All U.S. merchants must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which is designed to keep sensitive bank card information safe. In fact, all entities that store, process, or transmit cardholder information must be PCI compliant, although PCI DSS audits are only required for some merchant types.
The PCI DSS consists of twelve basic requirements, which I will review in this article.
12 Basic Requirements for Keeping Credit Card Data Safe
All financial organizations, merchants and service providers that handle payment card information must adhere to the twelve basic PCI DSS requirements, which are listed in the table below.
PCI Data Security Standard

| Control Objective | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. |
| | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software. |
| | 6. Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. |
| | 8. Assign a unique ID to each person with computer access. |
| | 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. |
| | 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security. |
Additional Merchant Data Security Requirements
All merchants that store, process or transmit bank card information are required to:
- Keep all storage devices containing card account numbers — whether on paper or electronically — in a secure area accessible only to selected personnel. When handling paper receipts, merchants should take great care during the storage or transfer of this information. Merchants should at all times:
  - Provide the drafts to their processor.
  - Destroy all copies of the drafts that are not delivered to the processor.
  - Make all card data unreadable, both in storage and before discarding.
- Never store full-track, magnetic-stripe, CVV2, and chip data after receiving the transaction authorization response. Merchants can retain the cardholder name, account number and expiration date, but storage of all other data is strictly prohibited.
- Use payment applications that are compliant with the PCI Payment Application Data Security Standard (PA-DSS). A list of validated payment applications can be found at www.pcissc.org.
- Know your liability. Your merchant agreement may contain provisions that hold your business liable for losses resulting from compromised card data if your organization (or your third party processor, if applicable) lacks adequate data security. Make sure that you read the agreement carefully and understand your liabilities.
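As an added example (not code from the original article), here is how the retention rule above, keep only the cardholder name, account number and expiry, drop track, CVV2 and chip data, and make the stored number unreadable, can be enforced when an authorization record is written to storage, together with an audit check that flags records violating it. The field names, the sample authorization record and the demo key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Sensitive authentication data that must never be stored after the authorization response.
PROHIBITED_FIELDS = {"track1", "track2", "full_track", "magnetic_stripe", "cvv2", "chip_data"}
# Card data a merchant may retain (the PAN is retained only in masked/tokenized form).
RETAINABLE_FIELDS = {"cardholder_name", "pan", "expiry"}

# Constructed sample record, as it might arrive from the authorization step (hypothetical field names).
SAMPLE_AUTH = {
    "cardholder_name": "A. Example",
    "pan": "4111 1111 1111 1111",   # well-known test number, not a real account
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121010000000000000",
}
DEMO_KEY = b"placeholder-key-replace-in-production"  # placeholder HMAC key

def luhn_ok(digits):
    """Luhn check used to recognise PAN-like digit strings during the audit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Render the PAN unreadable: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return "X" * (len(digits) - 4) + digits[-4:]

def pan_token(pan, key):
    """Keyed hash of the PAN so later transactions can be matched without storing the PAN."""
    return hmac.new(key, re.sub(r"\D", "", pan).encode(), hashlib.sha256).hexdigest()

def sanitize_for_storage(auth_record, key):
    """Return the only record that may be written to disk after authorization."""
    stored = {}
    for field, value in auth_record.items():
        if field == "pan":
            stored["pan_masked"] = mask_pan(value)
            stored["pan_token"] = pan_token(value, key)
        elif field in RETAINABLE_FIELDS:
            stored[field] = value
        # prohibited fields and anything not on the allowlist are dropped
    return stored

def find_prohibited(stored_record):
    """Audit check: report prohibited fields and any unmasked, Luhn-valid PAN in a stored record."""
    problems = [f for f in stored_record if f in PROHIBITED_FIELDS]
    for field, value in stored_record.items():
        digits = re.sub(r"[ -]", "", str(value))
        if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
            problems.append("unmasked PAN in " + field)
    return problems
```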
The PCI DSS is a work in progress, and your processor will periodically send you updates on the latest changes to the standard. Do not ignore these communications; adjust your data security procedures accordingly to ensure compliance, even if what you are asked to do seems unnecessary or unreasonable. There is usually a good reason behind these changes, and in any case, compliance is mandatory.
Image credit: Caasco.com.