Payment Card Industry
The payment card industry data security standard (PCI-DSS) is a set of regulations formed by major payment card brands including VISA, MasterCard, AmEx, and Discover. There are 12 general security requirements, and sub-requirements, that every merchant that obtains payment card information is required to follow.
There are 4 levels of compliance: The level your company must comply with depends on the number of transactions per year that your business processes.
Do I have to comply with PCI-DSS?
Select a payment provider that handles payments securely and complies with level 1 PCI-DSS standards. If you handle the same payment types and transmit/store any data, you should should consider complying with the appropriate level of PCI-DSS standards.
Who Is Exempt?
Organizations that employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
What if I don’t meet PCI compliance?
Non-compliance can lead to serious security events that could cost your organization valuable client data, and have serious financial implications (both fines and loss of revenue). To avoid the risk of data breaches that could highly damage your brand. It is within the best interests of your company to comply with these regulations.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or program
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel