There are 12 requirements of all organizations that process, store or transmit credit card data. All of them are common sense security measures that focus on attention to detail and risk management.
1. Install and
maintain a firewall configuration to protect cardholder data.
Have a firewall configuration policy that protects
cardholder data and build a plan for testing it.
2. Do not use vendor-supplied defaults for
system passwords and other security parameters.
3. Protect stored
This means not storing full credit card numbers anywhere –
even outside of your computer system.
transmission of cardholder data and sensitive information across open, public
The breaches you’ve heard about recently to several large
retailers occurred because they were not using point-to-point encrypted
5. Use and regularly
update anti-virus software or programs.
Malicious software, commonly referred to as “malware”,
refers to viruses, worms, and Trojans. They enter a network during many
business-approved activities including employee e-mail and use of the Internet,
mobile computers, and storage devices. Anti-virus software must be used on all
systems commonly affected by malware, and the anti-virus software needs to be
updated regularly to avoid attack by new forms of malicious software.
6. Develop and
maintain secure systems and applications.
Keep up to date with new security vulnerabilities that may
impact your environment. Sources for information often include vendor websites,
industry news groups, and mailing lists. Once you identify a vulnerability that
could affect your environment, evaluate and rank the risk imposed by that
vulnerability. This will allow you to prioritize and address the highest risk
items more quickly and reduce the likelihood that vulnerabilities posing the
greatest risk will be exploited.
7. Restrict access to
cardholder data by business need-to-know.
Have systems and processes in place to limit access based on
need to know and according to job responsibilities. “Need to know” is when
access rights are granted to only the least amount of data and privileges needed
to perform a job.
8. Assign a unique ID
to each person with computer access.
Assigning a unique ID to each person ensures that each
individual is uniquely accountable for their actions. This allows you to trace
actions taken on critical data and systems to known and authorized users and
processes. This requirement applies to all accounts, including point-of-sale
accounts, all accounts used to view or access cardholder data or to access
systems with cardholder data, and accounts used by vendors and other third
parties (for example, for support or maintenance).
9. Restrict physical
access to cardholder data.
Physical access to data or systems that store cardholder
data provides the opportunity for individuals to remove systems, electronic
media or hard copies containing cardholder data, and should be appropriately
restricted. This applies to full-time and part-time employees, temporary
employees, contractors and consultants who are physically present on the
premises. It also applies to a vendor, guest, service workers, or anyone who
needs to enter the facility for a short duration.
10. Track and monitor
all access to network resources and cardholder data.
Logging and the ability to track user activities are
critical in preventing, detecting, or minimizing the impact of a data
compromise. The presence of logs in all environments allows thorough tracking,
alerting, and analysis when something does go wrong. Determining the cause of a
compromise is very difficult, if not impossible, without system activity logs.
This requirement means that you must restrict access to the logs (to prevent
altering them), and the logs must be reviewed regularly.
11. Regularly test
security systems and processes.
Malicious individuals continually discover vulnerabilities
that can be introduced by new software. System components, processes, and
custom software should be tested frequently to ensure security controls
continue to reflect a changing environment. You should have policies and
procedures to detect and identify both authorized and unauthorized wireless
access points. Unauthorized wireless devices may be hidden within or attached
to a computer or other system component, or be attached directly to a network
port or device, such as a switch or router. Such unauthorized devices could
result in an unauthorized access point into the environment.
12. Maintain a policy
that addresses information security for employees and contractors.
A strong security policy sets the security tone for the
whole company and informs personnel what is expected of them. PCI training is a
must. You should have a formal training program on what they have to do to
ensure they are handling credit card data in a manner that supports the PCI
requirements. The training program should apply to full-time and part-time
employees, temporary employees, contractors and consultants who are “resident”
at the company’s site or who otherwise have access to the cardholder data
Copyright Jenkins Business Forms. All Rights Reserved. eCommerce Software by 3dcart.