The Payment Card Industry (PCI) Data Security Standard is a standard that was developed by credit card payment networks to help ensure that merchants adequately protect cardholder data. The PCI Data Security Standard delineates 12 major requirements, divided into six control objectives. For large merchants, auditors must regularly monitor companies for compliance.
Summary of PCI
Build and Maintain a Secure Network
The first objective addresses the company's computer network. It states that the company must maintain a firewall and always change vendor-supplied passwords.
Protect Cardholder Data Files
This objective is concerned with the safety of customer data files. It states that merchants must take steps to protect cardholder data, including the encryption of data that is transmitted over public networks.
Maintain a Vulnerability Management Program
Under this objective, companies must take steps to address potential weaknesses in their security systems. Each company must maintain updated virus protection software and strive to develop secure applications.
Implement Strong Access Control Measures
This objective addresses the question of who has access to customer data. It requires companies to restrict access on a "need to know" basis. Each computer user must be assigned a unique ID. Physical access to data as well as computer access must be restricted.
Regularly Monitor and Test Networks
The purpose of this objective is to ensure that networks are not compromised. Companies must track all access to the network or to customer data, and must regularly test their security systems.
Maintain an Information Security Policy
Under this objective, companies must standardize and maintain a corporate policy for information security. This ensures uniformity and clearl lines of responsibility in security.
Prior to the implementation of the PCI Data Security Standard, there were five individual programs, administered by MasterCard, Visa, American Express, Discover Network and JCB. In 2004, the companies merged their individual standards to form the PCI Data Security Standard. In 2006, an updated version was announced.
The deadline for compliance with the PCI Data Security Standard update was October 1, 2007. However, compliance has thus far been uneven. Virtually every company has some level of data security in place, but many merchants have not yet become fully compliant.
It can be difficult and expensive to retrofit existing networks to meet the new requirements. Additionally, many companies are unclear about the new guidelines and may be waiting until the first audit to determine exactly what changes need to be made.
The Future of PCI
A new set of Payment Applications Security Mandates were announced in October 2007. By 2010, new merchants must be compliant in order to receive authorization to accept credit card payments.