Billing: PCI Compliance

A summary of the key PCI Requirements

The PCI Security Standards Council touches the lives of hundreds of millions of people worldwide. A global organisation, it maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe.

PCI serves those who work with and are associated with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.

There are two priorities work PCI does:

• Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.

• Helping vendors understand and implement standards for creating secure payment solutions.

The Prioritised Approach

“The Prioritised Approach” provides six security milestones that guide merchants and other organisations to incrementally protect against the highest risk factors and escalating threats while making progress toward their overall PCI DSS compliance.

1. Remove sensitive authentication data and limit data retention — This milestone targets key risk areas for those who have been compromised — if you don’t need it, don’t store it.

2. Protect systems and networks — Be prepared to respond to a system breach — this milestone targets points of access to most compromises, and response processes.

3. Secure payment card applications — Controls for applications, application processes, and application servers have been shown to be easy prey when weaknesses exist.

4. Monitor and control access to your systems — This milestone provides controls to allow you to detect the who, what, when, and how of who is accessing your network and cardholder data environment. A blind spot for many who have been compromised.

5. Protect stored cardholder data — If you must store Primary Account Numbers (PAN), this milestone targets key protection mechanisms for that stored data.

6. Finalise remaining compliance efforts and ensure all controls are in place.