PCI Data Security Standard

Personal and financial data entrusted to retailers, banks, service providers, and credit card companies is at even greater risk of theft or abuse. As a result of major data security breaches, the payment card industry developed separate security initiatives which they required member institutions to adopt.

In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International formed an independent council, the PCI Security Standards Council (PCI SSC). The PCI SSC has the mission to enhance payment account data security by fostering the broad adoption of the Payment Card Industry Data Security Standard (PCI DSS) which is a unified and comprehensive data security standard.

PCI DSS

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software.
Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.

Maintain an Information Security Policy

Maintain a policy that addresses information security.

Version 1.1 of the PCI DSS was released in September, 2006 and defines 6 control objectives made up of 12 requirements that establish common processes and precautions for handling, processing, storing, and transmitting credit card data.