The 12 PCI DSS requirements are organized into 6 main categories. To be fully compliant, an organization must satisfy all 12 requirements.

- Maintain a Secure Network: Requirements 1 and 2
- Protect Cardholder Data: Requirements 3 and 4
- Maintain a Vulnerability Management Program: Requirements 5 and 6
- Implement Strong Access Controls: Requirements 7, 8, and 9
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: Requirements 10 and 11
- Maintain an Information Security Policy: Requirement 12

Source: PCI Security Standards version 1.1 - http://www.PCISecurityStandards.org.
In response to requests from merchants for a unified set of payment account data security requirements, members of the payment card industry ("PCI") adopted the PCI Data Security Standard ("PCI DSS"), a set of requirements for cardholder data protection across the entire industry, maintained by the PCI Security Standards Council, LLC ("PCI SSC"), the current version of which is available on the PCI SSC web site at http://www.pcisecuritystandards.org (the "Website"). Organizations that are authorized to validate an entity's adherence to PCI DSS requirements are referred to as "Qualified Security Assessors" or "QSAs". Validation of these requirements by independent and qualified security companies is important to the effectiveness of PCI DSS. The quality, reliability, and consistency of a QSA's work provide confidence that cardholder data are adequately protected.
Key to the success of the PCI DSS is merchant and service provider compliance. When implemented appropriately, PCI DSS requirements provide a well-aimed defense against data exposure and compromise. As a result, on-site PCI DSS assessments performed by Qualified Security Assessors ("Assessments") have become increasingly critical in today's environment.
The proficiency with which a QSA conducts an Assessment can have a tremendous impact on the consistent and proper application of PCI measures and controls. The current version of these Payment Card Industry (PCI) Data Security Standard Validation Requirements for Qualified Security Assessors (the "QSA Validation Requirements"), as available through the Website, describes the necessary qualifications a QSA must have to be recognized by the PCI SSC to perform Assessments.
Members of the payment card industry also adopted the Payment Application Data Security Standard (the "PA-DSS"), a set of requirements derived from and closely related to the PCI DSS, but intended to illustrate for payment software vendors what is required for their payment software applications to facilitate and not prevent their customers' PCI DSS compliance. The PA-DSS is also maintained by PCI SSC and is available as part of the Payment Application Data Security Standard and Audit Procedures ("PA-DSS Security Audit Procedures") through the Website. Each QSA organization that chooses to additionally qualify to become a Payment Application Qualified Security Assessor (defined below) must satisfy the requirements set forth in the most current version of the Payment Card Industry (PCI) Data Security Standard QSA Validation Requirements—Supplement for Payment Application Qualified Security Assessors (PA-QSA) (available through the Website), in addition to continuing to satisfy all general requirements for QSAs.