All businesses that accept credit and debit cards using an integrated payment application and/or e-commerce website should follow these general guidelines.
See Chapter 1 — Securing Sensitive Data, Additional Resources — for specific guidance.
Do regularly monitor and test networks/systems that have payment card data.
Do implement and enforce a company Information Security Policy.
Do install, and keep up to date, a firewall that protects cardholder data stored within company systems.
Do assign every employee with computer access a unique ID and use a robust password (e.g., mix of letters, numbers, and symbols), which is changed frequently (every 45-60 days).
Do restrict physical access to company systems and records with cardholder data to only those employees with a business “need-to-know.”
Do encrypt cardholder data if transmitting it over wireless or open, public networks.
Do use and regularly update anti-virus software.
Do have secure company systems and applications (e.g., good and frequent process to update all computers with necessary patches, process for identifying system/application vulnerabilities, etc.).
Do ensure any e-commerce payment solutions are tested to prevent programming vulnerabilities like SQL injection.
Do use a Payment Application Data Security Standard (PA-DSS) compliant payment application listed on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/vpa/.
Do verify that any third party service provider you use who handles cardholder data has validated PCI DSS compliance by visiting the PCI Security Standards Council website at www.pcisecuritystandards.org.
Don’t store magnetic stripe cardholder data or the CVV or CVC code (the additional security number on the back of credit cards) after authorization.
Don’t use vendor-supplied or default system passwords or common/weak passwords.
Don’t store cardholder data in any systems in clear text (i.e., unencrypted).
Don’t leave remote access applications in an “always on” mode.