Payment card industry (PCI) compliance is adherence to a set of specific security standards that were developed to protect card information during and after a financial transaction. PCI compliance is required by all card brands.
There are six main requirements for PCI compliance. The vendor must:
1. Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
4. Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an information security policy
- Maintain a policy that addresses information security.
Learn why looking at PCI compliance as a checkbox project is not a good idea.