Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information
security standard assembled by the Payment Card Industry Security Standards
Council. The standard was created to help organizations that process card
payments prevent credit card fraud through increased controls around data
and its exposure to compromise. The standard applies to all organizations
which hold, process, or pass cardholder information from any card branded
with the logo of one of the card brands of the organizations members.
There are 12 requirements for compliance organized into 6 logically related
groups as follows.
Objectives & PCI DSS Requirements
and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
a vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected
6. Develop and maintain secure systems and applications
Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data
Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
an Information Security Policy
12. Maintain a policy that addresses information security.
and enforcing an "Imprinted Sales Slip
or Printed Receipt Security Policy" governing the storage of imprinted
cardholder data and limiting access to that data is an important control.
It is also important that the policy contain a provision for the regular purging
and secure disposal of this data after its period of usefulness for processing
a sale or responding to a chargeback inquiry has passed.
back to troubleshooting menu