The Payment Card Industry Data Security Standard (PCI DSS) is a standard set up by the major credit card companies to help protect against security threats when payment cards are processed. The major credit card companies formed the PCI Security Standards Council to create a set of minimum standards for merchants who store, process and transmit cardholder data. A number of high-profile breaches of cardholder information at the merchant level inspired the implementation of the PCI DSS. Now, merchants of all sizes are required to be PCI compliant in order to handle payment card transactions. The different payment brands all enforce the standards. The standards (version 1.1) are broken up into 6 principles and requirements for achieving each principle:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

The object of the PCI Data Security Standard is to compel merchants to implement the necessary measures to protect cardholder information from hackers and con artists. That way, cardholders do not have to worry that when they pay for something in a retail store or online they may be inadvertently supplying con artists with the information they need to steal their identities and bring devastation to their credit report. Obtaining PCI compliance is not always easy for small merchants, but establishing and enforcing these standards can help prevent some identity theft horror stories.

PCI compliance is assessed on an annual basis. Small companies can self-assess their compliance through a questionnaire and provide supporting documentation to their acquiring bank. Larger companies that handle more cardholder transactions are evaluated by Qualified Security Assessors (QSAs). Updates to the standards are issued periodically as criminals become more cunning and more ways to protect consumers are discovered.

In order to obtain PCI compliance through self-assessment, a merchant must have a PCI SSC Approved Scanning Vendor (ASV) perform a vulnerability scan and provide evidence of a passing report. HackerGuardian from Comodo provides several levels of PCI Scan Compliancy for merchants of all sizes. A PCI Free Scan Compliancy is also offered. The various services are differentiated by how many scans can be performed on how many IP addresses, as well as by the additional features available in the upgraded services. Comodo's Painless PCI program guides you through the compliance process using a free web-based wizard that takes you through each step. This program takes all of the guesswork out of getting your business to be PCI compliant.