Tuesday, June 1, 2010

PCI DSS Overview

The Payment Card Industry (PCI) Security Standards Council was established in 2005 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. The primary goal of this council is to protect cardholder information.

The PCI Security Standards Council then created the PCI Data Security Standard (PCI DSS), which defined what the industry is required to do. PCI DSS defines six goals and 12 corresponding requirements that all businesses, regardless of size, must adhere to when accepting payment cards.

Let's first take a look at an overview of the six goals:

Goal #1: Build and maintain a secure network. If your system has internet access, install and maintain a secure firewall. It is also important to create your own system passwords rather than using those supplied by the vendor. In addition, remember to frequently review your security parameters to ensure cardholder data has maximum protection.

Goal #2: Protect cardholder data. Protect any stored data, using passwords wherever possible. Cardholder data must also be encrypted when transmitted across open, public networks.

Goal #3: Maintain a vulnerability management program. Use anti-virus software and be sure that it is regularly updated. Many anti-virus software programs can be set up to automatically remind you to do this periodically. Develop and maintain secure systems and applications.

Goal #4: Implement strong access control measures. Restrict access to cardholder data to a business need-to-know basis. Assign a unique ID to each person with computer access and require them to log in for computer use. Restrict physical access to cardholder data, such as imprint receipts, by placing them in a locked drawer or file cabinet.

Goal #5: Regularly monitor and test networks. Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.

Goal #6: Maintain an information security policy. Create a company policy that protects information and ensures confidentiality, integrity and availability.