Understanding Card Data Security Requirements

The Payment Card Industry Data Security Standards (PCI DSS) were created by the Payment Card Industry Security Standards Council (originally formed by Visa, MasterCard, Discover and American Express) to establish basic security standards for credit card processing.

By following these standards, you help protect your customers' sensitive card data while safeguarding your business. PCI DSS compliance can help you avoid legal issues resulting from security breaches, as well as fines imposed by the credit card companies for noncompliance.

You can start by following these basic PCI DSS data security requirements:

Network Security

  • Install and maintain a secure network firewall to protect cardholder data across public networks.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Cardholder Data

  • Protect stored cardholder data, and encrypt transmission of cardholder data across open, public networks.
  • Do not store or retain magnetic stripe data, PIN data or Address Verification System (AVS) data. Only the cardholder account number, name and expiration date should be retained after transaction authorization.
  • Do not store or retain Card Validation Codes (the three-digit value printed in the signature panel of most cards, or the four-digit code printed on the front of an American Express card) after transaction authorization.
  • Do not transmit cardholder account numbers to cardholders for Internet transactions.
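
The retention rule above is easiest to enforce in code rather than by policy alone: keep an allowlist of the three fields that may persist, drop everything else before writing to disk, and scan anything that does get written (logs included) for raw magnetic-stripe data. The following is an added example, not code from PNC or from any payment gateway; the field names (pan, cardholder_name, expiry, track2, cvv, pin_block, avs_result) and the sample authorization record are constructed for this illustration, and the track-data patterns follow the standard ISO/IEC 7813 track 1 and track 2 layouts.

```python
"""Retention filter and stripe-data scan for the "do not store after
authorization" rule. Example code, not from the original page; the field
names below are hypothetical and chosen for this illustration."""
import re

# The only fields the page allows to remain after authorization.
RETAINABLE_FIELDS = {"pan", "cardholder_name", "expiry"}

# Sensitive authentication data that must never be retained.
PROHIBITED_FIELDS = {"track1", "track2", "pin_block", "cvv", "avs_result"}

# Raw magnetic-stripe data as it appears in free text (a log line, a dump).
# Track 1: %B<PAN>^<NAME>^<YYMM>...  Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def sanitize_for_storage(auth_record: dict) -> dict:
    """Return only the allowlisted fields. Unknown fields are dropped too,
    so a new gateway field cannot silently leak into storage."""
    return {k: v for k, v in auth_record.items() if k in RETAINABLE_FIELDS}


def find_prohibited_fields(record: dict) -> list:
    """Names of prohibited fields that are present with a non-empty value."""
    return sorted(k for k in PROHIBITED_FIELDS if record.get(k))


def scan_text_for_stripe_data(text: str) -> list:
    """Flag raw track data in any text that is about to be persisted."""
    findings = []
    if TRACK1_RE.search(text):
        findings.append("track1")
    if TRACK2_RE.search(text):
        findings.append("track2")
    return findings


# Constructed sample: what a terminal might hand the application after a swipe.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "cardholder_name": "JANE DOE",
    "expiry": "2712",
    "track2": ";4111111111111111=27121010000000000000?",
    "cvv": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "avs_result": "Y",
    "auth_code": "123456",  # benign, but outside the allowlist, so dropped
}

if __name__ == "__main__":
    print("prohibited fields present:", find_prohibited_fields(SAMPLE_AUTH))
    stored = sanitize_for_storage(SAMPLE_AUTH)
    print("persisting:", stored)
    print("prohibited in stored copy:", find_prohibited_fields(stored))
    log_line = "swipe ok raw=;4111111111111111=27121010000000000000?"
    print("stripe data in log line:", scan_text_for_stripe_data(log_line))
```

Note that the retained copy still holds the full account number in the clear; the first bullet in this section (protect stored cardholder data) still applies to it, so the sanitized record should be encrypted at rest before it is written.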

Vulnerability

  • Use and regularly update anti-virus software on all systems commonly affected by malware and keep security patches up to date.

Access

  • Restrict access to cardholder data in your business on a "need-to-know" basis.
  • Assign a unique ID to each person with computer access to cardholder data and use this ID to track access to the data.

Monitoring and Testing

  • Maintain a policy that addresses information security for employees and contractors.
  • Regularly test security systems and processes.


Next Steps:

  • Whether you are a small retail shop with a single terminal or a large business with thousands of payment card customers, you will need to validate that you are PCI DSS compliant.
    1. The first step is to complete a PCI DSS Self-Assessment Questionnaire (SAQ). PNC Merchant Services is working with Trustwave to provide validation services at a preferred price. Register on their site to access all of Trustwave's online resources.
    2. If your business uses POS software instead of terminals to process card payments, you may need to answer an expanded questionnaire and participate in a PCI DSS Network Vulnerability Scan.