The Payment Card Industry (PCI) Data Security Standard, designed to
create common industry security requirements, is the result of
collaboration between Visa, MasterCard and other credit card
companies. PCI applies to all members, merchants and service
providers that store, process or transmit cardholder data, whether
that data is received in a point of sale, phone, e-commerce or other
type of transaction. Additionally, the standard applies to all
“system components,” which PCI defines as “any network component,
server, or application included in, or connected to, the cardholder
data environment.” The date for meeting compliance was June 30,
2005.
PCI includes the following basic requirements:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks regularly
- Maintain an information security policy
Merchants must validate their compliance by submitting the
required documentation; documentation must also be available upon
request. These requirements may differ slightly from one credit card
company to another, but the most comprehensive requirements include
three levels of validation:
1. Annual on-site security audit – includes reports on compliance
2. Annual self-assessment questionnaire – addresses any system(s) or component(s) involved in processing, storing or transmitting cardholder data
3. Quarterly network security scan – performed with an automated tool that checks systems for vulnerabilities