What are the 12 requirements of PCI DSS Compliance?

To achieve PCI DSS compliance, you must meet 12 primary requirements and several secondary requirements. If you fail to meet any one of the primary or secondary standards, your compliance with the standard may be considered insufficient by an assessor and result in a failed PCI audit.

This article lists all 12 of the primary PCI DSS requirements:

1) Install and maintain a firewall configuration to protect cardholder data: All systems must be protected from unauthorized access originating from the Internet by configuring firewalls, routers, and switches to only allow access from authorized IP addresses and block all unauthorized traffic.

2) Do not use vendor-supplied defaults for system passwords and other security parameters: Administrators must replace default passwords with secure ones, because the defaults shipped on systems are well known. Administrators should also ensure that no administrative accounts have obvious names or titles, such as “admin” or “administrator.”

3) Protect stored cardholder data: All systems that store, process, or transmit credit card information need to have reasonable security measures in place to protect the data from unauthorized access by design and by default, including application layer security measures. This requirement does not apply to any system that lacks a network connection.

4) Encrypt transmission of cardholder data across open, public networks: All connections to a merchant or service provider must be encrypted. Public networks are defined as those using the Internet, wireless technologies and unencrypted Frame Relay connections.

5) Use and regularly update anti-virus software on all systems commonly affected by malware: Network nodes, such as workstations and servers, need to have anti-virus protection installed and the virus definitions updated at least weekly.

6) Develop and maintain secure systems and applications: All custom software must adhere to coding standards outlined in PCI DSS Requirement 6.3. The payment application may not be hosted on the merchant’s web site.

7) Restrict access to cardholder data by business need-to-know: Merchants and service providers must ensure that only authorized individuals have access to the systems storing credit card data, and that those who do have access are restricted based on their job function or other restrictions.

8) Assign a unique ID to each person with computer access: This requirement deals with the need to have a unique user ID for each person who can access the company’s systems, which limits damage done if one system is breached.

9) Restrict physical access to cardholder data: Merchants and service providers must secure all systems containing credit card data physically using methods such as locks, passkeys, or guards to protect from theft or tampering.

10) Implement an intrusion detection program: Merchants and service providers must have a program in place to monitor system security on a continuous basis for unauthorized access attempts.

11) Regularly test security systems and processes: All merchants and service providers must use external, independent auditors to conduct regular assessments that validate compliance with the PCI DSS requirements.

12) Maintain a policy that addresses information security for all personnel: All employees must be made aware of the importance of adhering to security policies and procedures and committing to uphold them.

These are essential steps towards meeting the security standards enforced by the PCI-DSS; however, they are not all of the steps that should be taken. Every business will need to implement additional rules and procedures based on its own specific needs.

Many companies have had great success by hiring an outside firm to perform a thorough audit of all access points into their systems. Expert consultants can point out security holes in the business’s infrastructure that are currently unknown to the client.

PCI-DSS is an ongoing process, not a one-time passing grade. Every company must remain educated about their own personal vulnerabilities and how they are affected by changes in technology. PCI-DSS does not provide a set of strict rules that must be followed to the letter. Rather, it is a list of guidelines for businesses to follow to ensure their security and protection from hackers and other criminal activity.
