PCI DSS Regulations and Compliance
PCI DSS - Payment Card Industry Data Security Standard
More than 234 million records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse.org. As a merchant, you are at the center of payment card transactions, so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data. Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem, including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.
Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5). Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.
Risky Behavior
A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk:
- 81% store payment card numbers
- 73% store payment card expiration dates
- 71% store payment card verification codes
- 57% store customer data from the payment card magnetic stripe
- 16% store other personal data
PCI DSS follows common-sense steps that mirror best security practices. The DSS applies globally to all entities that store, process or transmit cardholder data. PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
The PCI Data Security Standard
The PCI DSS version 1.2 is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of common-sense steps that mirror best security practices.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
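As an added example, not taken from the PCI guide itself, the check below addresses requirement 3 and the storage habits reported in the survey above: it scans a stored record or log line for clear-text card numbers (Luhn-validated so order ids and timestamps are not flagged) and for sensitive authentication data such as verification codes or magnetic-stripe track contents, and masks any card number it finds. The field names, regular expressions and sample log line are constructed assumptions, not values from the standard.

```python
import re
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names under which sensitive authentication data (verification codes,
# full track contents, PINs) leaks into logs; none may be stored after authorization.
SAD_FIELDS = ("cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin")
# Magnetic-stripe sentinels: track 1 starts "%B<PAN>^", track 2 starts ";<PAN>=".
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that card numbers satisfy; filters out order ids, timestamps etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact(record: str) -> str:
    """Replace every Luhn-valid PAN in a record with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, record)

def audit_record(record: str) -> dict:
    """Flag a record or log line holding a clear-text PAN or sensitive auth data."""
    findings = {"unmasked_pan": find_pans(record), "sensitive_auth_data": []}
    for field in SAD_FIELDS:
        if re.search(r"\b" + field + r"\s*[=:]", record, re.IGNORECASE):
            findings["sensitive_auth_data"].append(field)
    if TRACK_RE.search(record):
        findings["sensitive_auth_data"].append("track_data")
    return findings

# Constructed sample log line; 4111... is a well-known test number, not a real card.
SAMPLE = "2024-05-01 order=1234567890123456 card=4111 1111 1111 1111 cvv=123 exp=12/29"
```

Running `audit_record` over a log export or database dump is a cheap first pass for finding the stored card numbers and verification codes the survey describes; `redact` shows the masked form the same data should take wherever it must be displayed.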