Identity theft and data security have become worldwide concerns for both consumers and businesses. The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including Visa® Inc., MasterCard® Worldwide, American Express®, Discover® Financial Services and JCB International to facilitate the broad adoption of consistent data security measures on a global basis.
All merchants, whether small or large, that process, store or transmit cardholder data must adhere to the following requirements for PCI DSS compliance:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data.
- Avoid using vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored data.
- Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly Monitor and Test
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security.
Some of the standards above may not be applicable to all processing environments.
PCI DSS compliance does not guarantee that a security breach will never occur, but it greatly reduces the likelihood of a successful breach. If your business is validated as compliant at the time of a breach, the payment networks may grant you safe harbor from fines.