A PCI compliance assessment is done once a year by an external auditor. As part of the audit, the auditor reviews the company's environment, network, processes and business procedures to see how credit card related data is transmitted or stored, and compares what is found against the PCI DSS requirements.

The following are the very high level requirements that the company needs to meet in order to achieve PCI compliance.
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data (typically encryption).
4. Encrypt transmission of cardholder data across public networks.
5. Anti-virus software, set up to prevent virus attacks.
6. Develop and maintain secure systems and applications (Software Development).
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access (Passwords).
9. Restrict physical access to cardholder data (Physical Security / Backups).
10. Log events for audit and tracking purposes.
11. Security testing, generally done with penetration testing software to find vulnerabilities.
12. Information Security Policy and other policies.