If your business client accepts credit or debit card payments, it is subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements for the safe handling of cardholder data. Complying with PCI DSS can be complicated. To make it a bit easier, here is a checklist that breaks down the twelve general requirements, grouped under the six control objectives the standard uses.
___ Build and maintain a secure network:
__ Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
__ Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
___ Protect cardholder data:
__ Requirement 3: Protect stored cardholder data.
__ Requirement 4: Encrypt transmission of cardholder data across open, public networks.
___ Maintain a vulnerability management program:
__ Requirement 5: Use and regularly update anti-virus software.
__ Requirement 6: Develop and maintain secure systems and applications.
___ Implement strong access control measures:
__ Requirement 7: Restrict access to cardholder data by business need-to-know.
__ Requirement 8: Assign a unique ID to each person with computer access.
__ Requirement 9: Restrict physical access to cardholder data.
___ Regularly monitor and test networks:
__ Requirement 10: Track and monitor all access to network resources and cardholder data.
__ Requirement 11: Regularly test security systems and processes.
___ Maintain an information security policy:
__ Requirement 12: Maintain a policy that addresses information security for employees and contractors.
To be compliant with the PCI DSS, a business must satisfy all twelve of these general requirements. Keep in mind that each headline requirement breaks down into many detailed sub-requirements and testing procedures, so this checklist is a map of the standard, not a substitute for it. To assist in compliance, the PCI Security Standards Council has released a set of risk assessment guidelines (PDF). The PCI Security Standards Council has also issued security guidelines for mobile software developers and manufacturers (PDF), as well as guidance for secure mobile payment acceptance by merchants (PDF).
For more on financial data privacy requirements, turn to CEB’s Privacy Compliance and Litigation in California, chapter 6.
Other CEBblog™ posts you may find interesting:
- Keep It Secure: 7 Crucial Steps to an Information Security Plan
- Huge Settlement in Massive Data Breach, But Will It Help?
- Medical Privacy: the Final Final Rule
© The Regents of the University of California, 2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.