What is PCI-DSS?
PCI-DSS (Payment Card Industry Data Security Standard) was created to unify the way credit card data is secured and managed across the PCI consortium, made up of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
Who must adhere?
The standard must be followed by every entity (merchants, service providers, banks) involved in a credit card transaction that requires the transmission, processing or storage of the card's Primary Account Number (PAN). All commercial sectors are affected.
What are the guidelines involved?
The PCI-DSS is composed of six groups of requirements that cover the various aspects of data, network, system and application security at the physical, logical and organizational level:
1. Build and maintain a secure network
- Install and maintain an up-to-date firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
2. Protect cardholder data
- Protect cardholder data.
- Encrypt cardholder data when it is transmitted over public networks.
3. Maintain a vulnerability management program
- Use antivirus software and keep it up to date.
- Develop and maintain secure systems and applications.
4. Implement access control measures
- Restrict access to cardholder data to personnel who need it.
- Assign a unique user ID to each user.
- Restrict physical access to cardholder data.
5. Regularly test and monitor networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test the security of one's systems and processes.
6. Maintain a security policy
- Define and maintain an information security policy addressed to both employees and third parties.