The Requirements for PCI Compliance
The Payment Card Industry Data Security Standard (PCI-DSS, or PCI for short) is a set of compliance requirements adopted by major financial institutions such as VISA, Mastercard, American Express and Discover. These requirements govern companies that manage or store customer-identifiable data, such as credit card, bank account and Social Security numbers.
What are the Compliance Requirements?
PCI-DSS is broken into 12 requirements that govern everything from network configuration and segmentation, password and anti-virus policies, and encryption to the company's software development lifecycle, if it develops applications in-house.
Build and Maintain a Secure Network
The first two requirements deal with a company's firewall configuration and with changing vendor-supplied defaults, such as default passwords, on the software the company uses.
Protect Cardholder Data
Requirements three and four deal with encrypting data where it is stored and encrypting data while it is being transmitted. These are critical requirements and are usually scrutinized by PCI auditors. You need to make sure you have a good encryption policy to cover these two requirements.
Maintain a Vulnerability Management Program
Requirements five and six deal with anti-virus maintenance and software development. For the former, you'll need an anti-virus policy, which isn't usually long and can be rolled into the security policy required by requirement 12. Requirement six is one of the biggest sections of the PCI-DSS audit, and you should have a documented software development lifecycle to satisfy it. Requirement 6.6 also concerns penetration testing of web applications, which the PCI auditor will need to do before issuing a compliance certificate. There are tools, such as Hailstorm or AppScan, that should satisfy this requirement.
Implement Strong Access Control Measures
Requirements seven through nine deal with limiting access to cardholder data to only those with a need-to-know, assigning a unique identifier to each person with access to cardholder data, and restricting physical access to the data center where cardholder information is stored. Some companies are able to satisfy requirement nine by having a PCI-compliant managed hosting provider store the data for them.
Regularly Monitor and Test Networks
Requirements 10 and 11 deal with logging network access to the cardholder data environment and with maintaining a regular testing schedule for all systems and processes.
Maintain an Information Security Policy
Requirement 12 concerns the security policy, which can and should encompass all of the other 11 requirements of PCI-DSS. This is the biggest piece of documentation that needs to be produced and it's helpful to hire a professional technical writer to do this.