Payment industry reference materials

PAYMENT INDUSTRY REFERENCE MATERIAL  Used in my work developing firmware for payment terminals

GENERAL

• • The PCI Security Standards Council issues standards to be used in securing payment transactions within the Payment Card Industry.

DOCUMENTS.  Most, if not all, of the following documents were found in the documents library of the PCI Security Standards Council website:

• PCI SSC Data Security Standards Overview

• PCI DSS Quick Reference Guide

  • Navigating PCI DSS is a PDF document that provides an overview of PCI DSS requirements.  The following is from the document's preface:

  • "This document describes the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, along with guidance to explain the intent

  • of each requirement. This document is intended to assist merchants, service providers, and financial institutions who may want a clearer

  • understanding of the Payment Card Industry Data Security Standard, and the specific meaning and intention behind the detailed requirements to

  • secure system components (servers, network, applications, etc.) that support cardholder data environments."

• PCI DSS - Requirements and Security Assessment Procedures

  • The PCI DSS Self Assessment Questionaire (SAQ) provides the "tools" needed to perform a self-assessment for PCI DSS compliance.

• Glossary of terms for PCI DSS and PA-DSS

BLOGS AND WEBSITES - SECURITY

• • Data Breach Today

  • Krebs on Security is a blog written by Brian Krebs that covers security related stories.

BLOGS AND WEBSITES - PAYMENTS

• • Digital Transactions

TERMINOLOGY

• • Online Payment Processing Definitions, a reference document hosted by the Credit Research Foundation

  • ASV: Approved Scanning Vendor; someone who assesses compliance with PCI DSS scan requirements

  • CDE: Cardholder Data Environment; location(s) of cardholder data within the application(s)

  • DSS: Data Security Standard

  • DUKPT: Derived Unique Key Per Transaction

  • MAC: Message Authentication Code

  • MIC: Message Integrity Code

  • PA-DSS: Payment Application Data Security Standard

  • PAN: Personal Account Number

  • PCI: Payment Card Industry

  • PCI DSS: Payment Card Industry Data Security Standard

  • PCI PED: (Deprecated -- superceded by PCI PTS) Payment Card Industry Pin

  • PCI PTS: Payment Card Industry Pin Transaction Security

  • PED: PIN Entry Device

  • PIN: Personal Identification Number

  • PTS: PIN Transaction Security

  • QSA: Qualified Security Assessor; someone who assesses compliance with PCI DSS

FURTHER READING

• • Cryptographic Tools, from RSA Laboratories