PCI-DSS compliance and email security

Written by Dan Blacharski on May 18, 2009 – 4:31 pm

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements that grew out of a VISA USA program and is now accepted by all the major credit card processors. Its purpose is to protect cardholder data wherever it resides and to prevent identity theft. Any company that processes credit card data must comply.

According to the PCI Security Standards Council, there are 12 broad requirements for compliance:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Of course, not all of these are relevant to the email admin, but some of them are. The PCI-DSS requirements state that they apply to “all system components,” meaning any network component, server, or application that is connected to cardholder data in any way. That scope includes email servers, and the applications that run on them, including data protection, anti-virus, and anti-spam software.
