12 Steps to becoming PCI Compliant

Wednesday, November 30, 2011 | Michael Green

The Payment Card Industry Data Security Standard (abbreviated PCI DSS or, commonly, just PCI) is a set of 12 requirements designed to secure and protect customer payment card data. These 12 requirements for PCI DSS compliance can be quite daunting for any merchant. They are listed below:
 
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
 
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
 
Maintain a Vulnerability Management Programme
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
 
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
 
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
 
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
 
Each requirement is broken down further within the standard into more specific sub-requirements. As can be seen, achieving PCI compliance is a major undertaking for any organisation and is a board-level programme, not something that falls exclusively into the realm of the CIO, estates manager, customer service team or marketing specialists, all of whom have an interest. Your sales and marketing director will want to reassure customers and protect brand equity; your credit controller will want to reassure your bank that you are minimising risk; and your IT service delivery team will want to provide watertight continuous availability.
 
PCI encompasses physical security throughout the organisation (even down to ensuring that visitors wear identity badges) as well as many discrete processes and policies. That said, the compliance framework is chiefly aimed at preventing electronic fraud and breaches of data security, so it naturally focuses heavily on technology.