Analysis of PCI DSS compliance for credit card acquirers and card issuers

In recent years, credit card security issues have received much attention. The Payment Card Industry Data Security Standard (PCI DSS) is the most authoritative and widely adopted best practice in the world for building information security compliance and carrying out security assessments. Worldwide, many credit card acquirers, issuers, merchants and payment service providers have completed compliance assessments or are working towards compliance. In China, PCI DSS compliance assessment of service providers has been widely accepted and recognized: payment service agencies such as fast money, Epro payment, Shouxinyi payment, Shengfutong and Oncard Payments have completed PCI DSS compliance construction and continue to pass assessment by atsec as a neutral third party. In the past two years, the PCI DSS compliance construction of credit card acquirers and card issuers at domestic banks has also received more and more attention. As a card organization, VISA also treats the PCI DSS compliance of acquiring and issuing institutions as a top priority of its risk management requirements. Over the years, VISA has implemented a global risk management system based on PCI-related requirements, such as Account Information Security (AIS) in the Asia Pacific region.

This article shares some of the experience of acquiring institutions and card issuers in PCI DSS compliance construction, from the perspective of atsec's independent third-party assessment and VISA's risk management, in the hope of playing a small role in promoting domestic credit card security.

PCI DSS compliance value

The PCI DSS standard sets out a number of security baseline requirements covering the information security management system, network security, physical security and data encryption. No information security standard or security programme can guarantee 100% protection against security risks, but industry experience shows that where PCI DSS is implemented and the cardholder data environment is continuously protected in strict accordance with its requirements, the likelihood of a security incident is greatly reduced.

Beyond the many specific technical and security improvements it drives, the value of a PCI DSS compliance assessment can be summarized as follows:

Identify and uncover weaknesses in the organization that could be attacked, through an assessment by an external, independent third-party assessment agency, raising the customer's security level and reducing security risk.
Improve personnel security awareness and the compliance of the management system, which shapes a well-functioning corporate image; the verification results can be formalized and compliance publicly recognized, enhancing the confidence and satisfaction of business partners, regulatory agencies and authorities.
Building a management system that covers customers, partners, supplier organizations and internal departments further strengthens the organization's internal management and control:
  Strengthen high-level security management; integrate high-level policies into specific business processes, operational processes, and personnel and financial management processes; and simplify and improve record keeping through working templates and tools.
  Use metrics to obtain management support, so that management and technical staff discuss security in a common language and the company's practical security protection is strengthened.
  A neutral, independent external audit trusted by management shares some of the burden of management review.
  Improve security awareness and a full understanding of the corporate culture.
  Strengthen investor confidence.
Compliance can reduce many costs and expenses:
  Effectively manage and reduce the impact of security incidents and the cost of handling risks; detailed risk management, business continuity and emergency response arrangements directly reduce the risk of major events.
  Through compliance audits and certification, external reviews or inquiries in other areas, such as the frequent due diligence requested by Western clients or in the legal field, can be reduced.
  Insurance premiums can be reduced, directly lowering the long-term cost of necessary insurance, or insurance coverage can be increased.
  Through the clear assignment of responsibility in the management system, security work can be shared with the relevant personnel.
Compliance construction and certification have market value, give an absolute advantage within the same industry, and improve competitiveness.
Compliance construction and certification establish an internationally trusted and recognized platform for global information exchange. It is an important factor for an organization presenting itself on the world stage, and is also likely to be a prerequisite.

Finally, I would like to say that PCI DSS is a baseline requirement for every organization in the payment industry chain: it applies to all organizations in this chain that store, process or transmit cardholder data (such as the credit card primary account number). Only with the joint participation of all of them, and a comprehensive implementation of compliance, can cardholder data truly be protected and the risk of credit card theft reduced.

Compliance focus and difficulty

PCI DSS is a technical baseline standard that is largely compatible and interoperable with ISO/IEC 27001 and its family of information security management system standards. However, PCI DSS focuses specifically on cardholder data protection, and its requirements are more specific and detailed. In that sense, PCI DSS compliance construction is not easy, because clear compliance with every single requirement must be achieved.

The first and most important step in PCI DSS compliance work is determining the scope. The PCI DSS standard encourages organizations to streamline the cardholder data environment in a reasonable manner, which not only reduces the difficulty and duration of the assessment but also reduces the risk the organization bears in processing cardholder data.

Based on atsec's project experience and industry practice, the whole PCI DSS compliance construction is divided into six milestones, prioritized by their contribution to achieving the PCI DSS compliance goals. The objective of each milestone is as follows:

The goal of the first milestone is to remove sensitive authentication data and to limit the retention of cardholder data, eliminating storage in unnecessary locations and storage without a business need;
The goal of the second milestone is to protect the network perimeter, internal networks and wireless networks;
The goal of the third milestone is to secure payment card applications;
The goal of the fourth milestone is to monitor and control access to systems;
The goal of the fifth milestone is to protect stored cardholder data;
The goal of the sixth milestone is to complete all remaining compliance efforts and ensure that all control measures are in place.

From the data security perspective, sensitive data and cardholder data should be managed effectively: the fewer the storage locations, the lower the risk and the smaller the overall difficulty of achieving compliance.

First, an acquirer must securely delete sensitive authentication data once authorization is complete. Sensitive authentication data includes the full magnetic stripe data, CVC2/CVV/CID/CAV2, and the PIN or PIN block. A card issuer may store sensitive authentication data, but it must be protected; introducing strong encryption mechanisms and key management techniques, for example, is a very effective and common practice.

Cardholder data refers to the credit card holder's primary account number (PAN), the cardholder's name, expiration date and service code. Cardholder data should not be stored anywhere it is not needed. Where it must be kept, consider truncation (retaining only the first six and last four digits of the card number), a one-way hash, or tokenization based on a strong encryption algorithm (refer to the PCI guidance on token solutions, Tokenization_Guidelines_Info_Supplement). For cardholder data that must be stored, the common practice is strong encryption together with strict management of the encryption keys.
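The truncation and one-way hash options just described, as an added example that is not code from the article or from atsec: it assumes a keyed hash (HMAC-SHA256) whose secret is held by the key management system, and uses a constructed test card number.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// LuhnValid checks the Luhn checksum every PAN carries and the 13-19 digit length.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
		}
		sum += d/10 + d%10 // digit sum of d, i.e. d-9 when d > 9
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// TruncatePAN keeps only the first six and last four digits; the rest become '*'.
func TruncatePAN(pan string) (string, error) {
	if !LuhnValid(pan) {
		return "", fmt.Errorf("not a valid PAN")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// HashPAN is a one-way keyed hash (HMAC-SHA256). The secret matters: PCI DSS requires
// that a hashed PAN and a truncated copy of the same PAN cannot be correlated.
func HashPAN(pan string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	pan := "4111111111111111" // constructed test number, not a real account
	fmt.Println(TruncatePAN(pan))
	fmt.Println(HashPAN(pan, []byte("constructed-secret-from-key-management")))
}
```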

The strong encryption algorithms approved by PCI DSS are generally consistent with FIPS 140, the most authoritative standard in the field of cryptography, issued by NIST. Current strong encryption algorithms include, but are not limited to, the following (the recognized algorithms and key strengths are updated continually as industry experience accumulates):

Symmetric algorithms:
  AES, 128 bits or more (256 bits recommended)
  TDES, 128 bits (256-bit, 3-key recommended)
  SKIPJACK / ESS, 128 bits (256 bits recommended)
Asymmetric algorithms:
  RSA, 1024 bits (2048 bits or more recommended)
  DSA, 1024 bits (2048 bits or more recommended)

If a strong encryption algorithm is used to protect cardholder data, the organization first needs to design the key management system. The main considerations are:
How many keys are used to build the key management system?
Which algorithm (symmetric or asymmetric) and what key length are used?
Key storage protection (preventing unauthorized access to and modification of keys)
Secure distribution of keys (ensuring that keys are protected during transmission)
The process for replacing keys that have expired, been leaked or been weakened
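One way to structure such a key management system, as an added example that is not code from the article or from atsec: the data-encrypting key (DEK) that encrypts stored PANs is itself kept only wrapped under a key-encrypting key (KEK) with AES-256-GCM, so an expired or compromised KEK is retired by re-wrapping the DEK rather than re-encrypting all stored data. The KEK/DEK split, the function names and the choice of AES-GCM are assumptions of this example, not requirements stated in the article; the DEK is assumed to be 32 random bytes from crypto/rand, wrapped with Seal(kek, dek) before it is stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AEAD builds an AES-GCM cipher for a 16-, 24- or 32-byte key (32 bytes = AES-256).
func AEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts pt under g with a fresh random nonce, which is prepended to the output.
func Seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // CSPRNG failure: refuse to encrypt rather than risk a reused nonce
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// Open reverses Seal; a wrong key or any tampering returns an error, never garbage.
func Open(g cipher.AEAD, ct []byte) ([]byte, error) {
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// RotateKEK re-wraps the DEK under a new KEK. PAN ciphertexts made with the DEK
// stay valid, so an expired or compromised KEK is retired without re-encrypting
// the stored data; the old KEK is destroyed once the re-wrap is confirmed.
func RotateKEK(oldKEK, newKEK cipher.AEAD, wrapped []byte) ([]byte, error) {
	dek, err := Open(oldKEK, wrapped)
	if err != nil {
		return nil, err
	}
	return Seal(newKEK, dek), nil
}
```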
