
PCI Requirements and Guidelines Overview


This is a summary overview of the various PCI-related programs required for compliance, as defined by the PCI Security Standards Council.

PCI DSS

PCI DSS is built on a set of principles and requirements that help secure cardholder data and protect your environment. These requirements were developed by the Council's founding members, the payment brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standard is intended to offer a global baseline for security management, policies, procedures, network architecture, software design and other protective measures that safeguard customer data.

Build and Maintain a Secure Network

1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5: Use anti-virus software and keep it maintained and regularly updated
6: Maintain secure systems and applications

Implement Strong Access Control Measures

7: Restrict access to cardholder data to a business need-to-know basis
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10: Track and monitor all access to network resources and cardholder data
11: Test security systems and processes on a regular basis

Maintain an Information Security Policy

12: Establish and maintain policies addressing information security

PCI DSS Support documents:


PIN TRANSACTION SECURITY

PIN transaction security must comply with the requirements and guidelines specified in the following documents.

Payment Card Industry Resources

  • Testing and Approval Program Guide (PDF)

Security Requirements

Evaluation Vendor Questionnaires

FAQs

  • General Frequently Asked Questions (PDF)
  • Technical Frequently Asked Questions 2.0 (PDF)


PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

PA-DSS was formerly Visa's Payment Application Best Practices (PABP) program. PA-DSS helps software and other vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensures that the payment applications they ship are compliant.
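Requirement 3 above (protect stored cardholder data) and the PA-DSS rule that applications must not store full magnetic stripe, CVV2 or PIN data are usually verified by scanning logs, databases and file shares for such data. The following is an added example, not code from the original post or from the PCI SSC: it scans constructed sample application log lines for track 1/track 2 magnetic stripe data, unmasked PANs (validated with the Luhn check to cut false positives) and stored CVV2 values, and reports each finding with the PAN masked to first six and last four digits. The record formats, field names and test card number are assumptions for illustration; real storage formats will differ.

```python
import re

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<expiry/service code/discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^")
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# A bare 13-19 digit run not embedded in a longer digit string (candidate PAN)
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Assumed log field names for a stored card verification value
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> list:
    """Return (kind, masked value) findings for one stored record."""
    findings = []
    track_pans = set()
    for m in TRACK1_RE.finditer(record):
        track_pans.add(m.group(1))
        findings.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(record):
        track_pans.add(m.group(1))
        findings.append(("track2", mask_pan(m.group(1))))
    for m in CVV_RE.finditer(record):
        findings.append(("cvv2", "<redacted>"))
    for m in PAN_RE.finditer(record):
        pan = m.group(1)
        # Skip PANs already reported as part of track data; Luhn filters
        # most timestamps and order ids, but long numeric ids can still
        # pass by chance, so findings need human review.
        if pan not in track_pans and luhn_ok(pan):
            findings.append(("pan", mask_pan(pan)))
    return findings


def scan_records(records: list) -> list:
    """Scan many records; returns (record index, kind, masked value) tuples."""
    out = []
    for idx, rec in enumerate(records):
        for kind, value in scan_record(rec):
            out.append((idx, kind, value))
    return out


# Constructed sample log lines; 4111111111111111 is a well-known test number.
SAMPLE_RECORDS = [
    "2024-01-01 10:00:01 auth ok pan=4111111111111111 amount=12.50",
    "2024-01-01 10:00:02 swipe raw=;4111111111111111=25121010000000000000?",
    "2024-01-01 10:00:03 order 12345 shipped tracking=1Z999",
    "2024-01-01 10:00:04 verify cvv2=123 stored with order 12345",
]

if __name__ == "__main__":
    for idx, kind, value in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: prohibited or unprotected data ({kind}): {value}")
```

A clean result from this kind of scan is only part of the evidence for Requirement 3; the data that legitimately must be kept (the PAN for refunds, for instance) still has to be rendered unreadable at rest, and the scan itself must not write the cleartext values it finds into yet another log, which is why the findings carry masked values only.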

Please check the PCI Security Standards website for any updated documentation or changes to the program requirements.

PAYMENT BRAND GUIDELINES

Jeremy Drzal 

512.234.3036