The PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. The PCI SSC sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement.
Build and Maintain a Secure Network
#1 – Install and maintain firewall and router configuration standards that formalize testing whenever configurations change, and restrict all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. Identify all connections to cardholder data and review configuration rule sets at least every six months.
#2 – Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
#3 – Protect stored cardholder data
#4 – Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec to safeguard sensitive cardholder data during transmission over open, public networks
Maintain a Vulnerability Management Program
#5 – Install and regularly update anti-virus software or programs, then check that all anti-virus mechanisms are current, actively running, and generating audit logs.
Implement Strong Access Control Measures
#7 – Assign all users a unique user name before allowing them to access system components or cardholder data.
#8 – Limit access to system components and cardholder data to only those individuals whose job requires such access and restrict physical access to cardholder data.
Regularly Monitor and Test Networks
#9 – Track and monitor all access to network resources and cardholder data
#10 – Regularly test security systems and processes
Maintain an Information Security Policy
#11 – Maintain a policy that addresses information security for all personnel