PCI-DSS (Payment Card Industry Data Security Standard) is a set of
security requirements designed to ensure that all companies that accept,
process, store or transmit credit card information maintain a secure
environment. The PCI-DSS standard was created by major credit card
companies such as Visa, MasterCard, American Express and Discover to
protect sensitive cardholder data and reduce the risk of credit card fraud.
The PCI-DSS standard comprises 12 requirements that are grouped into six
categories:
- Build and Maintain a Secure Network: This includes requirements
  for firewalls, secure routers and other network devices.
- Protect Cardholder Data: This includes requirements for protecting
  sensitive cardholder data such as encryption, access controls and
  data backup.
- Maintain a Vulnerability Management Program: This includes
  requirements for identifying and mitigating security vulnerabilities.
- Implement Strong Access Control Measures: This includes
  requirements for controlling access to cardholder data and
  monitoring system activity.
- Regularly Monitor and Test Networks: This includes requirements for
  monitoring network activity and testing security controls.
- Maintain an Information Security Policy: This includes requirements
  for developing and maintaining a comprehensive security policy.
Organizations that handle credit card information must comply with the
PCI-DSS standard and must demonstrate compliance through regular
assessments by a Qualified Security Assessor (QSA) or Internal Security
Assessor (ISA). PCI-DSS compliance is mandatory for any merchant who
accepts credit card payments, and non-compliance can lead to hefty fines
and penalties. Non-compliance can also lead to loss of trust
from customers and business partners. Organizations are expected to
maintain compliance on an ongoing basis, not only at the time of assessment.