All businesses that accept credit and debit cards using an integrated payment application and/or e-commerce website should follow these general guidelines.
See Chapter 1 — Securing Sensitive Data, Additional Resources — for specific guidance.
- Do regularly monitor and test networks/systems that have payment card data.
- Do implement and enforce a company Information Security Policy.
- Do install a firewall that protects cardholder data stored within company systems, and keep it up to date.
- Do assign every employee with computer access a unique ID and a strong password (a mix of letters, numbers, and symbols) that is changed frequently (every 45-60 days); never share accounts between employees.
- Do restrict physical access to company systems and records with cardholder data to only those employees with a business “need-to-know.”
- Do encrypt cardholder data with strong cryptography (e.g., TLS) whenever it is transmitted over wireless or open, public networks.
- Do use and regularly update anti-virus software.
- Do keep company systems and applications secure: apply security patches to all computers promptly, and run a regular process for identifying and fixing system and application vulnerabilities.
- Do ensure any e-commerce payment solution is tested for, and protected against, programming vulnerabilities such as SQL injection before it goes live.
- Do use a Payment Application Data Security Standard (PA-DSS) compliant payment application listed on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/vpa/. (Note that PA-DSS has since been retired by the Council in favor of the PCI Software Security Framework, so newer applications are validated under that framework instead.)
- Do verify that any third-party service provider who handles cardholder data for you has validated PCI DSS compliance: ask for their current Attestation of Compliance (AOC) and check the PCI Security Standards Council website at www.pcisecuritystandards.org.
- Don't store sensitive authentication data after authorization: full magnetic stripe (track) data, the CVV2/CVC2 code (the additional security number on the back of credit cards), or PINs/PIN blocks.
- Don't use vendor-supplied or default system passwords or common/weak passwords.
- Don't store the primary account number (PAN) in any system in clear text (i.e., unencrypted); render it unreadable wherever it is stored (strong encryption, truncation, or tokenization) and mask it when displayed.
- Don't leave remote access applications in an "always on" mode; enable them only when needed and require multi-factor authentication for every remote session.
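The SQL injection test asked for above, as an added example that is not part of the original guide: a vulnerable lookup that builds its query by string formatting is shown beside the parameterized form, both run against a constructed in-memory SQLite table (the `orders` table, its columns and rows are made up for illustration). A classic tautology payload returns every row from the vulnerable version and nothing from the hardened one.

```python
"""Added example (not from the original guide): demonstrating SQL injection
against a constructed in-memory SQLite table, and the parameterized fix.
The table name, columns and sample rows are illustrative only."""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed order rows.
    Only the last four digits of each card number are stored, as the
    checklist requires; the full PAN never reaches this table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    """VULNERABLE: the customer name is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT id, customer, pan_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    """HARDENED: a bound parameter is always treated as data, never as SQL,
    so the same payload simply matches no customer."""
    sql = "SELECT id, customer, pan_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Classic tautology payload used as a test input (constructed).
PAYLOAD = "nobody' OR '1'='1"


def run_injection_test():
    """Run the same legitimate and malicious inputs through both lookups and
    report how many rows each returned."""
    conn = make_db()
    legit = lookup_vulnerable(conn, "alice")      # the intended single row
    dumped = lookup_vulnerable(conn, PAYLOAD)     # every row in the table
    safe = lookup_safe(conn, PAYLOAD)             # no rows: payload is just a name
    return {
        "legit": len(legit),
        "vulnerable_rows": len(dumped),
        "safe_rows": len(safe),
    }


if __name__ == "__main__":
    print(run_injection_test())
```

The same test belongs in the payment application's automated test suite: feed each user-controlled field a quote-bearing payload and fail the build if the result set grows. Parameterized queries (or an ORM that emits them) are the fix; escaping input by hand is not.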
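One way to check the two "don't store" items above in practice, as an added example that is not part of the original guide: a scanner that finds Luhn-valid card numbers in logs and files, which is where clear-text PANs usually end up by accident. The log lines below are constructed for the example; the regular expression and length bounds are a heuristic (real DLP tools add issuer prefix tables and context rules), so treat hits as leads to investigate, not proof.

```python
"""Added example (not from the original guide): scan text for clear-text
primary account numbers using a digit-run regex plus the Luhn check, and
report them masked so the report is not itself a new store of PANs.
The sample log below is constructed for illustration."""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not touching other digits on either side (so timestamps and order ids
# that happen to be shorter are ignored).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by
    payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid candidate in the text with separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Show at most the first six and last four digits (the PCI DSS display
    mask); everything in between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text):
    """Return (line number, masked PAN) for each finding, line by line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample: a debug logger that leaked full card data, plus a
# 16-digit tracking id that is not a card number (fails Luhn).
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=88213 customer=alice status=approved
2024-03-01 10:02:11 DEBUG raw_request pan=4111111111111111 exp=12/26
2024-03-01 10:03:45 DEBUG card 4242-4242-4242-4242 cvv=123
2024-03-01 10:04:02 INFO tracking id 1234567890123456 shipped
"""

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Run it over application logs, database dumps, backups and support mailboxes; any hit against a system that is not supposed to hold cardholder data means the data flow, not just the file, needs fixing. Lines 2 and 3 of the sample also carry an expiry date and a CVV next to the PAN, which is exactly the post-authorization storage the checklist forbids.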