Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for those who accept credit cards and for software providers whose applications involve the transmission and/or storage of credit card information.
Security controls are as much about physical restrictions as they are about technology systems and procedures. Whether a biller accepts payments online or by mail, they must ensure the physical security of any PC that receives or stores credit card data. Receiving credit card payments by mail adds another layer of responsibility to maintain PCI compliance. Why? Because now they must also exert physical control over paper documents that contain credit card data.
A successful PCI compliance program requires a partnership between your IT staff, your payments vendors and a PCI assessor. The PCI compliance checklist for businesses that handle payment card data consists of these 12 requirements:
- Use a firewall
- Do not use vendor-supplied passwords
- Do not store cardholder data, or if you must, protect it
- Encrypt transmission of cardholder data
- Use anti-virus software
- Maintain secure systems and applications
- Restrict access to cardholder data
- Assign unique user IDs
- Restrict physical access to cardholder data
- Monitor all access to cardholder data
- Regularly test systems and processes
- Maintain a security policy