
What PCI Means

The official set of guidelines and practices known as the Payment Card Industry Data Security Standard began as a series of standards and practices for securing credit card data, offered individually by the credit card companies. The participating credit card companies included Visa, MasterCard, Discover, American Express and JCB. Each had its own interpretation of security and its own recommended guidelines for keeping cardholder information from being compromised.

In December 2004 these companies finalized the unification of their individual programs into one comprehensive standard, the PCI-DSS. This industry-wide standard ensures that providers and payment processors meet minimum standards for securing and protecting cardholder data.

As defined on the official PCI-DSS website, the requirements that must be adhered to in order to achieve full PCI Compliance are:

Build & Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor & Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Quarterly Scans & Annual On-Site Audits

In order to be PCI Compliant, a company must submit to quarterly scans of its networks and undergo annual on-site audits by independent Qualified Security Assessors to demonstrate compliance with all aspects of the PCI-DSS. Some companies will claim PCI Compliance just by having quarterly scans. This is not the highest level of PCI Compliance, and without independent validation, actual compliance cannot be guaranteed.