PCI compliance refers to a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands, and it is administered by the Payment Card Industry Security Standards Council. The PCI DSS has 12 requirements that must be met to achieve compliance, including:
- Install and maintain a firewall system to protect cardholder data.
- Avoid vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
PCI compliance is an ongoing process that must be validated annually. Compliance is mandated by credit card companies and discussed in credit card network agreements. Achieving PCI compliance helps prevent security breaches and payment card data theft.
