PCI DSS certification confirms that a company meets the payment industry's requirements for processing card data. The requirements were developed in 2005 by the Payment Card Industry Security Standards Council, which was established by the global payment companies Visa, MasterCard, American Express, and others. Certification has been mandatory since 2012 for organizations that work with bank cards. With this document, a company shows market participants that the security of customer data is vital to it.
PCI DSS Requirements
A company that complies with PCI DSS must take the protection of personal information seriously.
This is expressed in six official requirement areas:
- The corporate network must be reliably protected and its traffic filtered by firewalls. Areas where customer data is processed must be separated into isolated segments. Each server, including each virtual machine, should perform a single primary function, so that functions requiring different levels of protection do not share one machine. Such a scheme makes it harder for an attacker who compromises one component to reach the entire system. Passwords on the network must be strong and must not be left at vendor defaults.
- An important PCI DSS requirement is that information transmitted over the network must be securely encrypted using keys of at least 128 bits.
- Your organization must use up-to-date antivirus software, and the process for patching vulnerable software must be documented.
- Access to critical parts of the infrastructure is allowed only through multi-factor authentication. Physical access to servers that store customer data must be limited to appropriate personnel, and access rights must be updated after every personnel change.
- All operations in the infrastructure must be logged continuously, so that traces of an intrusion can be found quickly. The infrastructure must be tested regularly for vulnerabilities.
- A written corporate information security policy is required. It must define the general principles and procedures for accessing users' personal data, and it must also plan the steps to take if a breach is detected. All of these documents must be updated every year to reflect changes in the company.
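The encryption requirement above sets a floor of 128 bits on key length. As an added example that is not part of the original article, the following Go program enforces that floor before encrypting a (constructed) card number with AES-GCM, which also detects any tampering with the stored ciphertext. The `MinKeyBits` constant, the function names and the sample card number are assumptions made for the illustration; a real key would come from a key-management system rather than being generated inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the minimum key length the requirement calls for (assumed name).
const MinKeyBits = 128

var ErrKeyTooShort = errors.New("key shorter than 128 bits")

// newAEAD builds an AES-GCM cipher and rejects keys shorter than 128 bits.
// The explicit length check runs before aes.NewCipher so the reason for
// rejection is reported as a policy violation, not as a generic cipher error.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key)*8 < MinKeyBits {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || authentication tag for plaintext under key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if the data was altered in storage or transit.
func Decrypt(key, data []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

func main() {
	key := make([]byte, 16) // 16 bytes = 128 bits
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed test card number
	ct, _ := Encrypt(key, pan)
	pt, _ := Decrypt(key, ct)
	fmt.Println("round trip ok:", string(pt) == string(pan))
	_, err := Encrypt([]byte("short"), pan)
	fmt.Println("short key rejected:", errors.Is(err, ErrKeyTooShort))
}
```

The length check is deliberately separate from the cipher construction: AES would also reject a 5-byte key, but an explicit `ErrKeyTooShort` lets a deployment log the policy violation distinctly from other failures.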
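The logging requirement asks that operations be recorded so that traces of an intrusion can be found quickly. As an added example that is not from the original article, here is a Go program that reviews a few constructed authentication log lines and flags a source address that accumulates repeated failures inside a short window, noting whether a successful login from the same source followed. The log line format, the field names, the threshold and the window size are all assumptions made for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample log in the assumed form "<RFC3339 time> <event> user=<u> src=<ip>".
const sampleLog = `2024-05-01T10:00:01Z AUTH_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:03Z AUTH_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:04Z AUTH_OK user=alice src=192.0.2.10
2024-05-01T10:00:05Z AUTH_FAIL user=root src=203.0.113.7
2024-05-01T10:00:06Z AUTH_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:07Z AUTH_FAIL user=admin src=203.0.113.7
2024-05-01T10:00:09Z AUTH_OK user=admin src=203.0.113.7
2024-05-01T10:30:00Z AUTH_FAIL user=bob src=198.51.100.4`

type event struct {
	at   time.Time
	kind string
	user string
	src  string
}

// parseLine splits one log line; malformed lines are skipped rather than aborting the review.
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return event{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, false
	}
	e := event{at: at, kind: f[1]}
	for _, kv := range f[2:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return event{}, false
		}
		switch k {
		case "user":
			e.user = v
		case "src":
			e.src = v
		}
	}
	return e, true
}

// Alert describes one source address that exceeded the failure threshold.
type Alert struct {
	Src      string
	Failures int  // failures inside the window when the alert was last updated
	Followed bool // a later AUTH_OK from the same source followed the burst
}

// FindBruteForce flags any source with at least threshold AUTH_FAIL events
// inside a sliding window, in the order the sources first crossed the threshold.
func FindBruteForce(log string, threshold int, window time.Duration) []Alert {
	fails := map[string][]time.Time{}
	alerted := map[string]*Alert{}
	var order []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		e, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		if e.kind == "AUTH_OK" {
			if a, ok := alerted[e.src]; ok {
				a.Followed = true
			}
			continue
		}
		if e.kind != "AUTH_FAIL" {
			continue
		}
		ts := append(fails[e.src], e.at)
		for len(ts) > 0 && e.at.Sub(ts[0]) > window { // drop failures older than the window
			ts = ts[1:]
		}
		fails[e.src] = ts
		if len(ts) >= threshold {
			if a, ok := alerted[e.src]; ok {
				a.Failures = len(ts)
			} else {
				alerted[e.src] = &Alert{Src: e.src, Failures: len(ts)}
				order = append(order, e.src)
			}
		}
	}
	out := make([]Alert, 0, len(order))
	for _, src := range order {
		out = append(out, *alerted[src])
	}
	return out
}

func main() {
	for _, a := range FindBruteForce(sampleLog, 5, 5*time.Minute) {
		fmt.Printf("%s: %d failures in window, success followed: %v\n", a.Src, a.Failures, a.Followed)
	}
}
```

The sliding window matters: the same five failures spread over an hour are ordinary user error, while five in six seconds followed by a success is the pattern an analyst wants surfaced first.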