PCI DSS Principles and Requirements

The PCI DSS imposes requirements on merchants to safeguard consumers' credit card information from hackers and other identity thieves. The core requirements are as follows:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored data
  • Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder information

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security

At a high level, these requirements appear straightforward. Note, however, that these 12 Payment Card Industry Data Security (PCI DSS) requirements include over 200 detailed tasks that need to be met.

The payment card industry is now enforcing PCI compliance. Non-compliance can result in fines, restrictions or possibly permanent expulsion from card acceptance programs. If your business depends on accepting credit cards, then you have no choice than to become PCI compliant. Rapid7 makes it easy by providing the necessary components in one easy to use web based service.