The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder's data. PCI DSS requirements apply to organizations where Cardholder's data and/or Sensitive Authentication data is stored, processed or transmitted.
Cardholder Data includes:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
Sensitive Authentication Data includes:
- Magnetic-stripe data or Chip data on Credit/Debit Card
For the organizations that have outsourced their payment processing operations or management of their Cardholder Data Environment (CDE), they are responsible for ensuring that the account data is protected by third party.
Below are some high-level PCI DSS requirements:
- Organization needs build and maintain a secure network systems. This includes installing and maintaining a firewall configuration to protect cardholder data.
- Vendor-supplied default credentials should not be used for system password and other security parameters.
- Protect stored Cardholder Data.
- Encrypt transmission of cardholder data across open, public networks
- Protect Systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.