PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies such as Visa, MasterCard and American Express as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined. Merchants and payment card service providers must validate their compliance periodically.
Requirements:

The current version of the standard (1.1) specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives." The control objectives and their requirements are:
- Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update anti-virus software
  - Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security