The Payment Card Industry Data Security Standard, or PCI DSS for short, is a set
of requirements that all businesses—regardless of size—must adhere to in order to
accept payment cards. The purpose is to ensure the security of cardholder data and
to help prevent credit card fraud, hacking, and other security issues. It is enforced
by the major credit card companies that make up the Payment Card Industry Security
Council—American Express, Discover, JCB, MasterCard and Visa.
PCI DSS Requirements
The twelve PCI DSS requirements catalog best practices that businesses should follow
when handling customers’ payment cards or payment card information. They are broken
down into six different categories:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
The first version of PCI DSS was introduced in September 2006. At that time, the
PCI Security Standards Council established a continual two-year cycle of review
and revision of PCI DSS. Accordingly, in October 2008 a second version was released
with minor changes and clarifications. The first version will no longer be in effect after
December 31, 2008.
Merchants fall under four categories of PCI compliance, depending on the number of
transactions they process each year and whether those transactions are performed at a
brick-and-mortar location or over the Internet. All merchants that process credit
cards—whether small or large—must be PCI compliant.
Element Payment Services is on the board of the PCI Security Standards Council and
is equipped to help you understand and comply with PCI DSS, whether you are a
software provider or a merchant.
To learn more about PCI DSS Requirements, download our PCI DSS white paper.