PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD
The purpose of the Payment Card Industry (PCI) Data Security Standard is to help merchants, payment processors and service providers improve their data security measures in order to safeguard cardholder account and transaction information. The PCI Data Security standard has been created from the rationalisation of Visa’s AIS and CISP programmes and Mastercard’s Site Data Protection (SDP) programme. The PCI Data Security Standard is a worldwide standard for cardholder data protection across the payment industry.
OVERVIEW OF PCI DATA SECURITY STANDARD
The PCI Data Security Standard lists 12 requirements that companies must satisfy and demonstrate compliance with. These are summarised below and expanded in the PDF:
- Install and maintain a firewall configuration to protect data
- Do not use vendor supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder and sensitive information across public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data on a business need-to-know basis
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
Download / view the PCI Data Security Standard v1.1 September 2006 (PDF - 85K)
ADDITIONAL INFORMATION
We strongly recommend that you implement systems and procedures to adhere to the PCI requirements. This will help you to protect your customers' information from the risk of fraud and increase your customers' confidence.
As well as protecting your customers, appropriate data security practices limit your exposure to risk and minimise the losses and operational expenses incurred from compromised cardholder account information. The financial and resource outlay to meet the PCI requirements is minimal compared with the costs associated with the reactive hiring of security and public relations specialists, or the loss of significant revenue and goodwill that can result from a security compromise.
The PCI Data Security Standard gives you a framework to work to and will help you to implement security processes within your organisation for the protection of all data, not just that related to card transactions and cardholder data. In addition, it will give you greater awareness of the security measures and preventative options available.
For further information, and for the formal programmes from Visa and Mastercard that give more detail on implementing and demonstrating conformance to the standard, please see the following:
The Visa Account Information (AIS) Security Programme
The Mastercard Site Data Protection (SDP) Programme
If you are developing online shopping carts or any other web-based programs that handle customer details and online credit and debit card processing, you should also look at the following for help and advice on developing secure software.
The Open Web Application Security Project