Credit and Debit Card Processing For
Retail, Mail Order, eCommerce and Call Centres

email: web:www.eft-pos.com tel: +44 (0)1524 380881

Commidea logoOcius and business partner logo
Home Public Area User Area Developer Area Partners News Chip and Pin Products Contact
public > merchant

PCI Data Security

eft-pos echo logo


The purpose of the Payment Card Industry (PCI) Data Security Standard is to help merchants, payment processors and service providers improve their data security measures in order to safeguard cardholder account and transaction information. The PCI Data Security standard has been created from the rationalisation of Visa’s AIS and CISP programmes and Mastercard’s Site Data Protection (SDP) programme. The PCI Data Security Standard is a worldwide standard for cardholder data protection across the payment industry.


The PCI Data Security Standard lists 12 requirements that companies must satisfy and demonstrate compliance with. These are described below and expanded in the PDF.:

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data on a business need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors

Download / view the PCI Data Security Standard v1.1 September 2006 (PDF - 85K)


We strongly recommend that you implement systems and procedures to adhere to the PCI requirements. This will help you to protect your customers' information from the risk of fraud and increase your customer's confidence..

As well as protecting your customers, appropriate data security practices limit your exposure to risk and minimise the losses and operational expenses incurred from compromised cardholder account information. The financial and resource outlay to meet the PCI requirements is minimal compared with the costs associated with the reactive hiring of security and public relations specialists, or the loss of significant revenue and goodwill that can result from a security compromise.

The PCI Data Security standard gives you a framework to work to and will help you in implementing security processes within your organisation for the protection of all data not just that related to card transactions and cardholder data. In addition it will provide you with greater awareness of security measures and preventative options available.

For further information and formal programmes from Visa and Mastercard that give more detail on implementing and demonstrating conformance to the standards please see the following:

The Visa Account Information (AIS) Security Programme

The Mastercard Site Data Protection (SDP) Programme

If you are developing online shopping carts or any other web based programs that utilise customer details and online credit and debit card processing then you should also look at the following for help and advice regarding developing secure software.

The Open Web Application Security Project





Subscribe to EFT-POS mailing list

Chip and Pin - Ocius for PCs PinPad Solution

Payment Card Industry - Data Security Standard

XML Card Processing interface for web and applications

Advice for people wanting to start accepting cards