PCI/DSS Security

The PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was created by the major credit card companies (Visa, Mastercard, American Express, Discover, etc.) and is administered by the Payment Card Industry Security Standards Council.

The standard's requirements are grouped under the following goals:

  1. Build and Maintain a Secure Network and Systems: This includes installing and maintaining firewalls, changing vendor-supplied defaults, and protecting stored cardholder data.  
  2. Protect Cardholder Data: This involves protecting stored data and encrypting transmission of cardholder data across open, public networks.  
  3. Maintain a Vulnerability Management Program: This includes using and regularly updating anti-virus software and developing and maintaining secure systems and applications.  
  4. Implement Strong Access Control Measures: This involves restricting access to cardholder data by business need-to-know, assigning a unique ID to each person with computer access, and restricting physical access to cardholder data.  
  5. Regularly Monitor and Test Networks: This includes tracking and monitoring all access to network resources and cardholder data and regularly testing security systems and processes.  
  6. Maintain an Information Security Policy: This involves maintaining a policy that addresses information security for all personnel.  

Compliance with PCI DSS is mandatory for all organizations that handle cardholder data. Validation of compliance is performed annually or quarterly, depending on the volume of transactions, and can involve self-assessment questionnaires or audits by qualified security assessors.  

The goal of PCI DSS is to protect cardholder data and reduce credit card fraud by ensuring that companies that interact with credit cards maintain a secure environment.

By adhering to the PCI DSS requirements, organizations can help to ensure the safety of their customers’ sensitive information.

March 29th, 2024 by