The 12 Requirements of PCI DSS
In the ever-evolving digital landscape, securing payment information has become a point of concern and priority worldwide. To address this critical issue, the Payment Card Industry Data Security Standard (PCI DSS) was established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies: Visa, MasterCard, American Express, Discover, and JCB.
If your business accepts, stores, processes, or transmits cardholder data – regardless of transaction amount and volume – then you’re expected to comply with PCI DSS. The guidelines ensure that a minimum set of security requirements are met in order to protect cardholder data and accommodate emerging payment methods.
To ensure a better understanding of the regulations and help merchants avoid being in violation of the PCI DSS, we have laid out the regulations in the chart below. This chart is your gateway to a deeper understanding of the PCI DSS regulations and the function of each protective regulation.
Regulation Function | Regulation |
Build and Maintain a Secure Network and Systems |
1) Install and maintain a firewall configuration to protect cardholder data. Properly configure a firewall to restrict incoming and outgoing network traffic through rules and criteria configured by your organization. 2) Do not use vendor-supplied defaults for system passwords and other security parameters. Use unique settings since default settings are simple to guess and may even be published online. |
Protect Cardholder Data |
3) Protect stored cardholder data. Ensure all card data is either encrypted using industry-accepted algorithms, truncated, tokenized, or hashed. 4) Encrypt transmission of cardholder data across open, public networks. Always know where card data is sent from and where card data will be received. |
Maintain a Vulnerability Management Program |
5) Use and regularly update anti-virus software or programs. Ensure all systems and devices that staff may use to access the system, both locally and remotely, have an anti-virus software installed on them. 6) Develop and maintain secure systems and applications. Deploy critical patches in a timely manner. |
Implement Strong Access Control Measures |
7) Restrict access to cardholder data on a need-to-know basis. Implement the ability to allow or deny access to cardholder data systems. 8) Assign a unique ID to each person with computer access. Do not use shared or group usernames and passwords. 9) Restrict physical access to cardholder data. Implement video cameras and electronic access to monitor entry and exit doors of physical locations, such as a data center. |
Regularly Monitor and Test Networks |
10) Track and monitor all access to network resources and cardholder data. Ensure all the systems have correct audit policy set and send the logs to centralized syslog server. These logs must be reviewed at least daily to look for anomalies and suspicious activity. 11) Regularly test security systems and processes. Test regularly to ensure security is maintained. |
Maintain an Information Security Policy |
12) Maintain a policy that addresses information security for all personnel. Implement and maintain an information security policy for staff and other relevant parties. Ensure users read and acknowledge the policy yearly. |
While staying compliant may seem dauting, the right vendor can help offload some of the responsibility. Check out this post to learn common ways businesses are in violation and ways vendors like Sertifi can help you stay compliant.
RECOMMENDED GUIDE
Unlock PCI Compliance Mastery
If you’d like to learn more about PCI compliance and how Sertifi can keep your customer’s credit card information secure, take a look at our Hotel PCI Compliance Guide.