The Payment Card Industry (PCI) Data Security Standard is a list of rules that define a set of regulations for credit card security over the Internet. It was developed by a group of major credit card companies in order to standardize the way information should be transmitted and what security features merchants and service providers needed to implement in order to bill through these credit companies. The PCI Standard went into effect in 2004.

Prior to the PCI Standard, all credit card companies such as Visa and MasterCard had their own standards of data security. For a merchant or service provider to use a major credit company for billing, it had to conform to several different standards. This became a major hassle for companies trying to keep up with evolving standards, so representatives from several major credit companies, including Visa, MasterCard, American Express, Discover, and JCB, got together and formed the PCI Security Standards Council, which in turn developed the PCI Data Security Standard.

It should be noted that the PCI Standard is not a government regulation – merchants and service providers cannot be held legally accountable to this standard. What can happen, however, are fines and other business-related action for non-compliance. Service providers, such as third-party billing agents, are required to be fully compliant with the PCI Standard because they are responsible for the integrity of client transactions as well as their own. Merchants, on the other hand, process only their own payments and are held to different levels of compliance based on the number of transactions processed per year.

The detailed requirements of the PCI Standard are extensive and precise. The main points are separated into twelve basic requirements, spread over six categories, each requirement having several sub-requirements. The six main categories are summarized below:

Build and Maintain a Secure Network
Appropriate firewall and access control measures must be implemented to secure data transmissions and protect cardholder information. Vendor-supplied defaults for passwords and other security features should not be used, as these are commonly known and often used to penetrate systems.

Protect Cardholder Data
The amount of cardholder data stored should be the minimum needed to do business; for example, truncating the primary account number (PAN) when the full number is not needed, and properly disposing of data once it is no longer needed. In addition, transmission and storage of cardholder data must be encrypted across public networks.

Maintain a Vulnerability Management Program
New viruses and malware are developed every day, and anti-virus software must be kept up to date in order to mitigate these threats. Software applications and systems should be updated with the latest vendor-supplied security patches, and further secured through data input validation and anti-hacking measures.

Implement Strong Access Control Measures
Only employees who require access to data for business-related reasons should be allowed access, and each individual user must be assigned a unique identification. Physical access to the servers where data is stored must be restricted and secured as well, because hardware can easily be stolen, compromised, or otherwise tampered with.

Regularly Monitor and Test Networks
All network activity must be monitored to ensure no unauthorized access occurs. If security holes are found, they must be fixed immediately. Systems and processes should be tested regularly to ensure the security of the network.

Maintain an Information Security Policy
Strict policies regarding information security must be implemented and enforced in order to maintain information security. This includes threat assessments, definition of acceptable equipment use, data backup systems, and incident response and disaster recovery procedures.

The full text of the PCI Standard can be downloaded in Adobe PDF format from the PCI Security Standards Council website.

To find out whether a particular company is compliant with the PCI Standard, anyone can contact one of the five major credit companies directly, or visit Visa's website to view a list of currently compliant companies.
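As an added example (not part of the original article), the following Python routine applies the "Protect Cardholder Data" idea of PAN truncation to application logs: it finds candidate PANs in constructed log lines, confirms each with the Luhn check so that ordinary order or tracking numbers are left alone, and replaces confirmed PANs with a truncated form that keeps only the last four digits. The sample log lines, the last-four rule and the 13 to 19 digit length window are assumptions made for this illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# Heuristic only: an unrelated number directly adjacent to a PAN can merge into
# one candidate and fail Luhn, so run this before, not instead of, storage controls.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str, keep_last: int = 4) -> str:
    """Keep only the last `keep_last` digits (assumed retention rule), mask the rest."""
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> tuple[str, int]:
    """Return the text with Luhn-valid PANs truncated and the number of PANs redacted."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return truncate_pan(digits)
        return match.group(0)   # not a PAN: leave the original text untouched

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed sample log lines; 4111111111111111 is a well-known test PAN.
SAMPLE_LOG = [
    "order=42 pan=4111 1111 1111 1111 amount=19.99",
    "shipment id=1234567890123 status=dispatched",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        cleaned, n = redact_pans(line)
        print(f"[{n} redacted] {cleaned}")
```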