What is PCI DSS compliance and how do you achieve it?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of information security standards that ensure every merchant safely and securely accepts, stores, processes, and transmits cardholder data (customers' credit or debit card information) during a credit or debit card transaction.
It is essential for customers to know that your website is secure, because sensitive data such as credit or debit card information is transferred when they pay. The purpose of PCI DSS is to reduce the risk of credit or debit card data being lost or stolen and to secure online payment transactions.
The PCI DSS has outlined 12 requirements for handling cardholder data and maintaining a secure network.
1. A firewall configuration must be installed and maintained.
All systems must be protected from unauthorized access from untrusted networks, regardless of the method of entry. A properly configured firewall inspects all network traffic and blocks connections that have no business reaching systems holding cardholder data.
2. Vendor-supplied defaults must be changed.
It is critically important to change the default passwords and settings provided by the vendor and to remove or disable unnecessary default accounts before introducing new systems into your environment. Attackers know the default vendor settings and passwords, so leaving them unchanged can lead to a compromise of data.
SECURE CARDHOLDER DATA
3. Stored cardholder data must be protected.
There are many methods to protect your client’s sensitive data: encryption, truncation, masking, and hashing.
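The four protection methods named above, truncation, masking, hashing, and encryption, applied to a single constructed sample PAN. This is an added example, not code from the original post or from the PCI Security Standards Council: the sample card number is the well-known Visa test number, the keys are zero-filled placeholders that a real system would fetch from a key-management service, and the function names are my own. Note that the hash is keyed (HMAC); an unkeyed hash of a 16-digit number is cheap to brute-force and is not an adequate protection on its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SamplePAN is a constructed test card number, not a real account.
const SamplePAN = "4111111111111111"

// TruncatePAN keeps only the last four digits. Truncated data is no longer
// cardholder data under PCI DSS and may be stored without further protection.
func TruncatePAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return pan[len(pan)-4:]
}

// MaskPAN renders a PAN for display: at most the first six and last four digits
// are shown, every other digit is replaced by '*'.
func MaskPAN(pan string) string {
	if len(pan) < 11 { // too short to show 6 + 4 and still hide something
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// HashPAN derives a keyed one-way token (HMAC-SHA256) that lets a system match
// repeat transactions without storing the PAN itself.
func HashPAN(pan string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptPAN encrypts with AES-256-GCM (key must be 32 bytes). The random
// nonce is prepended to the ciphertext so DecryptPAN can recover it.
func EncryptPAN(pan string, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN. GCM authenticates the ciphertext, so any
// tampering with the stored bytes is reported as an error instead of garbage.
func DecryptPAN(ct []byte, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // placeholder key; use a KMS-managed key in practice
	fmt.Println("truncated:", TruncatePAN(SamplePAN))
	fmt.Println("masked:   ", MaskPAN(SamplePAN))
	fmt.Println("hashed:   ", HashPAN(SamplePAN, key))
	ct, _ := EncryptPAN(SamplePAN, key)
	pt, _ := DecryptPAN(ct, key)
	fmt.Println("encrypted:", hex.EncodeToString(ct), "-> decrypted:", pt)
}
```

Truncation and masking are the cheapest options and should be preferred wherever the full PAN is not genuinely needed; hashing and encryption keep the PAN recoverable or matchable and therefore bring the key material and the systems holding it into scope for the rest of the standard.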
4. Transmission of cardholder data across public networks must be encrypted.
Cardholder’s sensitive data and authentication information must be encrypted during transmission over public networks.
5. Anti-virus software must be used and regularly updated.
Antivirus software must be installed and operating on all business systems to protect your client’s environments.
6. Secure systems and applications must be developed and maintained.
Applications should be kept up to date and known security vulnerabilities remediated through security patches.
7. Cardholder data access must be restricted to a business need-to-know basis.
Access is granted only at minimum level and only if needed in order to perform a job responsibility.
8. Every person with computer access must be assigned a unique ID.
Each person who accesses sensitive data needs a unique ID, so that every action can be traced to an individual.
9. Physical access to cardholder data must be restricted.
NETWORK MONITORING AND TESTING
10. Access to cardholder data and network resources must be tracked and monitored.
Logging every access makes it possible to prevent, detect, or minimize a data breach.
11. Security systems and processes must be regularly tested
12. An information security policy must be maintained for all personnel.
If all the above standards are met, PCI compliance can be achieved.
March 29, 2020