The Payment Card Industry Data Security Standard (PCI-DSS) is a set of 12 requirements established by the major credit card companies to protect cardholder data. It was created to ensure that companies that process, store, or transmit credit card information use secure systems and processes.
If you are a business that processes credit cards, you must comply with PCI-DSS standards in order to accept card payments. Here are the 12 requirements of the standard:
1. Install and Maintain a Firewall
A firewall is a system that monitors incoming and outgoing network traffic and blocks malicious activity. It is important to install a firewall and keep it updated in order to protect your network from cyber-attacks.
2. Protect Cardholder Data
Cardholder data must be encrypted and securely stored. Access to the data must be restricted to only those with legitimate business needs.
3. Maintain a Vulnerability Management Program
Businesses must regularly scan their networks for any vulnerabilities and patch them immediately.
4. Establish Strong Access Control Measures
Strong access control measures must be in place to ensure that only authorised individuals can access cardholder data. This includes user authentication, access control systems, and physical security.
5. Monitor and Test Networks
Businesses must regularly monitor and test their networks to identify any potential security issues.
6. Maintain an Information Security Policy
Businesses must have an information security policy that outlines the processes and procedures to protect cardholder data.
7. Implement Regularly Scheduled Assessments
Businesses must conduct regular assessments to ensure that their security systems are effective and up to date.
8. Restrict Access to Cardholder Data
Businesses must restrict access to cardholder data to only those with legitimate business needs.
9. Identify and Authenticate Access to Cardholder Data
Businesses must use two-factor authentication for any user who has access to cardholder data.
10. Restrict Physical Access
Businesses must ensure that cardholder data is physically secure: physical access to the systems and media that hold the data must be restricted to those with a legitimate business need.
11. Maintain a Logging and Monitoring Program
Businesses must keep accurate logs of all user activity related to cardholder data. This includes the time of access, the user who accessed the data, and the action taken.
12. Regularly Test Security Systems
Businesses must regularly test their security systems to ensure that they are working properly and that no unauthorised access is taking place.
Following the 12 requirements of the PCI-DSS standard is essential for businesses that process credit cards. It is important to ensure that cardholder data is always protected and secure.