supplement clearly defines the security responsibilities of the cloud provider and the cloud customer.

    The supplement clarifies what is required to protect customers' credit card information and to support PCI DSS compliance in the cloud. Any business that conducts credit card transactions is obliged to comply with PCI DSS. But as businesses increasingly contract hosted data centers, often cloud-based storage, to warehouse their customers' information, the PCI Security Standards Council needed to explicitly extend compliance to these vendors as well.

    According to the Payment Card Industry Security Standards Council, the responsibility of securing credit card information is shared by both the cloud service provider and its clients. However, the ultimate responsibility for PCI DSS compliance lies with the cloud customer who stores cardholder data with a third-party service provider. The supplement helps organizations with the following:

    • Cloud overview. It explains different models of cloud services and how compliance implementation may vary within different types. 
    • Cloud provider and cloud customer roles and responsibilities. The supplement outlines different roles and responsibilities across different cloud models. It also provides guidance on determining and documenting responsibilities for cloud providers and their customers. 
    • PCI DSS considerations. The supplement provides guidance and examples to help determine responsibilities for specific PCI requirements. 
    • PCI DSS compliance challenges. The supplement describes some of the challenges with demonstrating and documenting PCI DSS compliance for cloud providers.

    Cloud computing service providers must meet the requirements of PCI DSS according to the guidelines agreed between providers and their clients. But if there is a security breach, the businesses conducting transactions via the cloud will suffer the consequences, and not just legal ones. That is why it is important to choose cloud vendors whose software is designed to be PCI DSS compliant.

    Even though SolarWinds MSP is not required to comply with PCI DSS guidelines, it goes above and beyond them and is in fact stricter than the guidelines themselves.

    PCI DSS Meaning

    PCI is the acronym used for the Payment Card Industry. The PCI Data Security Standard is a set of compliance standards in place for the way companies process, store and transmit payment card information.

    These compliance measures pertain to any company or organization that accepts, stores or transmits data of payment card holders. The standards are managed by the PCI Security Standards Council and are in place to help combat credit card fraud, identity theft and fraud on consumer transactions.

    The Role of Encryption in DSS

    The PCI DSS is made up of six components to maintain the safe handling of cardholder data. Encryption is just one of these six objectives.

    According to the objective, merchants and organizations must:

    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks

    In other words, cardholder information must be encrypted whenever it is stored or transmitted. Encrypting files involves the conversion of information into an unintelligible form that can only be decrypted by the holder of a designated cryptographic key.

    The details of the PCI DSS encryption protocol include:

    • Transparent Data Encryption (TDE) or full disk encryption (recommended)
    • Keys must be changed at least once a year
    • The use of Extensible Key Management with a third-party encryption provider is recommended
    • The full card number should not be visible in clear text anywhere in the database
    • An external program should be used to retrieve the card number when necessary, and access to that program should be kept limited
    • Secure Sockets Layer (SSL) encryption should be configured

    Merchants and organizations that must adhere to PCI DSS regulations must implement an encryption protocol. 
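The two rules above that a merchant's own software has to enforce, that SAD is never written to storage and that the full card number is never visible at rest, as an added example in Python (not SolarWinds code and not part of the original page). It also covers the earlier SAD section: the field names, the sample authorization record and the well-known test card number are constructed, and the scan function is a defender's check for track data or an unmasked PAN that has leaked into a log line or database dump.

```python
import re

# Field names that carry Sensitive Authentication Data (constructed names for this example).
# PCI DSS: never stored after authorization, not even encrypted.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "csc", "cid", "cav2", "pin", "pin_block"})

# Track 1: '%B' PAN '^' name '^' expiry ...   Track 2: PAN '=' YYMM service-code ... '?'
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r"(?<!\d)\d{13,19}=\d{4}\d{3}\d*\?")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # bare 13-19 digit run, Luhn-checked below

SAMPLE_AUTH = {  # constructed authorization record; 4111... is a well-known test PAN
    "pan": "4111111111111111", "expiry": "2512", "amount": "19.99", "auth_code": "Z9Y8X7",
    "cvv2": "123", "track2": "4111111111111111=25121010000000000000?",
    "pin_block": "A1B2C3D4E5F60718",
}

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives when hunting bare PANs in text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything between is masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def record_for_storage(txn: dict) -> dict:
    """Drop every SAD field and mask the PAN before anything is written to disk."""
    stored = {k: v for k, v in txn.items() if k.lower() not in SAD_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored

def find_sad(text: str) -> list:
    """Defender's check: flag track data or an unmasked PAN in a log line or DB dump."""
    findings = [name for name, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)) if rx.search(text)]
    if not findings and any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        findings.append("unmasked_pan")
    return findings

if __name__ == "__main__":
    print(record_for_storage(SAMPLE_AUTH))
    print(find_sad("auth ok track2=4111111111111111=25121010000000000000?"))
```

Running `find_sad` over stored records and application logs is the cheap way to catch the most common failure, SAD or full PANs landing in debug output.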

    What does FINRA stand for?

    The Financial Industry Regulatory Authority (FINRA) is an independent, not-for-profit organization authorized by the U.S. Congress to protect investors by ensuring the securities industry operates fairly. FINRA not only provides basic protections to investors, but ensures that every securities product on the market is tested, qualified and licensed.

    According to FINRA.org, "FINRA's mission is to safeguard the investing public against fraud and bad practices. We pursue that mission by writing and enforcing rules and regulations for every single brokerage firm and broker in the United States, and by examining broker-dealers for compliance with our own rules, federal securities laws and rules of the Municipal Securities Rule-making Board."

    Additionally, FINRA makes certain that:

    • Securities products sold to an investor are appropriate for that investor's needs
    • Investors receive complete disclosure about the investment product before purchase
    • Every securities product advertisement used is truthful and not misleading
    • Every investor receives the basic protections they deserve

    FINRA Compliant Security Solutions

    SolarWinds MSP develops FINRA compliant IT management and security solutions that help MSPs protect and manage customer networks, servers, devices and machines.

    In addition to satisfying a host of regulatory compliance requirements, including FINRA, HIPAA and PCI DSS, SolarWinds MSP enables managed service providers to conduct automatic risk assessments to calculate an organization's risk of a data breach (and how much money it will likely cost).  

    About SolarWinds MSP

    SolarWinds Remote Monitoring and Management

    • Provides the best IT security available today, with a mix of proactive, detective, and reactive security
    • Deployed on millions of endpoints across hundreds of thousands of networks
    • Get access to the many tools that make designing a secure network easier and more efficient