Payment card industry (PCI) compliance is a set of policies and procedures used to protect credit and debit card transactions and prevent cardholders’ personal information from being stolen. It is developed and managed by the Payment Card Industry Security Standards Council (PCI SSC). Payment card industry compliance applies to companies of any size that accept credit card payments.
If a company accepts credit card payments, it must securely host data with a PCI compliant hosting provider.
There are 6 goals and 12 requirements for payment card industry compliance:
PCI SSC Goal 1: Create and maintain a secure network where transactions can be conducted
1. Maintain a robust firewall to protect credit card data.
2. Customers must not use default PINs and passwords, and they must be able to change these credentials frequently and conveniently.
PCI SSC Goal 2: Protect cardholder data
3. Repositories holding private personal information (such as social security numbers, birthdays, phone numbers, and email addresses) must be secured.
4. Cardholder data must be encrypted when transmitted across public networks.
PCI SSC Goal 3: Maintain a rigorous vulnerability management program
5. All anti-malware, anti-spyware, and anti-virus software must be updated frequently to ensure high-quality vulnerability management.
6. Companies must develop and maintain secure systems and applications.
PCI SSC Goal 4: Restrict and control access to system information and operations
7. Cardholders should only give a business information that the business needs in order to carry out a transaction.
8. Each person with access to a system should have a unique ID and password.
9. Cardholder data should be protected both physically and electronically.
PCI SSC Goal 5: Constantly monitor and frequently test networks
10. Access to cardholder data and network resources must be tracked and monitored.
11. Security systems and processes must be tested regularly.
PCI SSC Goal 6: Maintain and follow a formal information security policy
12. Audits and penalties for non-compliance must be enforced.
Learn more about changes in payment card industry compliance that will affect your application security program.
Learn more about web application security, PCI DSS 3.0, and PCI DSS 3.1.