🦉
Programming Notes
  • My Programming Notes
  • CKA Exam Preparation
    • Certified Kubernetes Administrator
    • Setup Minikube
    • Network Design Principles
    • Role-Based Access Control (RBAC)
    • Namespace
    • Resource Quota
    • Pod
    • Deployment
    • Deployment: Rollout
    • ConfigMap
    • Service
    • Service: kubectl expose
    • Pod: Resources Management
    • Pod & Container: Quality of Service Class
    • Pod & Container: Probes
    • Limit Range
    • Scaling: Manual
    • Scaling: Horizontal Pod Autoscaler
    • Persistent Volume & Claim
    • Secret
    • Ingress: Routing
    • Ingress: TLS
    • Ingress: Rate Limit
    • Ingress: Basic Auth
    • Ingress: CRD (Custom Resource Definition)
    • Job
    • CronJob
    • Mutli-Node Cluster
  • Golang
    • Generics
    • Context
    • Goroutines and Channels in Go
    • Goroutine: Concurrency vs Parallelism
    • Goroutine: Performance & Tradeoffs
    • JSON: omitzero
  • Rust
    • Arrays & Slices
    • Closures
    • Generics & Traits
    • Iterators
    • Run Code Simultaneously
    • String vs &str
    • Tests
    • Rustlings Exercises
      • Variables
      • Functions
      • If
      • Primitive Types
      • Vectors
      • Move Semantics
      • Structs
      • Enums and Matching Pattern
      • Strings
      • Modules
      • Hashmaps
      • Options
      • Error Handling
      • Generics
      • Traits
      • Lifetimes
      • Tests
      • Iterators
      • Smart Pointers
      • Threads
      • Macros
      • Quiz 1
      • Quiz 2
      • Quiz 3
  • Software Engineering
    • CAP Theorem
    • Circuit Breaker
    • Decoupling
    • GraphQL: Query Caching
    • HMAC Signature
    • Idempotency
    • Monolith VS Microservice
    • OWASP Top 10 2021
    • PCI DSS
    • PostgreSQL: Partitioning
    • PostgreSQL: Replication
    • Protobuf & gRPC
    • Redis: Streams
    • Resource Scaling
    • Signed URL
    • SOLID
    • Stack VS Heap
    • Stateful VS Stateless
  • Site Reliability Engineering
    • Chaos Engineering
    • Distributed Tracing
    • Kubernetes (k8s)
    • SLA, SLO, and SLI Metrics
    • Site Reliability Engineer
  • Others
    • FFMPEG Cheat sheet
Powered by GitBook
On this page
  • Goals and Requirement
  • Key Concepts in PCI DSS
  • Compliance Levels
  • Examples of PCI DSS in Practice
  • E-commerce Site
  • Point-of-Sale System
  • Data Centers
  1. Software Engineering

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was established by the PCI Security Standards Council (PCI SSC), which was founded by major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).

The primary goal of PCI DSS is to protect cardholder data from theft and fraud. It defines both technical and operational requirements for securing payment data.

Goals and Requirement

PCI DSS is organized into 6 goals and 12 requirements, which are summarized below:

1. Build and Maintain a Secure Network and Systems

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data (e.g., encrypt sensitive data at rest).

  • Requirement 4: Encrypt transmission of cardholder data across open, public networks (e.g., use TLS).

3. Maintain a Vulnerability Management Program

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software.

  • Requirement 6: Develop and maintain secure systems and applications (e.g., patch vulnerabilities).

4. Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data to only those who need it to perform their job.

  • Requirement 8: Identify and authenticate access to system components (e.g., use multi-factor authentication).

  • Requirement 9: Restrict physical access to cardholder data.

5. Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data (e.g., logging and monitoring).

  • Requirement 11: Regularly test security systems and processes (e.g., penetration testing and vulnerability scanning).

6. Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for all personnel.

Key Concepts in PCI DSS

Cardholder Data (CHD): Data that must be protected includes:

  • Primary Account Number (PAN)

  • Cardholder name

  • Expiration date

  • Service code

Sensitive Authentication Data (SAD): Data that must not be stored after authorization:

  • Full magnetic stripe data

  • CVV (Card Verification Value)

  • PIN or PIN block

Scope: PCI DSS applies to all systems involved in processing or storing cardholder data, including:

  • Applications

  • Databases

  • Servers

  • Network devices

Compliance Levels

The PCI DSS compliance requirements vary depending on the number of payment transactions processed annually. There are four levels:

  • Level 1: Over 6 million transactions annually.

  • Level 2: Between 1 million and 6 million transactions annually.

  • Level 3: Between 20,000 and 1 million e-commerce transactions annually.

  • Level 4: Fewer than 20,000 e-commerce transactions annually or up to 1 million overall.

Examples of PCI DSS in Practice

E-commerce Site

  • Ensures all cardholder data is transmitted securely using HTTPS (TLS).

  • Uses tokenization or encryption to store card data.

  • Implements a firewall to isolate sensitive systems.

Point-of-Sale System

  • Ensures that POS devices do not store sensitive authentication data after authorization.

  • Applies strong access controls to restrict who can access systems.

Data Centers

  • Restricts physical access to cardholder data.

  • Logs all access to servers containing sensitive information.

PreviousOWASP Top 10 2021NextPostgreSQL: Partitioning

Last updated 3 months ago