Payment Card Industry, dealing with the mandated security for passing around or storing credit and debit card information.
The Payment Card Industry (often abbreviated as PCI) is the group of companies that publishes the formal PCI Data Security Standard (PCI DSS).
The standard mandates requirements on the architecture, administration, and roles used when developing and operating software that handles payment card data; the individual requirements are listed in the PCI DSS.
These cover the frequency of software patching, development practices, access to systems, the encryption required, and the roles a given individual is allowed to hold.
At a high level, these are summarized as:
* Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
* Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
* Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
* Implement Strong Access Control Measures
  7. Restrict access to cardholder data
  8. Assign a unique ID to each person
  9. Restrict physical access to cardholder data
* Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and data
  11. Regularly test security systems and processes
* Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

The above list is taken from the PCI DSS Requirements and Security Assessment Procedures, v2.0.
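Requirement 3 ("Protect stored cardholder data") is the one developers most often get wrong in code, so here is an added example of what it means in practice; it is not part of the tag wiki or of the PCI DSS itself. It applies two rules from requirement 3 of PCI DSS v2.0: sensitive authentication data (full track data, card verification codes, PINs) must not be stored after authorization (3.2), and a PAN that is displayed is masked to at most the first six and last four digits (3.3). The field names in the record, and the record itself, are assumptions constructed for the example; 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re

# Field names this example treats as sensitive authentication data (PCI DSS 3.2):
# never persisted after authorization. The names are an assumption for the example;
# a real system would map them from its own payment schema.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "cvc", "cvv2", "cid", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn check: a cheap sanity test that a digit string is shaped like a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the maximum PCI DSS 3.3 allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of an authorized transaction record that is safe to persist:
    sensitive authentication data is dropped and the PAN is replaced by its masked form."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_DATA:
            continue                      # 3.2: do not store SAD after authorization
        if k == "pan":
            out[key] = mask_pan(value)    # 3.3: keep only a masked/truncated PAN
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample record; the PAN is a well-known test number.
    txn = {"pan": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/29", "name": "Test Cardholder"}
    print(luhn_valid(txn["pan"]))          # True
    print(sanitize_for_storage(txn))       # cvv2 gone, pan masked to 411111******1111
```

Storing only the masked PAN sidesteps requirement 3.4 (rendering a stored PAN unreadable) entirely; if the full PAN genuinely has to be retained, it must additionally be encrypted, hashed, tokenized or truncated as 3.4 describes, which this example does not attempt.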
As developers, requirements 6 (development practices) and 7 (roles and responsibilities for access) tend to be the ones of most interest.
Many of these are security issues, and the pci-dss tag on Security.StackExchange has a significant amount of information.