
Checklist for Businesses that Handle Credit/Debit Cards

If your business client accepts credit or debit card payments, it’s subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements, maintained by the card brands’ PCI Security Standards Council, for the safe handling of cardholder data. Complying with PCI DSS requirements can be very complicated. To make it a bit easier, here’s a checklist that breaks down the twelve general requirements.

___ Build and maintain a secure network:

__ Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

__ Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

___ Protect cardholder data:

__ Requirement 3: Protect stored cardholder data.

__ Requirement 4: Encrypt transmission of cardholder data across open, public networks.

___ Maintain a vulnerability management program:

__ Requirement 5: Protect all systems against malware and regularly update anti-virus software.

__ Requirement 6: Develop and maintain secure systems and applications.

___ Implement strong access control measures:

__ Requirement 7: Restrict access to cardholder data by business need-to-know.

__ Requirement 8: Identify and authenticate access to system components, with a unique ID for each person with computer access.

__ Requirement 9: Restrict physical access to cardholder data.

___ Regularly monitor and test networks:

__ Requirement 10: Track and monitor all access to network resources and cardholder data.

__ Requirement 11: Regularly test security systems and processes.

___ Maintain an information security policy:

__ Requirement 12: Maintain a policy that addresses information security for all personnel, including employees and contractors.

To be compliant with the PCI DSS, a business must satisfy all of these general requirements. How compliance is validated (a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor) depends on the merchant level the card brands assign based on transaction volume, so confirm the client’s level with its acquiring bank. To assist in compliance, the PCI Security Standards Council has released a set of risk assessment guidelines (PDF). The PCI Security Standards Council has also promulgated security guidelines for mobile software developers and manufacturers (PDF), as well as guidance for secure mobile payment acceptance by merchants (PDF).
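Requirement 3 (protect stored cardholder data) is the one merchants most often fail by accident: a full card number ends up in an application log or error message, and the log is then kept on disk. The following is an added example, not code from the CEB post or from the PCI Security Standards Council, that scans text for probable primary account numbers (PANs) and masks them before the text is stored, following the PCI DSS v3.x display rule that at most the first six and last four digits may remain visible. The log lines, the candidate-number grammar, and the function names are constructed for illustration.

```python
"""
Added example (not from the CEB post): detect probable primary account
numbers (PANs) in free text such as application logs and mask them before
the text is written to disk.  PCI DSS Requirement 3 forbids storing the
full PAN in the clear; masking here follows the v3.x display rule
(Requirement 3.3): at most the first six and last four digits stay visible.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.  The separator grammar is kept
# narrow on purpose (an assumption); widen it only after looking at the
# log formats actually in use.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN in place, preserving any separators.

    Keeps at most the first six and last four digits (PCI DSS 3.3 maximum);
    callers may pass smaller keep_* values, never larger ones.
    """
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS 3.3 allows at most first 6 / last 4 visible")
    digit_positions = [i for i, c in enumerate(pan) if c.isdigit()]
    out = list(pan)
    for k in range(keep_first, len(digit_positions) - keep_last):
        out[digit_positions[k]] = "*"
    return "".join(out)


def scrub_text(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in text with its masked form.

    Luhn passes one in ten random digit strings, so an order or tracking
    number will occasionally be masked too: treat hits as 'probable PAN',
    and prefer fixing the code that logged the PAN over relying on this.
    """
    def _replace(m):
        candidate = m.group(0)
        digits = "".join(c for c in candidate if c.isdigit())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(candidate)
        return candidate
    return PAN_CANDIDATE.sub(_replace, text)


def scrub_log(lines):
    """Scrub a sequence of log lines; returns a new list."""
    return [scrub_text(line) for line in lines]


# Constructed sample log lines (industry test PANs, not real cards).
SAMPLE_LOG = [
    "2015-03-02 14:05:11 INFO  checkout order=1234567890123456 amount=19.99",
    "2015-03-02 14:05:12 ERROR gateway timeout body={card:4111 1111 1111 1111,exp:0418}",
    "2015-03-02 14:05:13 DEBUG retry pan=5555555555554444 cvv=*** result=declined",
]


if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

The order number on the first line is left alone because it fails the Luhn check; the formatted card number on the second line becomes `4111 11** **** 1111` with its spacing intact; the bare PAN on the third line becomes `555555******4444`. Note the two limits the comments call out: the Luhn check is a filter, not proof, and a scrubber like this is a safety net for Requirement 3, not a substitute for keeping PANs out of logs in the first place.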

For more on financial data privacy requirements, turn to CEB’s Privacy Compliance and Litigation in California, chap 6.


© The Regents of the University of California, 2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.
