Maintaining Payment Security

Payment security is paramount for every merchant, financial institution or other entity that stores, processes or transmits cardholder data.

The PCI Data Security Standards help protect the safety of that data. They set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

Maintaining payment security is serious business. It is vital that every entity responsible for the security of cardholder data diligently follows the PCI Data Security Standards.

PCI Security Standards

PCI Data Security Standard

Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems

1. Install and Maintain Network Security Controls
2. Apply Secure Configurations to All System Components

Protect Account Data

3. Protect Stored Account Data
4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Maintain a Vulnerability Management Program

5. Protect All Systems and Networks from Malicious Software
6. Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures

7. Restrict Access to System Components and Cardholder Data by Business Need to Know
8. Identify Users and Authenticate Access to System Components
9. Restrict Physical Access to Cardholder Data

Regularly Monitor and Test Networks

10. Log and Monitor All Access to System Components and Cardholder Data
11. Test Security of Systems and Networks Regularly

Maintain an Information Security Policy

12. Support Information Security with Organizational Policies and Programs

PTS Requirements

The PCI PIN Transaction Security Requirements (called PCI PTS) are focused on the characteristics and management of devices used to protect cardholder PINs and to perform other payment-processing activities. Manufacturers must follow these requirements in the design, manufacture and transport of a device to the entity that implements it.

Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI Council.

Validated Payment Software

Validated Payment Software has been assessed by a Secure Software Assessor to confirm adherence to the PCI Secure Software Standard. The PCI Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data.

Point-to-Point Encryption

A comprehensive set of security requirements for point-to-point encryption solution providers, this PCI standard helps those solution providers validate their work. Using an approved point-to-point encryption solution helps merchants reduce the value of stolen cardholder data because it will be unreadable to an unauthorized party. Solutions based on this standard may also help merchants reduce the scope of their cardholder data environment, which makes compliance easier.

Point-to-Point Encryption is a cross-functional program that results in validated solutions incorporating many of our various security standards.

Quick Steps to Security

A model framework for security, the PCI Data Security Standard integrates best practices forged from the years of experience of security experts around the world.

The standard works for some of the world’s largest corporations. And it can work for you.

  • Buy and use only approved PIN entry devices at your points-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI Data Security Standard.