Understanding PCI Compliance
The PCI Data Security Standard (PCI DSS) is a combination of best practices and associated requirements covering security management, policies, procedures, network architecture, software design, and other protective measures. These requirements apply to all entities that store, process, and/or transmit cardholder data.
The high-level requirements as detailed by the PCI Security Standards Council (PCI SSC) are as follows:
| Goal | Requirement |
| --- | --- |
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data |
| Build and Maintain a Secure Network | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data |
| Protect Cardholder Data | Requirement 4: Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | Requirement 5: Use and regularly update anti-virus software |
| Maintain a Vulnerability Management Program | Requirement 6: Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need-to-know |
| Implement Strong Access Control Measures | Requirement 8: Assign a unique ID to each person with computer access |
| Implement Strong Access Control Measures | Requirement 9: Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data |
| Regularly Monitor and Test Networks | Requirement 11: Regularly test security systems and processes |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security for all personnel |
Depending on its annual transaction volume, a business falls into one of two Service Provider Levels, which determines the type of validation required to achieve PCI compliance.
Larger entities may require an annual on-site assessment and corresponding Report on Compliance (ROC) from a Qualified Security Assessor (QSA), while smaller businesses may simply be required to submit an annual Self-Assessment Questionnaire (SAQ).
In either case, regular reports are required for PCI compliance.
What is PA-DSS?
To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS).
The PA-DSS is a set of security requirements that govern how payment applications must handle the capture, storage, processing and transmission of sensitive cardholder data as well as administrative, maintenance, and logging functions of the application.
The PA-DSS applies to application developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Payment applications, when implemented according to the PA-DSS and when implemented in a PCI DSS compliant environment, should facilitate and support merchant PCI DSS compliance.
Why PCI Compliance Matters
If your solution is designed to capture, process, store, or transmit credit card data, you are obligated to comply with one or more of the payment card industry security standards.