Complying with the PCI Data Security Standard
What do I have to do to make sure my application security complies with the PCI Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) was developed jointly by Visa and MasterCard, unifying their earlier CISP and SDP programs, and has since been adopted by the other major card brands. PCI DSS defines a set of requirements for how cardholder data is to be stored, processed and transmitted, and how compliance with those requirements is to be validated. Among other things, it requires merchants to have their public-facing networks and Web sites scanned for vulnerabilities every three months by an Approved Scanning Vendor (ASV). Passing those scans, together with the annual validation described below, is what lets merchants and the card brands state that no known high-severity vulnerabilities were found at the time of testing; it does not guarantee that none exist, so compliance should be treated as a baseline rather than as proof that an application is secure.
What you have to do depends on your merchant level, which each card brand sets by annual transaction volume (the figures below are Visa's; confirm your level with your acquiring bank). If you're a Level 1 merchant (more than 6 million card transactions per year), you need an annual on-site security assessment performed by an approved assessor and quarterly network scans performed by an Approved Scanning Vendor. If you're a Level 2 or Level 3 merchant (between 20,000 and 6 million e-commerce transactions per year), you need to complete the annual Self-Assessment Questionnaire and have quarterly network scans performed by an Approved Scanning Vendor. In every case the underlying obligation is the same: the PCI DSS requirements themselves apply to any merchant that stores, processes or transmits cardholder data; the level only changes how you have to prove it.
This was first published in January 2006