What are the 12 requirements of PCI Compliance?
While PCI compliance used to be a pain in the butt for anyone who wasn’t an eCommerce-based business, things have changed. If you are running any kind of payment processing through your website, then you are required to become compliant with the Payment Card Industry Data Security Standard (PCI DSS).
There are 12 requirements that you need to follow, and they are as follows:
- Install/Maintain a Firewall
It’s important to have the most up-to-date firewall protecting your business from hackers. You can either hire someone or install it yourself, but you must have one.
- Do not use vendor-supplied defaults
Change any default passwords and settings that ship with vendor-supplied hardware or software, and use a unique password for each of your logins. Do not use the same login and password for everything, because this makes it easier for hackers to get into your account.
- Protect Stored Data
In order to stay compliant with PCI DSS, you must provide data encryption, strong access controls and monitoring mechanisms.
- Encrypt Cardholder Data
All credit card information that is stored must be encrypted in order to stay compliant with PCI DSS.
- Develop and maintain secure systems and applications
This requirement states that all systems must be kept up-to-date and patched in a timely manner. Your systems and applications must also be free of vulnerabilities and exploits, and you need to make sure that they are tested regularly.
- Restrict access to data on a need-to-know basis
This requirement states that your business needs to control access to the data completely, which means no sharing login information with your co-workers. Access must be limited to just those who need it in order to do their jobs.
- Assign a unique ID to each person with computer access
This requirement ensures that there aren’t multiple people trying to log in with the same username and password (which will eventually deplete your resources).
- Restrict physical access to cardholder data
This requirement ensures that your business is protecting itself from internal threats as well as external ones by not giving anyone unnecessary access to where the credit card information is being stored.
- Track and monitor all access to network resources and cardholder data
This requirement ensures that you are keeping track of exactly who is accessing the information, when they accessed it and where they accessed it from.
- Regularly test security systems and processes
This requirement ensures that you are testing your company’s security policies on a regular basis to make sure that there aren’t any gaps in their protection, and that if there are, they can be fixed quickly.
- Maintain an information security policy
This requirement ensures that your business has a written policy in place which states exactly what the requirements are when it comes to protecting credit card information and other personal information, and how it is handled.
- Develop and maintain a compliance program
This requirement states that your business must have a written program that ensures that you are following all of the other requirements and can verify compliance on an ongoing basis (it is recommended to do this annually).
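The "need-to-know", "unique ID" and "track and monitor all access" requirements above are easiest to understand when you see what an audit trail actually lets you check. The following is an added example, not code from the original article or from the PCI Security Standards Council; it assumes a constructed access-log format (one space-separated key=value event per line, ISO-8601 timestamp first) and made-up user IDs, addresses and resource names. It builds the who/when/where trail for cardholder-data access, flags access attempts by users outside a need-to-know list, and flags a single user ID being used from more than one address within a short window, which is the usual sign that a login is being shared.

```python
"""Audit-trail checks over cardholder-data access logs.

Added example (not from the original article). It assumes a constructed
log format: one event per line, space-separated key=value fields, with an
ISO-8601 timestamp first. User IDs, addresses and resource names are made up.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z user=alice src=10.0.0.5 action=READ resource=cardholder_db result=OK
2024-05-01T10:00:30Z user=alice src=10.0.0.5 action=READ resource=cardholder_db result=OK
2024-05-01T10:01:00Z user=alice src=192.168.7.9 action=READ resource=cardholder_db result=OK
2024-05-01T10:05:00Z user=bob src=10.0.0.8 action=READ resource=cardholder_db result=OK
2024-05-01T10:06:00Z user=carol src=10.0.0.9 action=READ resource=cardholder_db result=DENIED
2024-05-01T11:00:00Z user=bob src=10.0.0.8 action=READ resource=inventory result=OK
2024-05-01T15:00:00Z user=alice src=10.0.0.5 action=READ resource=cardholder_db result=OK
"""

# Users who need cardholder data to do their job (assumed need-to-know list).
NEED_TO_KNOW = {"alice", "bob"}
CARDHOLDER_RESOURCE = "cardholder_db"


def parse_event(line):
    """Turn one log line into a dict with a datetime under 'when' plus the key=value fields."""
    timestamp, *fields = line.split()
    event = {"when": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def audit_trail(events):
    """Who touched cardholder data, when, and from where (the 'track and monitor' requirement)."""
    return [(e["user"], e["when"].isoformat(), e["src"])
            for e in events if e["resource"] == CARDHOLDER_RESOURCE]


def unauthorized_access(events, need_to_know=NEED_TO_KNOW):
    """Cardholder-data access attempts (allowed or denied) by users outside the need-to-know list."""
    return [e for e in events
            if e["resource"] == CARDHOLDER_RESOURCE and e["user"] not in need_to_know]


def shared_credentials(events, window=timedelta(minutes=5)):
    """User IDs seen from more than one source address within `window`: a likely shared login."""
    suspicious = set()
    history_by_user = {}
    for e in sorted(events, key=lambda ev: ev["when"]):
        history = history_by_user.setdefault(e["user"], [])
        for when, src in history:
            if src != e["src"] and e["when"] - when <= window:
                suspicious.add(e["user"])
        history.append((e["when"], e["src"]))
    return suspicious


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for who, when, where in audit_trail(evts):
        print(f"{when} {who} from {where}")
    print("outside need-to-know:", [e["user"] for e in unauthorized_access(evts)])
    print("possible shared logins:", sorted(shared_credentials(evts)))
```

On the constructed log this reports carol's denied attempt (she is not on the need-to-know list, and denied attempts are still worth reviewing) and flags alice, whose ID is used from two different addresses a minute apart. A real deployment would read the same fields from your web or database server logs instead of the embedded sample.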
You will need someone who is trained in PCI Compliance to help you achieve it, but if your website processes over 6 million transactions per year, then you will need to become compliant yourself.