12 Requirements of PCI Data Security Standards
Cardholder data theft has become an issue all merchants must face. As a result of several high-profile incidents over the past few years (e.g., CardSystems and TJX), the card associations (Visa, MasterCard, American Express, Discover) were forced to devise data security standards for merchants that process transactions through their networks. The PCI Data Security Standards (PCI DSS for short) were promulgated in September 2006 and represent a combined effort of all the major card brands to provide uniform data security standards and requirements. PCI DSS affects any merchant that stores, processes, or transmits cardholder data. That means ALL merchants are affected.
So how do you comply? The first step is to develop written policies, procedures, and protocols that address the 12 core requirements of PCI DSS, and then to validate your compliance according to the merchant category you fall into.
The 12 core requirements of PCI DSS are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes, and
12. Maintain a policy that addresses information security
Some of these requirements will have to be satisfied for you by your web hosting company, and others by your shopping cart vendor.