PCI DSS is a comprehensive standards framework defined by the Payment Card Industry Security Standards Council to protect the security pf payment card data security. PCI DSS activities include formal definition of prevention, detection and incident response protocols and controls.
Merchants who process payment cards must self-assess and attest that their information security environment conforms to the requirements of the standard. Merchants are subject to quarterly external technical scans by a Qualified Security Assessor (QSA), as well as an annual validation of adherence to the standard.
At a high level, the major requirements of PCI DSS include:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Any organization that processes, stores or transmits credit card information is expected to conform to the standard.
Do you need help with a strategy to comply with PCI-DSS? CyberSafe 360 can help.