PCI-DSS - Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI-DSS) defines the requirements for securely processing, storing, or transmitting payment card account data. It was established by the leading payment card brands and is maintained by the PCI Security Standards Council (PCI SSC).

PCI-DSS defines the following compliance levels, based on annual transaction volume:
  • Level 1: Merchants or Service Providers processing over 6 million card transactions annually.
  • Level 2: Merchants or Service Providers processing 1 to 6 million transactions annually.
  • Level 3: Merchants or Service Providers processing 20,000 to 1 million transactions annually.
  • Level 4: Merchants or Service Providers processing fewer than 20,000 transactions annually.
PCI-DSS Requirements
Build And Maintain A Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain A Vulnerability Management Program
  • Use and regularly update anti-virus software on all systems commonly affected by malware
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
Regularly Monitor And Test Network
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain An Information Security Policy
  • Maintain a policy that addresses information security


PCI Council Guidance on BAU
Monitoring of security controls
  • Firewalls
  • File Integrity Monitoring (FIM)
  • Anti-Virus
Periodic Review
  • Configuration
  • Physical security
  • Patches and Anti-Virus
  • Audit logs
  • Access rights
Review changes to the environment
  • Addition of new systems
  • Changes to organizational structure
  • Impact of the change on PCI DSS scope
  • Requirements applicable to the new scope
  • Implementation of any additional security controls required because of the change
  • Confirmation that new (and existing) hardware and software continue to be supported and do not impact compliance
Ensuring failures in security controls are detected and responded to
  • Restoring the security control
  • Identifying the root cause
  • Identifying any security issues because of the failure
  • Mitigation
  • Resume monitoring of security control
  • Segregation of duties between detective and preventive controls


PCI DSS Roadmap

Visit the following sections for more information on the next steps for getting certified by INTERCERT.