The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. They are grouped under six broader goals, and an enterprise must satisfy all 12 to be compliant.
Secure network
- A firewall configuration must be installed and maintained
- System passwords must be changed from their vendor-supplied defaults
Secure cardholder data
- Stored cardholder data must be protected
- Transmissions of cardholder data across public networks must be encrypted
Vulnerability management
- Anti-virus software must be used and regularly updated
- Secure systems and applications must be developed and maintained
Access control
- Cardholder data access must be restricted to a business need-to-know basis
- Every person with computer access must be assigned a unique ID
- Physical access to cardholder data must be restricted
Network monitoring and testing
- Access to cardholder data and network resources must be tracked and monitored
- Security systems and processes must be regularly tested
Information security
- A policy dealing with information security must be maintained