The PCI Data Security Standard (PCI DSS) is a combination of best practices and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. These requirements apply to all entities that store, process, and/or transmit cardholder data. The high-level requirements as detailed by the PCI Security Standards Council (PCI SSC) are as follows:
| Build and Maintain a Secure Network |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data |
| Requirement 3: Protect stored cardholder data |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program |
| Requirement 5: Use and regularly update anti-virus software |
| Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures |
| Requirement 7: Restrict access to cardholder data by business need-to-know |
| Requirement 8: Assign a unique ID to each person with computer access |
| Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks |
| Requirement 10: Track and monitor all access to network resources and cardholder data |
| Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy |
| Requirement 12: Maintain a policy that addresses information security |
Why PCI & PA-DSS Compliance Matters
Right now, credit card processors are contacting your customers requiring them to update to a PCI compliant environment or use a PA-DSS compliant application. This means that software companies who do not develop PA-DSS compliant solutions will soon be left behind their competitors who do, and will rapidly lose their reseller base.
Is Your Application Up to Standards?
If your solution is designed to capture, process, store, or transmit credit card data, you are obligated to comply with one or more of the payment card industry security standards.