How to Comply With the New Payment Card Industry Data Security Standards
What exactly are the requirements? Following are the 12 PCI standards:
1. Install and maintain a firewall configuration to protect data.
2. Don’t use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored credit card data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by “business need-to-know.”
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
Each of these 12 requirements has several subcategories of compliance procedures. For example, to comply with requirement No. 3, you must not store sensitive authentication data (e.g., card-validation codes) after authorization has been given. You must mask customers’ full credit card numbers when they’re being displayed across your contact center (the last six or four digits can be displayed). And you must render cardholder data unreadable wherever it’s stored, including on your nightly backup tapes.
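The masking and "unreadable storage" parts of requirement No. 3 are easy to get wrong in a contact-center display layer, so here is an added illustration of both (example code written for this article, not taken from the PCI standard or any vendor). It assumes a Python application that receives card numbers as typed by agents, shows only the last four digits on screen, and, where the system must recognise a card again later, keeps a keyed SHA-256 HMAC of the number plus the last four digits instead of the number itself. The HMAC key is a constructed placeholder; a real deployment would fetch it from a key-management system.

```python
import hashlib
import hmac
import re

# Constructed placeholder key for this example only. In practice the key is
# held in a key-management system and never appears in source code.
EXAMPLE_HMAC_KEY = b"example-key-replace-me"


def normalize_pan(raw):
    """Strip spaces and dashes and check that a plausible PAN remains.

    Accepts input such as "4111 1111 1111 1111" or "4111-1111-1111-1111".
    Raises ValueError for anything that is not 13 to 19 digits.
    """
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("not a PAN: expected 13 to 19 digits")
    return digits


def luhn_valid(pan):
    """Luhn check-digit test, used to reject mistyped numbers before storage."""
    total = 0
    for index, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(raw, visible=4):
    """Display form of a PAN: only the last `visible` digits (default four)
    are shown, every other digit is replaced by an asterisk."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - visible) + pan[-visible:]


def pan_record(raw, key=EXAMPLE_HMAC_KEY):
    """What a system may keep instead of the PAN when it must match a card
    again later: the last four digits for display plus a keyed hash for
    lookups. Without the key the hash cannot be turned back into the PAN."""
    pan = normalize_pan(raw)
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "pan_hmac": digest}


def record_leaks_pan(record, raw):
    """Review check: True if any stored field still contains the full PAN."""
    pan = normalize_pan(raw)
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample input: the standard Visa test number.
    sample = "4111 1111 1111 1111"
    print(mask_pan(sample))
    stored = pan_record(sample)
    print(stored)
    print("leaks full PAN:", record_leaks_pan(stored, sample))
```

`mask_pan` is what the agent desktop renders; `pan_record` is what the back end writes to disk, so the nightly backup tapes mentioned above carry only the hash and the last four digits. Matching a returning card means recomputing the HMAC of the freshly entered number and comparing it with `hmac.compare_digest`, never storing or logging the number on the way.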
To retrieve the 12-page PDF that outlines in detail all of the new requirements, ask your acquiring bank, or visit www.visa.com and type into the search field: “Payment Card Industry Data Security Standards.” Or scroll to the bottom of this article, where we’ve posted links related to PCI.
What is the questionnaire I’m supposed to complete? If you’re a Level 2 or 3 merchant (see chart below left), your acquiring bank requires you to complete the 10-page PCI Self-Assessment Questionnaire. Level 4 merchants complete the questionnaire only if required to do so by their acquiring banks. The questionnaire is not required of Level 1 merchants.