PCI DSS Rules and Regulations


Build and Maintain a Secure Network and Systems

Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor-supplied defaults for system passwords and other security parameters.

Ensure that all system components and software are securely configured and regularly updated with security patches.

Protect Cardholder Data

Protect stored cardholder data by implementing strong encryption methods.

Mask cardholder data when displayed, and limit data retention to only what is necessary for business operations.

Implement controls to securely transmit cardholder data over public networks.

Maintain a Vulnerability Management Program

Use anti-virus software and regularly update malware definitions.

Develop and maintain secure systems and applications by implementing secure coding practices and conducting regular vulnerability scans and penetration tests.

Implement Strong Access Control Measures

Restrict access to cardholder data on a need-to-know basis and assign a unique ID to each person with computer access.

Limit physical access to cardholder data and implement access controls such as biometric authentication and video surveillance.

Regularly monitor and test access controls to ensure effectiveness.

Regularly Monitor and Test Networks

Monitor all access to network resources and cardholder data.

Implement automated intrusion detection and prevention systems to monitor network traffic for suspicious activity.

Conduct regular security testing, including vulnerability scans and penetration tests, to identify and address potential security weaknesses.

Maintain an Information Security Policy

Develop and maintain a comprehensive security policy that addresses all aspects of PCI DSS compliance.

Ensure that all employees and contractors are aware of their responsibilities for protecting cardholder data and complying with security policies.

Regularly review and update security policies to address changes in technology, business processes, and regulatory requirements.

Protecting Data in Transit

Use strong encryption protocols (such as SSL/TLS) when transmitting cardholder data over public networks.

Securely configure all wireless networks to prevent unauthorized access and ensure the confidentiality and integrity of transmitted data.

Secure Systems and Applications

Implement strong access controls and authentication mechanisms to restrict access to sensitive data and functions within applications.

Regularly update and patch systems and applications to address known vulnerabilities and protect against exploitation by malicious actors.

Implementing Incident Response Procedures

Develop and maintain an incident response plan that outlines procedures for detecting, reporting, and responding to security incidents.

Train employees on their roles and responsibilities during a security incident and conduct regular drills to test the effectiveness of the incident response plan.