What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is designed to be a baseline minimum standard for credit card security. To achieve PCI compliance, an online retailer must meet all PCI DSS requirements.
Do I need to be PCI-DSS Compliant?
If you accept credit card payments, then yes: your site needs to be PCI-DSS compliant. However, if you do not process or store credit card information on your own web server, the PCI validation and standards requirements do not apply to you. The service provider that processes your customers’ cards is solely responsible for meeting the requirements. Such providers include PayPal (Payments Standard only), Mijireh, and Cart66 Cloud. If you use any of these providers, you are automatically PCI compliant.
PCI Validation Requirements
The first step is to determine your validation level as defined by the credit card brand.
At the very least, you will be required to:
- Complete a Self-Assessment Questionnaire (“SAQ”)
- Submit an Attestation of Compliance (“AOC”) Form
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”)
PCI Standards Requirements
To comply with the Standards, you must carry out these requirements:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.
Install and maintain a firewall configuration to protect cardholder data.
A firewall is a software and/or hardware system or combination of systems that secures a network, protecting it from access by unauthorized users from inside or outside the network.
In addition, small-business computers that interact with credit card data must also have a third-party firewall installed; the Windows Firewall alone is not considered adequate. Contact third-party vendors such as Zone Alarm, Norton Utilities, or McAfee.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Keep cardholder data storage to a minimum. The cardholder’s credit card number, name, and expiration date can be stored. The full magnetic stripe (track) data and the security code (CVV2) CANNOT. You MUST keep any paper containing credit card information locked up.
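As an added example (not code from the original article), the following Python storage gate enforces the rule above before a payment record is written anywhere: it refuses any record that still carries sensitive authentication data (security code or track data), drops fields outside the permitted set, validates the card number, and produces a masked form for display. The field names, the record shape and the sample card numbers are constructed for this example; the masking convention (first six and last four digits visible) is a common PCI DSS display practice and is an assumption here, as is the reminder that the stored card number must itself be protected at rest.

```python
"""Storage gate for cardholder data: added example, not the article's code.

Assumptions (not stated on the page): records arrive as dicts with the
constructed field names below; the masked form is what screens and
receipts show, while the full number goes only to a protected store.
"""
from __future__ import annotations

import re

# Sensitive authentication data that must never be stored after
# authorisation (the article's "full magnetic data and security code").
# Field names are constructed for this example.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv2", "cvc", "track1", "track2", "pin_block"})

# Fields the article says may be stored (names constructed for this example).
ALLOWED_FIELDS = frozenset({"pan", "cardholder_name", "expiry"})


class ForbiddenFieldError(ValueError):
    """Raised when a record still contains sensitive authentication data."""


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum; catches typos and garbage before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return the minimal record that may be persisted, or raise.

    - ForbiddenFieldError if CVV2/track data is present (must never be stored)
    - ValueError for fields outside the permitted set or an invalid number
    """
    forbidden = SENSITIVE_AUTH_FIELDS & record.keys()
    if forbidden:
        raise ForbiddenFieldError(f"refusing to store {sorted(forbidden)}")

    unknown = record.keys() - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"fields not permitted in cardholder storage: {sorted(unknown)}")

    # Normalise the number: strip spaces and dashes, then validate.
    pan = re.sub(r"[\s-]", "", str(record["pan"]))
    if not pan.isdigit() or not luhn_ok(pan):
        raise ValueError("card number failed validation")

    return {
        "pan": pan,                     # stored value; must itself be protected at rest
        "pan_display": mask_pan(pan),   # the only form that should reach screens/receipts
        "cardholder_name": record["cardholder_name"],
        "expiry": record["expiry"],
    }


if __name__ == "__main__":
    # Constructed sample input using a well-known test card number.
    ok = prepare_for_storage({"pan": "4111 1111 1111 1111",
                              "cardholder_name": "A. Example", "expiry": "12/29"})
    print(ok["pan_display"])
    try:
        prepare_for_storage({"pan": "4111111111111111", "cardholder_name": "A. Example",
                             "expiry": "12/29", "cvv2": "123"})
    except ForbiddenFieldError as exc:
        print("rejected:", exc)
```

Calling `prepare_for_storage` at the single point where payment records are written keeps the check from being bypassed by a second code path; a record carrying a security code is rejected outright rather than silently stripped, so the upstream defect that captured it gets noticed.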
Encrypt transmission of cardholder data across open, public networks.
You must use strong cryptography and security protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and Internet Protocol Security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks such as the Internet or wireless networks.
Under no circumstances should credit card information be sent via email.
Use and regularly update anti-virus software or programs.
In addition to maintaining current releases of anti-virus software, implement sound email policies against opening spam mail or unknown attachments, which can conceal malicious code.
Develop and maintain secure systems and applications.
One of the sub-points of this PCI requirement mandates that merchants keep their networks and systems current by installing all security patches as they are released by software and hardware vendors.
Microsoft routinely sends out security updates electronically, indicated by an icon in the system tray. All updates must be installed immediately.
Restrict access to cardholder data by business need-to-know.
Merchants must limit access to cardholder data to only those individuals whose job requires such access.
Assign a unique ID to each person with computer access.
This requirement mandates that every user with access to your network be known and authorized with a unique user name and password or other authenticating ID such as an electronic thumbprint.
Restrict physical access to cardholder data.
Cameras should be installed to monitor sensitive areas, with audits that correlate camera footage against other access records. For example, employee X used a card key to enter the data center; camera data verifies that only employee X entered at that time.
If you operate a non-retail business, visitors need to be checked in and out of the building in a log book that is kept for at least three months, unless restricted by law. They must be provided with a badge or wearable temporary access card that makes them easily distinguishable to all personnel.
Strict controls are required on the storage of paper and electronic media, computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes that contain cardholder data.
Track and monitor all access to network resources and cardholder data.
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
Tracking logs should be able to piece together every single action taken by anyone on the network and be saved for at least one year.
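The following Python audit-log reviewer is an added example, not code from the original article. It shows what the tracking requirement above looks like in practice: parse access records, rebuild the time-ordered trail of one user's actions, flag cardholder-data access that cannot be attributed to an authorised, unique individual (tying in requirements 7 and 8), and compute which entries are still inside the one-year retention window so nothing younger is purged. The log line format, user names, resource paths, source addresses and the authorised-user and shared-account lists are all constructed for this example; adapt the regular expression to whatever your web server or application actually emits.

```python
"""Audit-log review for cardholder-data access: added example, not the article's code.

Assumptions (constructed for this example): one line per access attempt in the
key=value form below; resources under /cardholder/ hold cardholder data.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (one per access attempt).
SAMPLE_LOG = """\
2024-03-05T14:02:11Z user=alice src=10.0.0.5 action=LOGIN resource=/ result=OK
2024-03-05T14:02:40Z user=alice src=10.0.0.5 action=READ resource=/cardholder/1001 result=OK
2024-03-05T14:03:02Z user=bob src=10.0.0.9 action=READ resource=/cardholder/1001 result=OK
2024-03-05T14:05:30Z user=shared-pos src=10.0.0.22 action=READ resource=/cardholder/1002 result=OK
2024-03-05T14:06:00Z user=bob src=10.0.0.9 action=EXPORT resource=/cardholder/1002 result=DENIED
2022-11-01T09:00:00Z user=alice src=10.0.0.5 action=READ resource=/cardholder/0999 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Individuals whose job requires cardholder data (requirement 7); constructed.
AUTHORISED_FOR_CHD = frozenset({"alice"})
# Account names not tied to a single person (requirement 8); constructed.
SHARED_ACCOUNTS = frozenset({"shared-pos", "admin", "root"})
# The article's minimum retention for tracking logs.
RETENTION = timedelta(days=365)


def parse_log(text: str) -> list[dict]:
    """Parse audit lines; an unparseable line is an error, not something to skip."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(e)
    return entries


def is_cardholder_resource(resource: str) -> bool:
    return resource.startswith("/cardholder/")


def timeline(entries: list[dict], user: str) -> list[tuple]:
    """Every action one user took, oldest first: the trail an investigation needs."""
    rows = [(e["ts"], e["action"], e["resource"], e["result"])
            for e in entries if e["user"] == user]
    return sorted(rows, key=lambda r: r[0])


def review(entries: list[dict]) -> list[tuple]:
    """Findings for cardholder-data access that lacks a clear, authorised owner."""
    findings = []
    for e in entries:
        if not is_cardholder_resource(e["resource"]):
            continue
        if e["user"] in SHARED_ACCOUNTS:
            # A shared login cannot be traced to one person.
            findings.append(("shared-account", e["user"], e["resource"], e["ts"]))
        elif e["user"] not in AUTHORISED_FOR_CHD and e["result"] == "OK":
            # Access succeeded for someone outside the need-to-know list.
            findings.append(("unauthorised-success", e["user"], e["resource"], e["ts"]))
    return findings


def within_retention(entries: list[dict], now: datetime) -> list[dict]:
    """Entries that must still be kept (younger than one year); only older ones may be purged."""
    return [e for e in entries if now - e["ts"] <= RETENTION]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for row in timeline(log, "alice"):
        print("alice:", *row)
    for finding in review(log):
        print("finding:", *finding)
    now = datetime(2024, 3, 6, tzinfo=timezone.utc)
    print(len(within_retention(log, now)), "of", len(log), "entries inside the retention window")
```

Running this against real logs only works if every component that touches cardholder data writes to the same trail with the same identity field, which is why the parser fails loudly on a line it cannot read rather than dropping it: a gap in the trail is exactly what makes a compromise hard to reconstruct.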
Regularly test security systems and processes.
Maintain a policy that addresses information security.