Maintaining Payment Security

Payment security is paramount for every merchant, financial institution or other entity that stores, processes or transmits cardholder data.

The PCI Data Security Standards help protect that data. They set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

Maintaining payment security is serious business. It is vital that every entity responsible for the security of cardholder data diligently follows the PCI Data Security Standards.

PCI Security Standards

PCI Data Security

If you accept or process payment cards, the PCI Data Security Standards apply to you.

These standards cover the technical and operational system components that store, process or transmit cardholder data, and any components connected to them.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

PTS Requirements

The PCI PIN Transaction Security Requirements (PCI PTS) focus on the characteristics and management of devices used to protect cardholder PINs and in other payment-processing activities. Manufacturers must follow these requirements in the design, manufacture and transport of a device to the entity that implements it.

Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI Council.

PA-DSS Security

The Payment Application Data Security Standard (PA-DSS) is for software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data (for example, as part of authorization or settlement), when those applications are sold, distributed or licensed to third parties.

Most card brands encourage merchants to use payment applications that are tested and approved by the PCI Council.

P2P Encryption

This PCI standard is a comprehensive set of security requirements for point-to-point encryption solution providers, which helps those providers validate their work. Using an approved point-to-point encryption solution helps merchants reduce the value of stolen cardholder data, because the data is unreadable to an unauthorized party. Solutions based on this standard may also reduce the scope of a merchant's cardholder data environment and so make compliance easier.

Point-to-Point Encryption is a cross-functional program that results in validated solutions incorporating many of our various security standards.


Quick Steps to Security

A model framework for security, the PCI Data Security Standard integrates best practices forged from the years of experience of security experts around the world.

The standard works for some of the world’s largest corporations. And it can work for you.

  • Buy and use only approved PIN entry devices at your points-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software; most defaults are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI Data Security Standard.