Payment Card Industry Data Security Standard compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard developed to protect cardholders' personal information. It includes requirements for security management, network architecture, software design, security policies and procedures, and other measures that protect customer account data. The standard applies to any organisation that stores, transmits or processes cardholder information.

PCI DSS is a set of six principles that encompass 12 specific requirements. These requirements apply to any organisation holding personal information and are intended to reduce the organisation's risk of a data breach.

PCI DSS: six principles

1. Build and maintain a secure network

  • install and maintain a firewall configuration to protect your cardholders' data
  • do not use vendor defaults for system passwords or other security settings

2. Protect your cardholder data

  • protect any stored cardholder data
  • encrypt transmission of your cardholders' data across open, public networks

3. Keep a vulnerability management plan

  • always use and regularly update your anti-virus software
  • develop and maintain secure systems and applications

4. Implement strong access control practices

  • limit access to cardholder data to only those who need to know
  • give every person with computer access a unique ID
  • limit physical access to cardholder data

5. Monitor and test your networks on a regular basis

  • track and monitor all access to your network resources and cardholder data
  • regularly test security systems and procedures

6. Keep an information security policy

  • always keep a policy that addresses your information security

The Payment Card Industry (PCI) Security Standard Council encourages businesses to comply with PCI DSS and become certified to help reduce financial risks from data compromises. However, it is the payment card schemes, eg MasterCard or Visa, that manage the actual compliance programme. 

Failure to be annually certified can become an issue if you have a security breach and your customers' card details are stolen.