
PCI


Companies handling sensitive customer financial data are obligated to take measures to protect their customers. PCI DSS is a set of regulations covering the protection of customer personal and financial data.
Vanadium, with its automated approach, enables companies in the credit card payment industry to meet the regulation's requirements quickly and affordably.


Overview

PCI DSS (Payment Card Industry Data Security Standard) was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments. Merchants and service providers must validate compliance with an audit by a PCI DSS Qualified Security Assessor (QSA) Company.


Requirements

The current version of the standard (1.1) specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives."


The control objectives and their requirements are:

1. Build and Maintain a Secure Network

a. Requirement 1: Install and maintain a firewall configuration to protect cardholder data;

b. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2. Protect Cardholder Data

a. Requirement 3: Protect stored cardholder data;

b. Requirement 4: Encrypt transmission of cardholder data across open, public networks.

3. Maintain a Vulnerability Management Program

a. Requirement 5: Use and regularly update anti-virus software;

b. Requirement 6: Develop and maintain secure systems and applications.

4. Implement Strong Access Control Measures

a. Requirement 7: Restrict access to cardholder data by business need-to-know;

b. Requirement 8: Assign a unique ID to each person with computer access;

c. Requirement 9: Restrict physical access to cardholder data.

5. Regularly Monitor and Test Networks

a. Requirement 10: Track and monitor all access to network resources and cardholder data;

b. Requirement 11: Regularly test security systems and processes.

6. Maintain an Information Security Policy

a. Requirement 12: Maintain a policy that addresses information security.


Background

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council was formed, and on the 15th of December 2004, these companies aligned their individual policies and created the Payment Card Industry Data Security Standard.

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0.

Mandates to be implemented by 2010 call for "new merchants that want to be authorized for payment card transactions will have to be using only PABP-validated applications." These new mandates will help companies achieve Payment Application Best Practice (PABP) compliance, an implementation of PCI DSS in vendor software.
