PCI-DSS compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information.

PCI DSS compliance is required by all card brands.

The Payment Card Industry Security Standards Council (PCI SSC) develops and manages the PCI standards and associated education and awareness efforts. The PCI SSC is an open global forum, with the five founding credit card companies -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. -- responsible for carrying out the organization's work.

Twelve PCI DSS requirements for compliance

There are 12 main requirements in six overarching goals for PCI DSS compliance. According to the PCI SSC, a vendor must complete the following tasks as part of its PCI compliance checklist:

Goal 1. Build and maintain a secure network.

1. Install and maintain a firewall configuration to protect card holder data (CHD).
2. Not use vendor-supplied defaults for system passwords and other security parameters.

Goal 2: Protect cardholder data.

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Goal 3: Maintain a vulnerability management program.

5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.

Goal 4: Implement strong access control measures.

7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Goal 5: Regularly monitor and test networks.

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Goal 6: Maintain an information security policy.

12. Maintain a policy that addresses information security.