The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
The PCI DSS specifies and elaborates on six major goals, including:
1. A secure network must be maintained in which transactions can be conducted.
2. Cardholder information must be protected wherever it is stored.
3. Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions.
4. Access to system information and operations should be restricted and controlled.
5. Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place.
6. A formal information security policy must be defined, maintained, and followed at all times and by all participating entities.
A hotel chain reported that the payment systems in 3 of its locations had been infected with malware. Forensic investigations following the breach concluded that the hotel chain’s point-of-sale terminals at the 3 locations had been compromised resulting in the theft of sensitive cardholder data when payment cards were swiped through the card reader.
Assessments were levied against the hotel chain by credit card companies for failure to maintain proper security controls as required by the Payment Card Industry Data Security Standard.