What is the Payment Card Industry Data Security Standard aka PCI DSS?
The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC). The Council was founded in 2006 by the five major payment card brands - American Express, Discover, JCB International, MasterCard and Visa - to manage the security of cardholder data across the payment ecosystem.
The PCI DSS is described as: "the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices."
In practice, "PCI compliance" simply means compliance with PCI DSS: it is the one standard that any organisation handling payment card data, wherever in the world it operates, is required by the card brands to meet.
The steps mentioned above comprise 12 Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
How compliance with these 12 Requirements is validated depends on the organisation's transaction volume and the card brands' rules: smaller merchants can complete a Self-Assessment Questionnaire (SAQ), while the largest merchants and service providers must undergo an on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). QSAs are independent security companies that PCI SSC has qualified to carry out these assessments. Engaging a QSA takes much of the legwork out of the assessment itself, but the assessed organisation remains responsible for implementing and operating the controls. Becoming a QSA is a rigorous process, which is reflected in the fact that there are currently only 383 QSA companies around the world.