Commonwealth of Massachusetts
Office of the State Comptroller
March 2007
What is PCI DSS?
• Mandatory compliance program resulting from a collaboration between the credit card associations to create common industry security requirements for cardholder data.
More about PCI compliance…
• Common set of industry tools and measurements to ensure safe handling of sensitive information.
• Actionable framework for developing a robust account data security process, including preventing, detecting, and reacting to security incidents.
• Technical requirements for secure storage, processing, and transmission of cardholder data.
• Common auditing and scanning procedures.
Who has to worry about it?
• If you transact credit card business, you have to worry about it.
• Merchants and third party providers who process, transmit, or store cardholder data are required to adhere to certain data security standards.
• Applies to credit card business transacted over all payment channels (POS, mail, IVR, and e-commerce).
Who are the stakeholders?
• Credit card industry – Founders of the PCI Security Standards Council are the Visa, Mastercard, Amex, Discover, and JCB brands.
• Acquiring banks/member banks – must require PCI compliance from merchants and service providers doing credit card business.
• Merchants and service providers – must be PCI compliant, regardless of channel.
• Our customers.
PCI DSS: Covers 6 Areas/12 Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
For more information:
• See https://www.pcisecuritystandards.org/index.htm and http://www.pcicomplianceguide.org for general information.
• Check out the self-assessment questionnaire at https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf to assess the level of effort and resources needed to remediate problems and achieve compliance.
• See http://usa.visa.com and the Visa Cardholder Information Security Program (CISP) links.
• See http://www.mastercard.com/us/sdp/assets/pdf/SDP_Presentation.pdf for Mastercard Site Data Protection (SDP) information.
• Stay tuned for updates on RFR progress.