PCI DSS Requirements

PCI DSS Requirements: A Refresher

It is imperative for any business that handles cardholder data to comply with the Payment Card Industry Data Security Standard (PCI DSS). What does it mean to maintain PCI compliance? Let’s take a look at the 12 steps of PCI DSS compliance.

PCI DSS Requirements

In general, businesses (whether small or large) need to implement 12 basic guidelines in six categories in order to achieve PCI compliance. The twelve PCI DSS requirements catalog best practices that businesses should follow when handling customers’ payment cards or payment card information.

Create a Secure Network

Requirement 1: Install and maintain a secure firewall to protect cardholder data.
Requirement 2: Update system passwords regularly and replace vendor defaults. (Password1234 is not a secure password :-)!)

Keep Cardholder Data Safe

Requirement 3: Protect stored cardholder data securely.
Requirement 4: Encrypt transmission of stored cardholder data.

Maintain a Vulnerability Management Program

Requirement 5: Implement anti-malware measures and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign unique credentials to each person with computer access.
Requirement 9: Restrict physical access to sensitive data.

Regularly Monitor and Test All Systems

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly perform penetration tests for security vulnerabilities.

Maintain an Up-to-Date Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

How can you ease your PCI compliance responsibilities? Use scope-reducing technologies such as point-to-point encryption (P2PE) and tokenization.

Point-to-point encryption protects sensitive data from the instant it is captured – whether via card swipe or user input – until the payment is completed. Because cardholder data never reaches your own systems in readable form, the application (or website) is considered out of scope for PCI DSS.

Tokenization lets you process recurring payments without storing sensitive cardholder data anywhere in your systems. Instead of card data, the merchant handles only tokens, which on their own hold no value to an attacker.
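As an added illustration (not code from this page or from any payment provider), a minimal tokenization vault in Python: the hypothetical vault is the only place the card number (PAN) is stored, and the merchant system keeps just a random surrogate token plus a masked PAN for receipts.

```python
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Basic input validation: True if the string is all digits and passes Luhn."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: keep the first 6 and last 4 digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical token service. Only the vault ever sees the PAN."""

    def __init__(self):
        self._by_pan = {}    # PAN -> token, so a repeat customer reuses one token
        self._by_token = {}  # token -> PAN, vault-side only

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random surrogate: same length, keeps the last 4 for receipts,
            # has no mathematical relation to the PAN, and deliberately fails
            # Luhn so it can never be mistaken for a real card number.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or the processor behind it) may map a token back."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant database stores: a token and a masked PAN, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}
```

Storing only the token and masked PAN is what keeps Requirement 3 (protect stored cardholder data) largely out of the merchant's hands; the recurring charge is later made by handing the token back to the vault.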

Partner With Professionals

Using a PCI compliant payment provider reduces, and in many cases virtually eliminates, the PCI compliance requirements that apply to your business. Working with a provider that maintains stringent PCI DSS compliance means you can focus on what you do best: managing your business. For more information, click here to view our whitepapers on PCI compliance for software providers or PCI compliance for merchants.

Ready to see our API or open a test account? Looking for more information on our Partner Programs? Are you a merchant with a question? We are here to help!
