Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS sets out 12 requirements for any business that stores, processes or transmits payment cardholder data. Together these requirements provide the framework for a secure payments environment. Every merchant, regardless of size, must adhere to the standard in order to accept payment cards and to store, process and/or transmit cardholder data.
| PCI DSS Requirement | Description of Requirement |
|---|---|
| 1 | Install and maintain a firewall configuration to protect cardholder data |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
| 3 | Protect stored cardholder data |
| 4 | Encrypt transmission of cardholder data across open, public networks |
| 5 | Protect all systems against malware and regularly update anti-virus software or programs |
| 6 | Develop and maintain secure systems and applications |
| 7 | Restrict access to cardholder data by business need-to-know |
| 8 | Identify and authenticate access to system components |
| 9 | Restrict physical access to cardholder data |
| 10 | Track and monitor all access to cardholder data and network resources |
| 11 | Regularly test security systems and processes |
| 12 | Maintain a policy that addresses information security for all personnel |
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) consists of the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. System components are the network devices, servers, computing devices and applications in or connected to the CDE, including but not limited to:
- Systems that provide security services (e.g. authentication servers), facilitate segmentation (e.g. internal firewalls), or may affect the security of the cardholder data environment (e.g. web redirection servers).
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, and virtual applications/desktops.
- Network components such as firewalls, switches, routers, wireless access points, network appliances and other data security appliances.
- Server types, including web, application, database, authentication, mail, proxy, Network Time Protocol (NTP) and Domain Name System (DNS) servers.
- Applications, including all purchased and custom applications, both internal and external (e.g. internet-facing) applications.
- Any other component or device located within or connected to the cardholder data environment (e.g. a stand-alone credit card terminal, or a PC used to enter cardholder data on behalf of the cardholder).
The following links provide information on cardholder data security published by the Payment Card Industry Security Standards Council and the payment card brands.
- Payment Card Industry Data Security Standard (PCI DSS)
- PCI DSS Quick Reference Guide
- Visa U.S.A. Cardholder Information Security Program (CISP)
- Mastercard International Site Data Protection (SDP) Program
- American Express Data Security Standards (DSS)
- Discover Information Security and Compliance (DISC) Program
- PCI Glossary of Terms