One of the "Gold Standards" of the financial industry, the PCI-DSS standard applies to any IT systems that deal with credit cards.
There are 12 requirements, divided into 6 control objectives:
- Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications
- Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
- Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes
- Maintain an information security policy 12. Maintain a policy that addresses information security