Cardholder Data Security Requirements
PCI is the result of a collaboration between VISA® and MasterCard® to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs.
The PCI Requirements
- Install and maintain a working firewall to protect data
- Keep security patches up to date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access by "need to know"
- Assign unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
How PCI Works:
Merchants are responsible for using service providers that are PCI-compliant. VISA® or MasterCard® may impose a fine on non-compliant merchants and, in severe cases, bar the merchant from accepting VISA® or MasterCard® credit cards.
Merchants receive protection from fines in the event of a data compromise when their merchant service provider is found to be PCI-compliant at the time of the security breach. Merchants are, however, subject to fines—up to $500,000 per incident—if they are not PCI-compliant at the time of the breach.
PCI Groups Defined
| Level | Annual VISA® transaction volume | PCI compliance |
|---|---|---|
| 1 | More than 6 million transactions processed annually | Required |
| 2 | 500 thousand to 6 million transactions processed annually | Required |
| 3 | Less than 500 thousand transactions processed annually | Required |
Validation Actions
| Level | | | |
|---|---|---|---|
| 1 | Required annually | | Required quarterly |
| 2 | | Required annually | Required quarterly |
| 3 | | Recommended annually | Recommended annually |