AuditXYZ

Lesson 2 of 5

The 12 PCI DSS Requirements Explained

15 min read | Intermediate

The 12 PCI DSS Requirements

PCI DSS is organized into six goals containing 12 requirements. Each requirement has detailed sub-requirements and testing procedures. Understanding the structure helps you plan your compliance program effectively.

Build and Maintain a Secure Network

Requirement 1: Install and maintain network security controls. Implement firewalls and network security controls to protect the cardholder data environment. Define and enforce rules governing traffic flow between trusted and untrusted networks.
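The traffic rules Requirement 1 asks for are only useful if they are reviewed against the policy they are meant to enforce. The following is an added example, not code from this course or from the PCI SSC: a small linter that checks a constructed ruleset (the dictionary format, the sample addresses and the `10.10.0.0/24` CDE range are all assumptions) for three common findings: an allow rule from an untrusted network into the CDE, a CDE egress rule to anywhere, an allow rule with no documented business justification, plus a missing final default-deny.

```python
import ipaddress

# Assumption: internal address space counts as trusted; anything outside it
# (including 0.0.0.0/0, "any") is untrusted. Adjust to your own network model.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the cardholder data environment lives in this subnet.
CDE = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample ruleset, evaluated top to bottom (first match wins).
RULES = [
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.20.0.10/32", "port": 443,
     "justification": "Public web tier in DMZ"},
    {"action": "allow", "src": "10.20.0.10/32", "dst": "10.10.0.5/32", "port": 8443,
     "justification": "DMZ web tier to payment API"},
    {"action": "allow", "src": "0.0.0.0/0",    "dst": "10.10.0.5/32", "port": 22,
     "justification": ""},                      # internet straight into the CDE, undocumented
    {"action": "allow", "src": "10.10.0.0/24", "dst": "0.0.0.0/0",    "port": "any",
     "justification": "legacy"},                # CDE may reach anything outbound
    {"action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "port": "any",
     "justification": "default deny"},
]


def is_trusted(net, trusted=TRUSTED):
    """A network is trusted only if it sits entirely inside a trusted range."""
    return any(net.subnet_of(t) for t in trusted)


def is_default_deny(rule):
    return (rule["action"] == "deny" and rule["src"] == "0.0.0.0/0"
            and rule["dst"] == "0.0.0.0/0" and rule["port"] == "any")


def lint_rules(rules, cde=CDE, trusted=TRUSTED):
    """Return (rule_index, finding_code) pairs for rules that violate the policy."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # Untrusted networks must never be allowed directly into the CDE.
        if not is_trusted(src, trusted) and dst.overlaps(cde):
            findings.append((i, "untrusted_to_cde"))
        # Outbound traffic from the CDE must be restricted to known destinations.
        if src.overlaps(cde) and not is_trusted(dst, trusted):
            findings.append((i, "cde_egress_unrestricted"))
        # Every allow rule needs a documented business justification.
        if not rule.get("justification", "").strip():
            findings.append((i, "no_justification"))
    # The ruleset must end in an explicit deny-all.
    if not rules or not is_default_deny(rules[-1]):
        findings.append((len(rules), "no_default_deny"))
    return findings


if __name__ == "__main__":
    for index, code in lint_rules(RULES):
        print(f"rule {index}: {code}")
```

The sample ruleset produces three findings (rule 2 twice, rule 3 once); removing the last rule adds a `no_default_deny` finding. Real firewalls also match on port, direction and interface, so treat this as the shape of a review script rather than a drop-in tool.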

Requirement 2: Apply secure configurations to all system components. Change default passwords, remove unnecessary services, and harden system configurations. Default settings from vendors are well-known to attackers and must be changed.

Protect Account Data

Requirement 3: Protect stored account data. Minimize cardholder data storage. When storage is necessary, protect it using encryption, truncation, masking, or hashing. Never store sensitive authentication data after authorization.

Requirement 4: Protect cardholder data with strong cryptography during transmission. Encrypt cardholder data when transmitted over open, public networks. Use strong cryptographic protocols and ensure certificates are valid.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software. Deploy anti-malware on all systems commonly affected by malware. Keep anti-malware current and active.

Requirement 6: Develop and maintain secure systems and software. Apply security patches promptly. Develop software securely following industry standards. Protect web applications against common vulnerabilities.

Implement Strong Access Control Measures

Requirement 7: Restrict access to system components and cardholder data by business need-to-know. Implement access controls based on least privilege. Define access needs for each role.

Requirement 8: Identify users and authenticate access to system components. Assign unique IDs to all users. Implement multi-factor authentication for administrative access and remote access to the cardholder data environment.

Requirement 9: Restrict physical access to cardholder data. Implement physical access controls to facilities and systems containing cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data. Implement logging and monitoring across all systems in scope. Review logs regularly for anomalies.
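"Review logs regularly for anomalies" is easier to act on with a concrete rule in hand. The following is an added example, not code from this course or from the PCI SSC: a small review pass over constructed log lines (the line format, event names and thresholds are assumptions) that flags three patterns an assessor would expect monitoring to catch: a burst of failed logins from one user and source, bulk or out-of-hours access to cardholder data, and any event that disables the audit trail itself.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. Assumed format:
# "<ISO-8601 UTC> <host> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T02:13:04Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:13:06Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:13:09Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:13:11Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:13:13Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:13:15Z db01 AUTH_FAIL user=svc_report src=10.0.5.7
2024-03-01T02:14:02Z db01 AUTH_OK user=svc_report src=10.0.5.7
2024-03-01T02:15:30Z db01 CHD_ACCESS user=svc_report src=10.0.5.7 table=card_vault rows=50000
2024-03-01T09:05:10Z app02 AUTH_OK user=alice src=10.0.2.20
2024-03-01T09:06:00Z app02 CHD_ACCESS user=alice src=10.0.2.20 table=card_vault rows=1
2024-03-01T10:00:00Z db01 AUDIT_DISABLED user=root src=10.0.5.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(re.findall(r"(\w+)=(\S+)", rest or ""))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "event": event, **fields}


def review_logs(text: str, fail_threshold=5, window_s=300,
                bulk_rows=1000, business_hours=(8, 18)):
    """Return (finding_code, user, timestamp) tuples in log order."""
    findings = []
    # Sliding window of recent failure timestamps per (user, source).
    recent_fails = defaultdict(list)
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["event"] == "AUTH_FAIL":
            times = recent_fails[(e.get("user"), e.get("src"))]
            times.append(e["ts"])
            while (times[-1] - times[0]).total_seconds() > window_s:
                times.pop(0)
            # Fire once, when the threshold is first reached.
            if len(times) == fail_threshold:
                findings.append(("auth_failure_burst", e.get("user"), e["ts"]))
        elif e["event"] == "CHD_ACCESS":
            rows = int(e.get("rows", 0))
            hour = e["ts"].hour
            outside_hours = not (business_hours[0] <= hour < business_hours[1])
            if rows >= bulk_rows or outside_hours:
                findings.append(("chd_access_anomaly", e.get("user"), e["ts"]))
        elif e["event"] == "AUDIT_DISABLED":
            # Tampering with the audit trail is always reportable.
            findings.append(("audit_trail_tampering", e.get("user"), e["ts"]))
    return findings


if __name__ == "__main__":
    for code, user, ts in review_logs(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {code} user={user}")
```

On the sample, `alice`'s single-row lookup during business hours is left alone, while the service account's failure burst, its 50,000-row read at 02:15 UTC, and the later `AUDIT_DISABLED` event each produce one finding. In production the thresholds belong in configuration and the findings feed a ticket or SIEM alert, but the shape of the review (parse, correlate over a window, compare against a documented baseline) is the same.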

Requirement 11: Test security of systems and networks regularly. Conduct vulnerability scans, penetration tests, and wireless access point detection regularly.

Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs. Establish and maintain a comprehensive security policy. Conduct security awareness training. Implement an incident response plan.

In the next lesson, we will cover Self-Assessment Questionnaires.