PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for protecting cardholder data wherever it is stored, processed or transmitted by merchants, service providers and other organizations. The standard is managed by the PCI Security Standards Council (PCI SSC), founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The DSS details 12 high-level requirements that merchants and service providers must meet to be assessed as “compliant”. Compliance, however, is only a measure of progress toward the real goal of the program: keeping cardholder data and card transactions safe for customers. The requirements, grouped under the standard's six control objectives, are:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Each requirement is broken down into specific sub-requirements and testing procedures, all of which are detailed in the current version of the DSS specification.

Additional Information

Visa Cardholder Information Security Program (CISP)

Mastercard Security Portal

Trustwave Network Scanning and Compliance Validation