What are the requirements for PCI Compliance?

12 PCI requirements

    Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
    • Filter inbound traffic and restrict access to the network core to authorized individuals.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Use strong passwords. Never keep the default password, as it is publicly available in the vendor's documentation.

    Protect Cardholder Data
  3. Protect stored data with encryption
    • Restrict access to stored data and dispose of it properly.
  4. Encrypt transmission of cardholder and sensitive information across public networks
    • Cardholder information must be protected as it crosses publicly accessible networks.

    Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
    • Keep anti-virus and anti-spyware software up to date.
  6. Develop and maintain secure systems and applications
    • Keep applications up to date and patched.

    Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
    • Prevent accidental exposure and reduce vulnerability and risk by limiting the distribution of data.
  8. Assign a unique ID to each person with computer access
    • Makes it possible to link transactions back to a specific source, establishing individual accountability for actions.
  9. Restrict physical access to cardholder data
    • All access to the cardholder environment must have adequate physical security controls to reduce the business risk of exposure.

    Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
    • Logging must be enabled on all devices within the cardholder environment, with logs retained according to the organization's legal and regulatory needs.
  11. Regularly test security systems and processes
    • A periodic security assessment of all networked components within the cardholder environment must be conducted to identify and close information security gaps.

    Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
    • Information security policies addressing all business risks should be developed.
