Office of General Services

Payment Card Industry Data Security Standard (PCI DSS)

As credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the credit card industry has made an effort to ensure that sensitive cardholder information is protected.

In September 2006, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC) and established a set of rules for what they call PCI compliance. Which rules apply to a business depends on its size and the number of credit card transactions it handles; followed properly, they help protect consumer data from theft.
The Rules for PCI Compliance
The six major categories within the standards established by the PCI SSC are as follows:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Within these six categories are 12 requirements, each addressing a particular issue, that bear directly on web application security:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
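As an added illustration of requirements 3 and 10 (this is not code from the OGS page or from the PCI SSC), the following Python script shows one control a development team typically has to build: making sure that full card numbers never end up in application logs. It scans constructed sample log lines for digit runs that pass the Luhn checksum used by the card brands named above and replaces them with a masked form that keeps only the first six and last four digits. The log format, the field names and the card numbers are assumptions made for the example (the card numbers are the well-known 4111... and 5500... test values, not real accounts).

```python
import re

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated
# by single spaces or hyphens, not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every PAN issued by the major card brands carries this check digit, so a
    digit run that fails it is almost certainly an order number or timestamp
    rather than a card number.  Roughly one random digit run in ten passes by
    chance, so treat a hit as a strong hint, not proof.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the middle."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line; return (line, hits)."""
    hits = 0

    def _replace(match: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            hits += 1
            return mask_pan(digits)
        return match.group(0)     # not a card number: leave it untouched

    return PAN_CANDIDATE.sub(_replace, line), hits


def scrub_log(lines: list[str]) -> tuple[list[str], int]:
    """Scrub a whole log; the hit count is what a monitoring job would alert on."""
    scrubbed, total = [], 0
    for line in lines:
        clean, hits = scrub_line(line)
        scrubbed.append(clean)
        total += hits
    return scrubbed, total


# Constructed sample log lines for the example (hypothetical format).
LOG_LINES = [
    "2024-01-01T12:00:00Z INFO checkout ok card=4111 1111 1111 1111 order=1234567890123",
    "2024-01-01T12:00:05Z WARN gateway retry card=5500000000000004",
    "2024-01-01T12:00:09Z INFO health ping id=98765",
]

if __name__ == "__main__":
    cleaned, found = scrub_log(LOG_LINES)
    for entry in cleaned:
        print(entry)
    print(f"unmasked card numbers found: {found}")
```

Any non-zero hit count from a job like this is itself a finding under requirement 10: it means an application wrote a full PAN to a log, and the source should be fixed rather than relying on the scrubber.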

Each requirement for PCI compliance is broken up into a variety of subsections that go into detail about the process, and the full list can be viewed at
New York State Agencies must meet the PCI compliance standards
Based on the number of card transactions handled, NYS agencies must file the PCI DSS Self-Assessment Questionnaire annually and, if they use Internet/Web applications to accept payments, have their Web site scanned by an approved outside vendor at least quarterly. The links above will give you information, a copy of the Self-Assessment Questionnaire, and links to approved outside security scanning vendors. The scanning costs are nominal and range from $150 to $500 annually.