Unlike some government regulations, the PCI Data Security Standard (PCI DSS) is praised for its clarity. Here are its 12 basic requirements.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt the transmission of cardholder data and sensitive information across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
This was first published in June 2006.