PCI-DSS
Definition
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements established by the PCI Security Standards Council for all organizations that store, process, or transmit cardholder data. PCI-DSS v4.0 includes 12 principal requirements organized into six goals, with compliance validated by Qualified Security Assessors (QSAs) or through Self-Assessment Questionnaires (SAQs).
The 12 Requirements
Req 1: Install and maintain network security controls
Req 2: Apply secure configurations to all system components
Req 3: Protect stored account data
Req 4: Protect cardholder data with strong cryptography during transmission
Req 5: Protect all systems and networks from malicious software
Req 6: Develop and maintain secure systems and software
Req 7: Restrict access to system components and cardholder data by business need to know
Req 8: Identify users and authenticate access to system components
Req 9: Restrict physical access to cardholder data
Req 10: Log and monitor all access to system components and cardholder data
Req 11: Test security of systems and networks regularly
Req 12: Support information security with organizational policies and programs
Compliance Levels
Level 1
Merchants processing over 6 million transactions annually. Requires annual on-site assessment by a QSA and quarterly network scans.
Level 2
Merchants processing 1 to 6 million transactions annually. Requires annual Self-Assessment Questionnaire and quarterly network scans.
Level 3
Merchants processing 20,000 to 1 million e-commerce transactions annually. Requires annual SAQ and quarterly network scans.
Level 4
Merchants processing fewer than 20,000 e-commerce transactions, or up to 1 million total transactions, annually. Requires annual SAQ and quarterly network scans.