The payment card industry (PCI) has declared war on credit card fraud. All merchants and service providers that store, process, or transmit cardholder data must comply with 12 core requirements.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
A firewall is a software and/or hardware system, or a combination of systems, that secures a network by protecting it from access by unauthorized users inside or outside the network.
In addition, small business computers that interact with credit card data must also have a third-party firewall installed. The Windows Firewall is not adequate. Contact third-party vendors such as Zone Alarm, Norton Utilities, or McAfee.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Keep cardholder data storage to a minimum. The cardholder's credit card number, name, and expiration date can be stored. The full magnetic stripe data and security code (CVV2) CANNOT.
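As an added example (not part of the original article), the storage rule above can be enforced in code: keep only the elements the text lists as storable, refuse a record that still carries the security code or track data, and scan free text such as logs or dumps for prohibited data that has leaked into it. The field names, the regular expressions for track data, and the sample record and log lines are assumptions constructed for this example.

```python
"""Added example (not from the PCI article): a storage gate for cardholder
records that keeps only the elements the text lists as storable and refuses
the ones it lists as prohibited, plus a scanner that finds prohibited data
that has leaked into free text such as logs or database dumps.
Field names and the sample data are constructed for this example."""
import re

# Elements the article says may be stored.
ALLOWED_FIELDS = {"pan", "cardholder_name", "expiry"}
# Elements the article says must never be stored.
PROHIBITED_FIELDS = {"cvv2", "track1", "track2"}

# Magnetic stripe track data has a recognisable shape (assumed layout):
#   track 1: %B<PAN>^<NAME>^<YYMM>...?    track 2: ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# A 3-4 digit value labelled as a security code.
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid)\b\s*[:=]?\s*(\d{3,4})\b")


def gate_for_storage(record):
    """Return a copy containing only allowed fields, or raise if a prohibited
    field is present and non-empty (the caller must not persist the record)."""
    leaked = sorted(f for f in PROHIBITED_FIELDS if record.get(f))
    if leaked:
        raise ValueError(f"refusing to store prohibited elements: {leaked}")
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def mask_pan(pan):
    """Display form: first six and last four digits, the rest masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_prohibited_data(text):
    """Scan free text (a log file, a dump) for track data or security codes
    and report what kind was found at which offset, never the value itself."""
    findings = []
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE), ("cvv2", CVV_RE)):
        for m in pattern.finditer(text):
            findings.append((kind, m.start()))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample data for the example (test PAN, fictitious values).
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A CARDHOLDER",
    "expiry": "2612",
    "cvv2": "123",
}

SAMPLE_LOG = (
    "2024-05-01 10:02:11 pos01 sale ok amount=19.99\n"
    "2024-05-01 10:02:11 pos01 swipe raw=%B4111111111111111^CARDHOLDER/A^2612101? "
    ";4111111111111111=26121011234?\n"
    "2024-05-01 10:03:40 pos01 keyed cvv2=123 amount=5.00\n"
)

if __name__ == "__main__":
    try:
        gate_for_storage(SAMPLE_RECORD)
    except ValueError as e:
        print("blocked:", e)
    print(gate_for_storage({k: v for k, v in SAMPLE_RECORD.items() if k != "cvv2"}))
    print(mask_pan(SAMPLE_RECORD["pan"]))
    print(find_prohibited_data(SAMPLE_LOG))
```

The scanner reports only the kind of data and its offset, so its own output does not become another copy of the prohibited data; run it over point-of-sale logs and database exports, where swipe data and keyed-in security codes most often end up by accident.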
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
You must use strong cryptography and security protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and Internet Protocol Security (IPsec) to safeguard sensitive cardholder data during transmission over open, public networks such as the Internet or wireless networks.
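As an added example (not from the article), the following Python shows what "strong cryptography and security protocols" looks like on the client side of a transmission: a TLS context with certificate and hostname verification on and a floor of TLS 1.2, a check that refuses any endpoint that is not https, and a check of an already negotiated session against the same policy. The hostnames, cipher names and the policy thresholds are assumptions for this example.

```python
"""Added example (not from the PCI article): a client-side TLS policy for
sending cardholder data over a public network. Builds an ssl.SSLContext that
refuses SSLv3/TLS 1.0/TLS 1.1, requires certificate verification and hostname
checking, and checks a URL and a negotiated session against the same policy.
Hostnames, cipher names and thresholds are constructed for this example."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Protocol versions considered strong; everything else is rejected.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings of cipher names that mark a weak or unauthenticated suite.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "anon")


def make_client_context():
    """Context with the platform trust store, certificate and hostname
    verification on, and a TLS 1.2 floor (older protocols fail the handshake)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx):
    """True if a context enforces the policy make_client_context() sets."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def endpoint_allowed(url):
    """Cardholder data may only go to https:// endpoints; plain http, or
    anything else, is refused before a connection is even attempted."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def session_meets_policy(version, cipher):
    """Check a negotiated session (sock.version(), sock.cipher()[0]) against
    the policy: accepted protocol version and no weak cipher suite."""
    if version not in ACCEPTED_VERSIONS:
        return False
    return not any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def open_verified_connection(host, port=443):
    """Open a socket, wrap it with the hardened context (the handshake fails
    on an old protocol or an unverifiable certificate) and return the
    negotiated version and cipher name. Requires network access."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Usage: python tls_policy.py https://gateway.example/charge
    url = sys.argv[1] if len(sys.argv) > 1 else "http://gateway.example/charge"
    if not endpoint_allowed(url):
        sys.exit(f"refusing plaintext transmission to {url}")
    version, cipher = open_verified_connection(urlsplit(url).hostname)
    print(version, cipher, "policy ok" if session_meets_policy(version, cipher) else "policy FAIL")
```

The important design choice is that the floor and the verification settings live in one function every sender uses, so a single outbound path cannot quietly fall back to an older protocol or skip certificate checks; the session check is what you would log for Requirement 10 so the negotiated protocol and cipher are on record for each transmission.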
Requirement 5: Use and regularly update anti-virus software or programs.
In addition to maintaining current releases of anti-virus software, implement sound email policies against opening spam mail or unknown attachments, which can conceal malicious code.
Requirement 6: Develop and maintain secure systems and applications.
One of the sub-points of this PCI requirement mandates that merchants keep their networks and systems current by installing all security patches as they are released by software and hardware vendors.
Microsoft routinely sends out security updates electronically, indicated by an icon in the system tray. All updates must be installed immediately.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Merchants must limit access to cardholder data to only those individuals whose job requires such access.
Requirement 8: Assign a unique ID to each person with computer access.
This requirement mandates that every user with access to your network be known and authorized with a unique user name and password or other authenticating ID such as an electronic thumbprint.
Requirement 9: Restrict physical access to cardholder data.
Cameras should be installed to monitor sensitive areas, with audits that correlate camera data with other entry records. For example, employee X used a card key to enter the data center. Camera data verifies that only employee X entered at that time.
If you operate a non-retail business, visitors need to be checked in and out of the building in a log book that is kept for at least three months, unless restricted by law. They must be provided with a badge or wearable temporary access card that makes them easily distinguishable to all personnel.
Strict controls are required on the storage of paper and electronic media, computers, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes that contain cardholder data.
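The card-key-versus-camera audit described above, worked through as an added example that is not part of the original article: badge-reader events are paired with camera observations at the same door within a short window, and the audit flags a badge entry nobody was seen making, an entry seen on camera with no badge (a tailgater or a forced door), an extra person entering on someone else's badge, and a badge used by a person the camera did not recognise. The event formats, employee IDs, door names and the 30-second window are assumptions constructed for this example.

```python
"""Added example (not from the PCI article): correlating badge-reader events
with camera observations at a data-center door, as the article describes
(employee X badged in; the camera should show exactly X entering).
Event formats, IDs, door names and the window are constructed."""
from datetime import datetime, timedelta

# Constructed badge reader log: (timestamp, badge holder, door, result)
BADGE_EVENTS = [
    (datetime(2024, 5, 1, 8, 0, 5), "emp-0017", "dc-door-1", "granted"),
    (datetime(2024, 5, 1, 8, 31, 0), "emp-0042", "dc-door-1", "granted"),
    (datetime(2024, 5, 1, 9, 10, 0), "emp-0099", "dc-door-1", "denied"),
    (datetime(2024, 5, 1, 12, 0, 0), "emp-0017", "dc-door-1", "granted"),
]

# Constructed camera analytics log: (timestamp, door, people seen entering)
CAMERA_EVENTS = [
    (datetime(2024, 5, 1, 8, 0, 9), "dc-door-1", ["emp-0017"]),
    (datetime(2024, 5, 1, 8, 31, 4), "dc-door-1", ["emp-0042", "unknown"]),
    (datetime(2024, 5, 1, 10, 45, 0), "dc-door-1", ["emp-0099"]),
]

# Badge swipe and camera sighting are treated as the same entry if this close.
WINDOW = timedelta(seconds=30)


def correlate(badge_events, camera_events, window=WINDOW):
    """Pair each granted badge entry with the nearest unmatched camera sighting
    at the same door within `window`; return (kind, detail) findings."""
    findings = []
    unmatched_cam = list(camera_events)
    for ts, holder, door, result in badge_events:
        if result != "granted":
            continue  # a denied swipe opens no door; nothing to reconcile
        match = None
        for cam in unmatched_cam:
            cts, cdoor, _seen = cam
            if cdoor == door and abs(cts - ts) <= window:
                match = cam
                break
        if match is None:
            findings.append(("no_camera_record",
                             f"{holder} badged {door} at {ts:%H:%M:%S}, nobody seen"))
            continue
        unmatched_cam.remove(match)
        seen = match[2]
        if seen == [holder]:
            continue  # exactly the badge holder entered: the expected case
        if holder not in seen:
            findings.append(("identity_mismatch",
                             f"{holder} badged, camera saw {seen}"))
        else:
            extra = [p for p in seen if p != holder]
            findings.append(("tailgating",
                             f"{holder} badged, extra entrants {extra}"))
    # Every sighting left over is an entry no badge accounts for.
    for cts, cdoor, seen in unmatched_cam:
        findings.append(("entry_without_badge",
                         f"{seen} seen at {cdoor} {cts:%H:%M:%S} with no badge"))
    return findings


def finding_kinds(badge_events=BADGE_EVENTS, camera_events=CAMERA_EVENTS):
    """Just the kinds, in order, for quick review or alerting."""
    return [kind for kind, _ in correlate(badge_events, camera_events)]


if __name__ == "__main__":
    for kind, detail in correlate(BADGE_EVENTS, CAMERA_EVENTS):
        print(f"{kind:20} {detail}")
```

In the constructed data the 08:00 entry reconciles cleanly, the 08:31 entry shows a second person following the badge holder in, the 12:00 swipe has no matching sighting, and a person whose badge was denied at 09:10 is seen entering at 10:45 with no swipe at all. Each of those is the kind of discrepancy the audit exists to surface; reviewing them against the visitor log book closes the loop for escorted visitors.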
Requirement 10: Track and monitor all access to network resources and cardholder data.
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.
Tracking logs should be able to piece together every single action taken by anyone on the network and be saved for at least one year.
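As an added example (not from the article), the following Python does what the paragraph asks of logs: it reads entries from three differently formatted sources, normalises them into one timeline keyed by the unique user ID from Requirement 8, and reconstructs everything one user did across the firewall, the application and the database. It also answers the retention question by listing which archived logs are old enough to purge under the one-year minimum. The log formats, hostnames, user names and sample lines are assumptions constructed for this example.

```python
"""Added example (not from the PCI article): reconstructing one user's actions
across several systems' logs and applying the one-year retention minimum.
Log formats, hostnames, user names and sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Three constructed sources, each with its own format.
FIREWALL_LOG = """\
2024-05-01T09:00:02Z fw01 ACCEPT user=jsmith src=10.1.2.3 dst=10.9.0.5 dport=5432
2024-05-01T09:20:10Z fw01 DROP user=jsmith src=10.1.2.3 dst=203.0.113.7 dport=22
"""
APP_LOG = """\
[2024-05-01 09:01:15] app01 login ok user=jsmith ip=10.1.2.3
[2024-05-01 09:05:40] app01 export orders user=jsmith rows=12000
[2024-05-01 09:02:00] app01 login ok user=mlee ip=10.1.2.9
"""
DB_LOG = """\
2024-05-01 09:05:41 UTC db01 jsmith SELECT card_number FROM payments
2024-05-01 09:06:02 UTC db01 jsmith COPY payments TO '/tmp/out.csv'
"""

# One parser per format; every parser yields the same normalised tuple.
FW_RE = re.compile(r"^(\S+)Z (\S+) (\S+) user=(\S+) (.*)$")
APP_RE = re.compile(r"^\[(\S+ \S+)\] (\S+) (.+?) user=(\S+)(.*)$")
DB_RE = re.compile(r"^(\S+ \S+) UTC (\S+) (\S+) (.+)$")


def parse_all():
    """Return every event as (timestamp, host, user, action), oldest first."""
    events = []
    for line in FIREWALL_LOG.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(4), f"{m.group(3)} {m.group(5)}"))
    for line in APP_LOG.splitlines():
        m = APP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(4), (m.group(3) + m.group(5)).strip()))
    for line in DB_LOG.splitlines():
        m = DB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def timeline_for(user):
    """Every action attributed to one unique user ID, across all sources."""
    return [e for e in parse_all() if e[2] == user]


def eligible_for_purge(archive_dates, today, minimum_days=365):
    """Given ISO dates of the newest entry in each archived log file, return
    the files old enough to delete; anything younger must be kept."""
    now = datetime.strptime(today, "%Y-%m-%d")
    keep_for = timedelta(days=minimum_days)
    return [d for d in archive_dates
            if now - datetime.strptime(d, "%Y-%m-%d") >= keep_for]


if __name__ == "__main__":
    for ts, host, user, action in timeline_for("jsmith"):
        print(f"{ts:%H:%M:%S} {host:6} {user:8} {action}")
    print("purgeable:", eligible_for_purge(["2023-04-01", "2023-12-01"], "2024-05-01"))
```

Because every source is attributed to the same unique user ID, the timeline reads as a single story (a firewall-permitted database connection, a login, a large export, queries against the payments table, a file copy, then a blocked outbound SSH attempt). That attribution is exactly what shared or generic accounts destroy, which is why Requirement 8 and Requirement 10 depend on each other.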
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security.