PCI DSS Six Goals, Twelve Requirements

Goal #1: Build and Maintain a Secure Network and Systems

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

 

Goal #2: Protect Cardholder Data

• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

 

Goal #3: Maintain a Vulnerability Management Program

• Protect all systems against malware and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications

 

 Goal #4: Implement Strong Access Control Measures

• Restrict access to cardholder data by business need-to-know
• Identify and authenticate access to system components
• Restrict physical access to cardholder data

 

Goal #5: Regularly Monitor and Test Networks

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

 

Goal #6: Maintain an Information Security Policy

• Maintain a policy that addresses information security for all personnel

 

 

Compliance for each requirement applies to merchants based on Self-Assessment Questionnaire. Assessment of merchant's cardholder data environment is a procedural part of acquiring a Merchant ID (see Section on Merchant Identification Number). The university reporting requirements include the compiled SAQ of university merchants or the implementation of any software involved with the storage, processing, or transmitting of card-holder data as well as the Attestation of Compliance for the SAQ, annually.

The self-assessment questionnaire often referred to as the SAQ or sometimes called the "sack", is a validation tool for merchants self-evaluating their compliance with PCI DSS. There are different versions of the SAQ to meet different merchant environments.