PCI DSS Requirements

PCI DSS Requirement 4 Explained

Sensitive information must be encrypted during transmission over networks that are easily accessible to malicious individuals.

PCI DSS Requirement 3 Explained

Security mechanisms like encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an attacker circumvents other security checks and gains access to encrypted data but does not have the correct cryptographic keys, the data will be unreadable and unusable to that individual.

PCI DSS Requirement 2 Explained

External and internal malicious individuals often use default vendor passwords and other default vendor settings to compromise systems. These passwords and settings are well known to hacker groups and can be easily found through public information.

PCI DSS Requirement 1 Explained

Firewalls are devices that control computer traffic between an entity's internal network and untrusted external networks, as well as traffic to and from more sensitive areas within an entity's internal trusted networks.

PCI DSS Requirements

The PCI DSS requirements apply to all system components, including people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, included in or connected to the cardholder data environment.

What is PCI DSS and PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed in 2004 by Visa, MasterCard, JCB, Discover and American Express. The Security Program, which is governed by the Payment Card Industry Security Standards Council (PCI SSC), seeks to protect online and offline credit and debit card transactions from data theft and fraud.
