PCI Compliance
The PCI DSS (Payment Card Industry Data Security Standard) must be met by all organizations (merchants and service providers) that transmit, process or store payment card data. The PCI DSS is not a law, it is a contractual obligation applied and enforced - by means of fines or other restrictions - directly by the payment providers themselves.
With experience achieving PCI DSS compliance for a number of clients we can assist your business with achieving the latest standards.
The Rules for PCI Compliance
There are six main categories within the standards established by the PCI Security Standards Council, which are as follows:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Within these six categories are 12 requirements that are directly related to web application security:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Each of the above requirements is broken down into a number of sub-requirements that provide further detail on each process. The full detail can be viewed at www.pcicomplianceguide.org.