
What are the 12 requirements of PCI DSS Compliance?

The 12 requirements of PCI DSS compliance are the rules that merchants and service providers must follow in order to safeguard payment data. The main goal of these rules is to ensure that companies keep customer information secure, even in the event of a security breach, by protecting cardholder data at every step.
In short, the PCI DSS requirements state that all companies that store, process or transmit credit card information must secure their systems against data breaches. Here is a quick summary of each requirement:

  1. Install and maintain a firewall configuration to protect cardholder data

The first PCI DSS compliance requirement is to install and maintain a firewall configuration to protect cardholder data. For example, cardholder data must be blocked from unauthorized internal and external access, such as WiFi networks.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

The second PCI compliance requirement is to secure all individual systems that store, process or transmit cardholder data against any unauthorized access – whether it's a default password or a vulnerability.

  3. Protect stored cardholder data

The third PCI compliance requirement mandates that you should protect all stored cardholder data. While this one may seem obvious, it's critical to know what constitutes stored cardholder data because deleting credit card information from a hard drive is often not enough – the information could have been stolen well before then.

  4. Encrypt transmission of cardholder data across open, public networks

The fourth PCI compliance requirement is to encrypt transmission of cardholder data over any open, public network using strong cryptography. The key here is that the encryption and decryption process must not be made visible to the public (you should use a private key).

  5. Use and regularly update anti-virus software

The fifth PCI DSS requirement states that you must use and maintain an antivirus program on all systems commonly affected by malware – especially POS terminals. The program must be capable of detecting malicious activity associated with known types of malware, as well as any zero-day attacks that have not yet been identified.

  6. Develop and maintain secure systems and applications

The sixth PCI compliance requirement is to develop and maintain all system components (software, system architecture, etc.) according to security specifications that you document, including any third-party products that are integrated into your network. This means using secure coding techniques, reducing the number of unnecessary functions in custom-developed software, and so on.

  7. Restrict access to cardholder data by business need-to-know

The seventh PCI requirement mandates that you should limit access to any system component or cardholder data to only those who really need it. This rule applies to physical devices as well as virtual ones (servers).

  8. Assign a unique ID to each person with computer access

The eighth PCI compliance requirement is to assign a unique ID to all personnel who have computer access, both temporary and permanent. Each ID should be verified before it is granted full privileges on your systems.

  9. Restrict physical access to cardholder data

The ninth PCI compliance rule states that you must limit physical access to your cardholder data environment (your office) according to need. This means having secure locks on all doors, alarm systems and cameras, as well as limiting employee access during non-business hours.

  10. Track and monitor all access to network resources and cardholder data

The tenth PCI requirement is to track and monitor all access to network resources and cardholder data. This includes keeping audit trails for at least six months, as well as protecting these logs from unauthorized deletion.
The PCI Security Standards Council also mentions the following six best practices every company should follow:

  1. Perform a periodic risk assessment of your payment system
  2. Use and maintain a firewall configuration to protect cardholder data
  3. Develop and maintain secure systems and applications
  4. Restrict access to cardholder data by business need-to-know
  5. Assign a unique ID to each person with computer access
  6. Track and monitor all access to network resources and cardholder data

Finally, keep in mind that PCI DSS compliance does not cover every aspect of cyber security. In fact, Visa itself encourages merchants to follow "the spirit" of the PCI requirements to keep their information secure.