What is the purpose of PCI DSS?
The primary goal of PCI DSS is to safeguard and optimize the security of sensitive cardholder data, such as credit card numbers, expiration dates and security codes. The standard's security controls help businesses minimize the risk of data breaches, fraud and identity theft.
Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.
What are the 6 principles of PCI DSS?
The PCI Security Standards Council (PCI SSC) has created six major goals for PCI DSS:
- Build and maintain a secure network and systems. Credit card transactions must be conducted in a secure network. The security infrastructure should include firewalls that are strong and complex enough to be effective without causing inconvenience to cardholders or vendors. Specialized firewalls are available for wireless local area networks, which are highly vulnerable to eavesdropping and malicious attacks. Vendor-provided authentication data, such as personal identification numbers and passwords, should not be used on an ongoing basis.
- Protect cardholder data. Organizations adhering to PCI DSS must protect cardholder information wherever it's stored. Repositories with vital data, such as birthdates, mothers' maiden names, Social Security numbers, phone numbers and mailing addresses, must be secure. The transmission of cardholder data through public networks must be encrypted.
- Maintain a vulnerability management program. Card services organizations must institute risk assessment and vulnerability management programs that protect their systems from the activities of malicious hackers, such as spyware and malware. All applications should be free of bugs and vulnerabilities that might enable exploits in which cardholder data could be stolen or altered. Software and operating systems must be regularly updated and patched.
- Implement strong access control measures. Access to system information and operations should be restricted and controlled. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically, as well as electronically. Physical protection can include the use of document shredders, limits on document duplication, locks on dumpsters and security measures at the point of sale.
- Regularly monitor and test networks. Networks must be regularly monitored and tested to ensure security measures are in place, functioning properly and up to date. For example, antivirus and antispyware programs should be provided with the latest definitions and signatures. These programs frequently scan all exchanged data, applications, RAM and storage media.
- Maintain an information security policy. A formal information security policy must be defined, maintained and followed by all participating entities. Enforcement measures, such as audits and penalties for noncompliance, might be necessary.
What are the requirements of PCI DSS?
PCI SSC includes specific requirements in each of the six PCI DSS goals. Organizations that want to be PCI DSS-compliant must meet these 12 requirements:
- Install and maintain a firewall to protect cardholder data environments.
- Don't use vendor-supplied default passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt payment card data transmitted across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data to employees with a business need because their jobs require access..
