The Payment Card Industry Data Security Standard (PCI DSS)
The international card companies have set up some security standards that apply to all card payments. The standard deals with rules for the environment (payment terminal/ payment solutions/ systems/ network) where the merchants and their service provider/ processor handle and store card data.
As a merchant accepting payment cards, you are responsible for ensuring that everyone handling card data complies with the security PCI DSS consists of. The payment terminals and/or the payment solution must be certified, and PA DSS and PCI PED approved in order for the merchant to comply with the requirements. Read more about PA DSS and PCI PTS.
PCI DSS 12 requirement
PCI DSS describes the requirements that apply for all merchants transmitting, handling or storing card data. The standard applies for Visa, Mastercard, American Express, Diners, Discover, JCB and Dankort (in Denmark). PCI DSS security standard can be circumscribed to the 12 requirements below:
- You must secure that your company installs and maintains a firewall that protects your card data.
- You must not use standard settings for system passwords and other security parameters.
- Your must protect your card data.
- You must encrypt card data that are sent via open, public network.
- Use antivirus software and update it regularly.
- You must continuously develop and maintain security for your systems as well as applications.
- You must restrict access to cardholder data in relation to business needs so only as few as possible can access the data.
- Each user of your computer network must be assigned with a unique ID.
- As few as possible should have physical access to card data.
- Access to your network and card data must be monitored.
- You must regularly test your security systems and processes Maintain a security policy.
- You must maintain a strict security policy.