The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of security standards created by the credit card companies (Visa International, Mastercard, Discover Financial Services, JCB, and American Express) to protect the sensitive customer data that you may hold in your online databases.
The PCI standard asks merchants and service providers to meet minimum standards of security when storing, processing and transmitting this customer data. This is also known as PCI compliance.
Penalties for PCI non-compliance vary among the major credit card networks and can be substantial. For example, companies can be barred from processing credit card transactions, can incur higher processing fees, and can even be fined heavily (e.g., up to $500,000).
What Must You Do to be PCI Compliant?
PCI compliance requires annual and/or quarterly assessments, depending on the nature of your business and the volume of transactions that you process. The standard sets out a number of minimum requirements, grouped into six categories:
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
These requirements mean that merchants and companies need to maintain a portfolio of products to help them report on each category and ensure PCI compliance. No single product covers compliance reporting in all areas.
Acunetix WVS and Acunetix SiteAudit will help you with Requirement 6 – developing and maintaining secure systems and applications. To read more about PCI compliance, read our white paper.