Payment Card Industry, Data Security Standard (PCI/DSS)


The Payment Card Industry Security Standards Council was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The PCI Security Standards Council created the Data Security Standard. The Payment Card Industry (PCI) Data Security Standard applies to all members, merchants, and service providers that store, process, or transmit credit or debit cardholder data. These security requirements also apply to all "system components," defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, Web, database, authentication, Domain Name Service (DNS), mail, proxy, and Network Time Protocol (NTP) servers. Applications include all purchased and custom applications, including internal and external (Web) applications.


The following 12 Requirements comprise the Payment Card Industry Data Security Standard (PCI/DSS):


1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data and sensitive information across public networks.

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security.
