Payment Card Industry (PCI) Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
Is PCI a law? No. It is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). Enforcement of compliance is done by organizations processing transactions (i.e. Visa, Mastercard, American Express etc.).
PCI DSS Requirements (Wikipedia)
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Resources:
- PCI Security Standards Council
- PCI DSS Requirements (Wikipedia)