Washington State University

PCI Data Security Standard


Payment Card Industry Data Security Standard (PCI DSS)

The data security standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements provide the framework for a secure payments environment. Any merchant of any size must adhere to the standard in order to accept payment cards and to store, process, and/or transmit cardholder data.

PCI DSS Requirement    Description of Requirement
1                      Install and maintain a firewall configuration to protect cardholder data
2                      Do not use vendor-supplied defaults for system passwords and other security parameters
3                      Protect stored cardholder data
4                      Encrypt transmission of cardholder data across open, public networks
5                      Protect all systems against malware and regularly update anti-virus software or programs
6                      Develop and maintain secure systems and applications
7                      Restrict access to cardholder data by business need-to-know
8                      Identify and authenticate access to system components
9                      Restrict physical access to cardholder data
10                     Track and monitor all access to cardholder data and network resources
11                     Regularly test security systems and processes
12                     Maintain a policy that addresses information security for all personnel

The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) comprises the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. System components are the network devices, servers, computing devices and applications in that environment, and include, but are not limited to:

  • Systems that provide security services (e.g. authentication servers), facilitate segmentation (e.g. internal firewalls), or may affect the security of the cardholder data environment (e.g. web redirection servers).
  • Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, and virtual applications/desktops.
  • Network components such as firewalls, switches, routers, wireless access points, network appliances and other data security appliances.
  • Server types, including web, application, database, authentication, mail, proxy, Network Time Protocol (NTP) and Domain Name System (DNS).
  • Applications, including all purchased and custom applications, and both internal and external (e.g. internet-facing) applications.
  • Any other component or device located within or connected to the cardholder data environment (e.g. a stand-alone credit card terminal, or a PC used to enter cardholder data on behalf of the cardholder).

The following links provide information on cardholder data security published by the Payment Card Industry Security Standards Council and the payment card brands.

    E-Commerce, PO Box 641025, Pullman, WA 99164-1025, Contact Us