What is PCI Compliance
PCI compliance refers to the PCI DSS, which stands for Payment Card Industry Data Security Standard. It is a set of requirements to make sure that all companies that process, store and transmit credit card information maintain a secure environment. The PCI Security Standards Council (PCI SSC), created by Visa, Mastercard, JCB, Amex and Discover, manages the PCI DSS. PCI DSS was launched on September 7, 2006.
Requirements for PCI Compliance
1. Firewalls
A firewall blocks unauthorized attempts to reach private data. It is the first line of defence against hackers.
2. Password Protections
All devices and software are required to be password protected. Basic precautions and configurations, such as changing the password every month, should also be enforced.
3. Cardholder Data Protection
Cardholder data must be encrypted using encryption algorithms. The encryption keys used for this must themselves be encrypted for PCI compliance. Maintenance and scanning for Primary Account Numbers (PANs) should be done regularly to ensure all data are encrypted.
4. Encrypt Transmitted Data
Cardholder data is sent across different channels, and it should be encrypted whenever it is sent to these known locations to protect the data. No data should be sent to unknown locations.
5. Antivirus
Antivirus software is required on all devices that interact with or store the primary account number, and it needs to be updated regularly.
6. Software Update
All software on devices that interact with cardholder data should be updated regularly.
7. Restrict Data Access
Access to sensitive data should be well documented, updated regularly, and kept from parties that do not need it.
8. Unique ID Access
Logins to encrypted data should be unique to each user, not duplicated or shared.
9. Restrict Physical Access
Cardholder data must be physically kept in a secure location, and access to it should be limited.
10. Create and Maintain Access Logs
Log entries for all cardholder data activities need to be created and maintained.
11. Scan and Test for Vulnerabilities
Regular scans and vulnerability tests should be conducted to eliminate threats or errors.
12. Document Policies
An inventory of the equipment, software and employees that have access to cardholder data needs to be documented for compliance.