About the Payment Card Industry Data Security Standard
12 key requirements for protecting cardholder data
While these minimum data management standards are mandatory and required of all card-accepting merchant locations, simply fulfilling these requirements WILL NOT fully protect you from all fines and losses resulting from theft or loss of cardholder data (data breach). However, it is required that all businesses be able to provide evidence of their compliance with these twelve basic safeguards.
1. Firewall rules
PCI standards require that all systems coming in contact with cardholder data be protected by firewalls if those systems support e-commerce or some other use of the Internet such as e-mail.
2. Change system passwords from vendor-supplied defaults.
These passwords and settings are well-known in "hacker" communities. They need to be changed before you connect to your network.
3. If you store it, protect it.
Unless it’s absolutely necessary to retain cardholder data, don’t! And if you do, make sure controls are in place which will minimize the risk of cardholder information getting into the wrong hands.
4. Encrypt all numbers in transit.
When sending sensitive data (like card numbers) across public networks, encryption is a must. That goes for e-mail too. Unencrypted account numbers should never be sent by e-mail.
5. Use anti-virus software.
As anyone with an active e-mail account can attest, malicious viruses and other attacks can slip through firewalls and end up in your electronic in-basket. Not only do you need anti-virus software, but you must also update it regularly.
6. Keep up with security patches.
PCI standards require all systems that might come into contact with payment card data to have up-to-date software patches as long as they don't adversely affect existing security configurations. In-house developers need to be aware of and take PCI into consideration when creating patches for any of those systems.
7. Keep data away from wandering eyes.
There's very little need for most personnel to see critical cardholder data. For any computing resources using that data, limit access to people whose jobs require access. Systems with multiple users may require special mechanisms that partition access on a need-to-know basis.
8. Require and assign unique user IDs.
Unique IDs ensure that you have a way to know who touches what data and when.
9. Keep a tight lock on card data.
Physical access to cardholder data or the systems that house that data must be monitored and restricted. This includes any paper or electronic media containing cardholder data.
10. Keep tabs on everything and everyone.
Be aware and keep track of anyone who uses your systems or terminals.
11. Test all security regularly.
Systems and controls should be tested at least quarterly and following any upgrades or modifications by vendors qualified in PCI compliance.
12. Make security job one.
Every organization, large or small, needs a strong security policy in writing. "It sets the security tone for the entire company and informs employees on what is expected of them," states the PCI Security Standards Council.
The requirements for evidencing full compliance are determined by the category that your business falls into (outlined in the chart below):
Note: Most of our customers will fall into the Level 3 and Level 4 categories.
| Merchant Definition | Criteria | Onsite Review | Self-Assessment Questionnaire | Network IP Scan |
|---|---|---|---|---|
| Level 1 | Merchants processing over 6 million transactions annually (all payment types) or global merchants identified as Level 1 | Required Annually | Not Required | Required Quarterly |
| Level 2 | Merchants processing 1 million to 6 million transactions annually (all payment types) | Not Required | Required Annually | Required Quarterly |
| Level 3 | Merchants processing 20,000 to 1 million (any payment type) e-commerce transactions annually | Not Required | Required Annually | Required Quarterly |
| Level 4 | Merchants processing less than 20,000 (any payment type) e-commerce transactions annually and all other merchants processing up to 1 million (any channel) transactions annually | Not Required | Required Annually | Required Quarterly If Applicable |
1 For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a Qualified Security Assessor (QSA).
2 To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an Approved Scanning Vendor (ASV).
The Visa, Inc. Card Information Security Program (CISP) Web site categorizes merchants in one of the four merchant levels based on Visa transaction volume (not dollar volume) over a 12-month period. MasterCard's Site Data Protection Program (SDP) mirrors Visa's CISP requirements.
The merchant's transaction volume is based on the aggregate number of Visa (or MasterCard) transactions. These include credit cards, debit cards and prepaid cards.
For merchants and/or merchant corporations who operate more than one DBA (Doing Business As), the aggregate volume of transactions stored, processed or transmitted by the corporate entity must be considered to determine the validation level and associated requirements.
If the corporate entity does not store, process or transmit cardholder data on behalf of the multiple DBAs, the DBA's individual transaction volume will be used to determine the validation level.