7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly monitor and test networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an information security policy
12: Maintain a policy that addresses information security for employees and contractors
There are three stages that every merchant or provider must go through to become compliant. First, they must secure the collection of all log data and ensure that it is kept in tamper-proof storage and is readily available for analysis. Second, companies must be able to prove on the spot, if audited and asked for evidence, that controls for protecting data are in place. Third, they must have systems in place, such as automatic alerting, that help administrators continuously monitor access to and usage of data. These systems must give administrators immediate warning of problems and allow them to respond rapidly. The same systems should also cover the log data itself – there must be proof that log data is actually being collected and stored.
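The first and third stages above (tamper-proof log storage, plus evidence that collection never silently stopped) can be illustrated with a small hash-chained log store. The following is an added example written for this page, not code from the standard or from any PCI tool: each record embeds the SHA-256 of the previous record, so editing, deleting or reordering an entry breaks the chain from that point on, and the verifier also flags any gap between entries longer than an expected collection interval. Hash chaining is one common way to get tamper evidence; PCI DSS itself does not prescribe this mechanism. The access-log lines and the `max_gap` interval are constructed for the demo.

```python
"""Tamper-evident log storage with a hash chain (added example).

Each stored record carries the SHA-256 of the previous record, so editing,
deleting or reordering any entry breaks every hash that follows it. The
verifier also checks that log collection never stopped for longer than an
expected interval. Sample log lines below are constructed for this demo.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # hypothetical anchor value for the first record


def _digest(prev_hash: str, ts: int, message: str) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = json.dumps({"prev": prev_hash, "ts": ts, "msg": message},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(chain: List[Dict], ts: int, message: str) -> Dict:
    """Append a record linked to the previous one and return it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev_hash, "ts": ts, "msg": message,
              "hash": _digest(prev_hash, ts, message)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], max_gap: int) -> Optional[str]:
    """Return None if the chain is intact and gap-free, else a reason string."""
    expected_prev = GENESIS
    last_ts = None
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev:
            return f"record {i}: broken link (missing or reordered entry)"
        if _digest(rec["prev"], rec["ts"], rec["msg"]) != rec["hash"]:
            return f"record {i}: content does not match stored hash"
        if last_ts is not None and rec["ts"] < last_ts:
            return f"record {i}: timestamp goes backwards"
        if last_ts is not None and rec["ts"] - last_ts > max_gap:
            return f"record {i}: collection gap of {rec['ts'] - last_ts}s"
        last_ts = rec["ts"]
        expected_prev = rec["hash"]
    return None


# Constructed sample: access events as a cardholder-data environment might log them.
SAMPLE_EVENTS = [
    (1000, "user=alice action=login src=10.0.0.5 result=success"),
    (1030, "user=alice action=read object=cardholder_db rows=12"),
    (1060, "user=bob action=login src=10.0.0.9 result=failure"),
    (1090, "user=bob action=login src=10.0.0.9 result=failure"),
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for ts, msg in SAMPLE_EVENTS:
        append_record(chain, ts, msg)
    return chain


def demo() -> Dict[str, Optional[str]]:
    """Run the verifier against an intact chain and three failure scenarios."""
    results: Dict[str, Optional[str]] = {}
    chain = build_sample_chain()
    results["intact"] = verify_chain(chain, max_gap=60)

    # Edit: a record is rewritten to hide a read of cardholder data.
    tampered = [dict(r) for r in chain]
    tampered[1]["msg"] = "user=alice action=read object=public_docs rows=12"
    results["edited"] = verify_chain(tampered, max_gap=60)

    # Deletion: one of the failed-login records is dropped.
    deleted = chain[:2] + chain[3:]
    results["deleted"] = verify_chain(deleted, max_gap=60)

    # Collection outage: nothing stored for far longer than the expected interval.
    gap = build_sample_chain()
    append_record(gap, 5000, "user=carol action=login src=10.0.0.7 result=success")
    results["gap"] = verify_chain(gap, max_gap=60)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s}: {outcome or 'OK'}")
```

In a real deployment the latest chain hash would be periodically written to a location the log host cannot modify (for example a separate system or write-once media), because a hash chain that lives only alongside the logs can be rebuilt by whoever controls that host; the chain detects tampering, the externally anchored hash is what proves it.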
The requirements make a clear distinction between merchants and service providers and what each must do to become compliant. All merchants that accept payment card transactions are categorized into four levels, determined by their number of annual transactions:
- Level 1: Merchants with more than 6 million card transactions, and merchants whose cardholder data has been compromised.
- Level 2: Merchants with between 1 and 6 million card transactions.
- Level 3: Merchants with between 20,000 and 1 million card transactions.
- Level 4: All other merchants.
Service providers, which include payment gateways, e-commerce hosting providers, credit reporting agencies and paper shredding companies, are categorized into three levels:
- Level 1: All payment processors and payment gateways.
- Level 2: All service providers not in Level 1 but with more than 1 million credit card accounts or transactions.
- Level 3: Service providers not in Level 1, with fewer than 1 million annual credit card accounts or transactions.