
Credit Card Requirements — What is PCI DSS?

As identity theft and fraud increase at an alarming rate, the payment card industry has reacted by creating its own set of compliance standards for merchants. If your organization accepts credit cards, then you and your processor each have to meet certain requirements to safeguard cardholder data. Failure to attest to meeting these standards may result in hefty fines and the loss of the ability to accept credit cards.

Payment Card Industry Data Security Standards (PCI DSS) were developed by the Payment Card Industry Security Standards Council (American Express, Discover, JCB International, MasterCard Worldwide, and VISA Inc.) as a uniform set of information security requirements for all national card brands. Any merchant that accepts credit cards for retail, mail orders, telephone orders, or e-commerce must meet twelve security requirements. Failure to comply may result in audits by PCI DSS Qualified Security Assessors and fines levied by the card brands. Below is an overview of the twelve requirements. Requirements in blue cannot be accomplished without training and assessment.

  1. Install and maintain a firewall.
  2. Do not use vendor security defaults.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data.
  5. Use anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data.
  8. Cardholders with computer access must have a unique ID.
  9. Physical access to cardholder data must be restricted.
  10. Access to networks and cardholder data must be tracked and monitored.
  11. Regularly test all systems and processes.
  12. Maintain an Identity Theft Prevention Program that addresses employees and contractors.

NOTE: These twelve requirements may involve over 280 additional steps.

Please consult your credit card processor to find out if their systems are compliant. Then check to make sure that your organization is compliant. It is critical to understand that your processor cannot make you compliant even if they have met their processor requirements. More information about PCI DSS requirements can be found on the Payment Card Industry Data Security Council's website at www.pcisecuritystandards.org.

“A defensible position for credit card liability must be derived from assessing risks in your privacy, security, usage, and notification practices, and using this knowledge as a basis for your Identity Theft Prevention Program.”
