The Payment Card Industry Data Security Standard (PCI DSS) is published by the Payment Card Industry Security Standards Council (PCI) to establish minimum security requirements for electronic payment transactions. PCI DSS defines four levels of accountability for merchants, determined by audit history and the volume of annual transactions. A summary of these levels is in the chart below.
Level 1 merchants must perform an annual internal audit (signed by an officer of the company) or have such an audit performed by a Qualified Security Assessor (QSA). Merchants at Levels 2 through 4 must complete an annual PCI DSS Self-Assessment Questionnaire. Merchants at all levels must submit to quarterly network scans by an Approved Scanning Vendor (ASV).
PCI DSS defines twelve security requirements grouped into six general categories. These are:
1. Install and maintain a firewall.
2. Do not use vendor default passwords and parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across public networks.
5. Use and update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data on a need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to networks and cardholder data.
11. Regularly test security systems and processes.
12. Maintain an information security policy for all employees and contractors.