The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands of the organizations members.
There are 12 requirements for compliance organized into 6 logically related groups as follows.
Control Objectives & PCI DSS Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
Having and enforcing an “Imprinted Sales Slip or Printed Receipt Security Policy” governing the storage of imprinted cardholder data and limiting access to that data is an important control. It is also important that the policy contain a provision for the regular purging and secure disposal of this data after its period of usefulness for processing a sale or responding to a chargeback inquiry has passed.