PCI DSS Compliance

The Payment Card Industry Security Standards Council (PCI SSC) was formed on September 7, 2006 by five of the most prestigious financial service institutions: Visa International, MasterCard Worldwide, JCB, Discover Financial Services, and American Express. The council manages the evolution of the security standard known as the PCI Data Security Standard (PCI DSS), against which businesses measure their own security policies, procedures, and guidelines.

The PCI DSS began as five separate programs: VISA Cardholder Information Security Program, MasterCard Site Data Protection, JCB Data Security Program, Discover Information Security and Compliance (DISC), and American Express Security Operating Policy. The goals of these programs were aligned with protecting card issuers by ensuring merchants meet minimum levels of security when they store, process and transmit cardholder data.

If you are a merchant that accepts any payment cards (such as, but not limited to, credit, debit, pre-paid, e-purse, ATM or POS cards), then you are required to be compliant with the PCI Data Security Standard. Your exact compliance requirements can be obtained from your payment brand or acquirer.

General Steps to PCI DSS Compliance

Adhering to the PCI DSS is an on-going process made up of three steps:

  1. Assess

    Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

  2. Remediate

    Fix vulnerabilities and do not store cardholder data unless you need it.

  3. Report

    Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.

The 12 Requirements of PCI DSS Compliance

As of January 1, 2012, all assessments must be conducted against version 2.0 of the standard, which further clarifies the twelve requirements for compliance. The requirements are grouped under six control objectives:

    Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

    Maintain an Information Security Policy

  12. Maintain a policy that addresses information security
