PCI DSS compliance refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS), which is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by major card brands. The PCI DSS has 12 requirements, which include:
- Install and maintain a firewall system to protect cardholder data.
- Avoid vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
PCI DSS compliance validation is the evaluation and confirmation that the required security controls and procedures have been implemented in accordance with the PCI DSS. A PCI DSS assessment involves several roles, including the assessor, the Qualified Security Assessor (QSA), and the Internal Security Assessor (ISA). PCI DSS compliance is not easy, but the benefits are worth it.