The PCI DSS specifies and elaborates on the following major objectives:
A Secure Network
A secure network must be maintained in which transactions can be conducted. This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialised firewalls are available for wireless LANs, which are highly vulnerable to eavesdropping and attacks by malicious hackers. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors. Customers should be able to change such data conveniently and frequently.
Protected Systems
Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programmes, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder/account data could be stolen or altered. Patches offered by software and operating system (OS) vendors should be installed regularly to ensure the highest possible level of vulnerability management.
Control Access to System Information
Access to system information and operations should be restricted and controlled. Cardholders/account holders should not have to provide information to businesses unless those businesses must know that information to protect themselves and carry out a transaction effectively. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder/account holder data should be protected physically as well as electronically. Examples include the use of document shredders, avoidance of unnecessary paper document duplication, and locks and chains on dumpsters to discourage criminals who would otherwise rummage through the rubbish.
Monitored Networks
Networks must be monitored constantly and tested regularly to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. For example, anti-virus and anti-spyware programmes should be provided with the latest definitions and signatures. These programmes should scan all exchanged data, all applications, all random access memory (RAM) and all storage media frequently if not continuously.
Security Policy
A formal information security policy must be defined, maintained and followed at all times and by all participating entities.