What is PCI-DSS?
The payment card industry data security standard (simply known as PCI-DSS) is a set of regulations formed by major payment card brands (such as VISA, MasterCard, AmEx, Discover, etc.). There are 12 general security requirements, and sub requirements within each, that every merchant that receives payment card information needs to follow. There are 4 levels of compliance – which level you have to comply with depends on the number of transactions per year your organization processes. The 12 main PCI-DSS requirements are below:
Do I have to comply with PCI-DSS?
Pick a payment provider that handles payments securely and complies with level 1 PCI-DSS standards. If you handle the payments and transmit/store any data, you have standards to consider complying with under PCI-DSS.
What if I don't meet PCI compliance?
Being out of compliance can lead to serious security events that could cost your organization valuable client data, and have serious financial implications (both fines and loss of revenue). To avoid the risk of data breaches that could highly damage your brand – comply with these regulations.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or program
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel