All major credit card companies require businesses that process, store, or transmit credit card data to comply with the Payment Card Industry Data Security Standards (PCI-DSS). The PCI Security Standards Council sets the requirements that the stakeholders from all major corporations such as Visa, Mastercard, and Discover represent. The organization provides an actionable framework in the PCI-DSS. It created a comprehensive credit data security process that includes data theft detection, prevention, and steps that users should take if they become a theft victim.

PCI DSS Requirements

Secure Networks – PCI-DSS’s first and second requirements cover network maintenance and architecture for company resources. The first requirement outlines recommended firewall architecture and requires that a network diagram depicting the location of critical system components and information flow is created. The second requirement covers network configuration and how to change default options before installing new software or hardware on a network.

Data Protection – The third and fourth requirements are two of the most important in the PCI-DSS as they cover the required encryption standards for cardholder data and encryption key maintenance (requirement 3). The fourth requirement covers transmitted data encryption over channels such as IPSEC or SSL.

Vulnerability Management Program Maintenance – The fifth requirement ensures that all network systems and sub-systems that use credit card data in any way are running current anti-virus software. The sixth requirement covers credit card management systems and software development life cycles.

Access Control Measures – The seventh, eighth, and ninth requirements cover the control of physical and logical access to customer data and the network. The seventh requirement covers limitations on cardholder data based on the employee’s function, the eighth covers logical access control, and the ninth, physical access to data.

Network Monitoring and Testing – The tenth requirement focuses on a company implementing audit trails for various events that are associated with credit card data storage systems and networks. The eleventh requirement covers system testing. This includes intrusion detection systems (IDS) use and running network vulnerability scans periodically.

Information Security Policy – The 12th and final requirement deals with the creation of a PCI-DSS security policy that addresses all PCI-DSS elements and the documentation of a company’s Incident Response Plan. This requirement makes a company implement a security awareness program that creates security training requirements for all company employees.