Payment Card Industry – Data Security Standards

The 12 Security Required Controls* apply to all system components that are included in or connected to the payment card data environment:

Build and Maintain a Secure Network and Systems

Install and maintain firewall configuration to protect credit card data
Do not use vendor defaults for system passwords and other security parameters

Protect Cardholder Data
Protect stored Credit Card Data
Encrypt transmission of credit card data across open networks (public)

Maintain a Vulnerability Management Plan
Protect all systems against malware and regularly update anti-virus software/programs
Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Restrict access to Cardholder Data by business need to know
Identify and authenticate access to system components

Regularly Monitor and Test Network
Track and monitor all access to network resources and cardholder data
Restrict physical access
Regularly test security systems and processes

Maintain an Information Security Policy

Maintain a policy that addresses information security for all personnel

*For full accounting of definitions and inclusive information defer to page 5 of Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1494110639364 accessed 2017)

Created by: Lisa Marie Waugh, MJ contact lisamariewaugh.com