PCI Guidelines and Requirements
Below is a summary review of the PCI-related programs required for compliance, per the PCI Security Standards Council.
PCI DSS
PCI DSS is built on a basis of principles and requirements helping secure data and protecting your environment. These requirements were developed by the initial founders, the Payment Brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standards are intended to offer a global foundation for security management, policies, procedures, network architecture, software design and other important security protocols to protect customer data.
Build and Maintain a Secure Network
1: Install and maintain firewall configurations protecting cardholder data
2: Don’t use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data (or don’t store it at all)
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use, maintain, and update anti-virus software regularly
6: Maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data on a business need-to-know basis
8: Assign unique IDs to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor access to network resources and cardholder data at all times
11: Test security systems and processes on a regular basis
Maintain an Information Security Policy
12: Establish and maintain policies addressing information security
PCI DSS Support documents:
PIN TRANSACTION SECURITY
PIN transaction security must comply with the requirements and guidelines specified in the following documents.
Payment Card Industry Resources
- Testing and Approval Program Guide (PDF)
Security Requirements
- Encrypting PIN Pad Devices v2.1 (PDF) (DOC)
- Point of Sale Devices v2.1 (PDF) (DOC)
- Hardware Security Module (HSM) v1.0 (PDF) (DOC)
- Unattended Payment Terminals (UPT) v1.0 (PDF) (DOC)
Evaluation Vendor Questionnaires
- Encrypting PIN Pad Devices v2.1 (PDF) (DOC)
- Point of Sale Devices v2.1 (PDF) (DOC)
- Hardware Security Module (HSM) v1.0 (PDF) (DOC)
- Unattended Payment Terminals (UPT) v1.0 (PDF) (DOC)
FAQs
PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
PA-DSS grew out of Visa’s former program, the Payment Application Best Practices (PABP). PA-DSS helps software and other vendors develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and that support compliant payment environments.
- Listing of PCI Security Standards Council Validated Payment Applications
- PA-DSS V1.1 and Supporting Documents
- PA-DSS V1.2 and Supporting Documents
Please check the PCI Security Standards Council website for any updated documentation or changes to the program requirements.
PAYMENT BRAND GUIDELINES
Jeremy Drzal
512.234.3036