The PCI Data Security Standard (PCI DSS) describes requirements for organizations involved in payment transaction processing.
The standard consists of 12 requirements, each detailed with sub-requirements, implementation guidance and testing guidance:
- Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
- Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3 – Protect stored cardholder data
- Requirement 4 – Encrypt transmission of cardholder data across open, public networks
- Requirement 5 – Use and regularly update anti-virus software or programs
- Requirement 6 – Develop and maintain secure systems and applications
- Requirement 7 – Restrict access to cardholder data by business need to know
- Requirement 8 – Assign a unique ID to each person with computer access
- Requirement 9 – Restrict physical access to cardholder data
- Requirement 10 – Track and monitor all access to network resources and cardholder data
- Requirement 11 – Regularly test security systems and processes
- Requirement 12 – Maintain a policy that addresses information security for all personnel
PCI DSS compliance requires scanning by Approved Scanning Vendors (ASVs).