The Payment Card Industry Security Standards Council (PCI SSC) (the council) is an open global forum, launched in 2006, and is responsible for the development, management, education, and awareness of the actual Payment Card Industry Standards (PCI), including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. As for the major payment brands (AMEX, VISA, MasterCard, Discover & JCB), they are the council’s founding payment brands and are actively involved in many aspects of the actual PCI security compliance initiatives themselves.
In simpler terms, it is about ensuring the protection of cardholder data being stored, processed, or transmitted by merchants, service providers, and other affiliated entities. Stop and think about all the organizations that “touch” credit cards, and one can quickly see how widespread the adoption of PCI actually is. Name an industry or business sector, and chances are highly likely – almost certain – that PCI is a large and notable presence, one that requires constant effort and attention.
At a high level, that is what PCI is. The PCI DSS itself consists of what are known as the twelve core “requirements”: mandates for protecting cardholder data, listed below by category.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt the transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
Each of the 12 requirements is there for an obvious reason: to provide security measures consisting of various policies, procedures, processes, and practices. From highly technical systems administrators to non-technical end-users, everyone can benefit from the following tips, suggestions, and guidelines for the 12 PCI “Requirements.”