PCI DSS Requirements

The Payment Card Industry Data Security Standard (PCI DSS) outlines the requirements for all merchants, banks and payment processors that handle payment card data. The following outlines the basic requirements of PCI DSS. Please note that many of the requirements below are met by Credit Card Operations and are NOT the responsibility of individual departments accepting credit card payments.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

The PCI standard requires all merchants to complete a Self Assessment Questionnaire (SAQ) every year. All departments accepting payment card information will complete an anuual SAQ as part of the audit process. The departmental SAQ will be online and departments will be notified via email the annual due date of completion.