Skip to content

What are the 12 requirements for PCI DSS?


What is PCI DSS?

PCI DSS, short for Payment Card Industry Data Security Standard, is a set of requirements designed to ensure the security of cardholder data during credit card transactions. Established by major credit card companies, including American Express, Visa, and Mastercard, PCI DSS aims to protect sensitive customer information from unauthorized access or breach. Compliance with PCI DSS is mandatory for organizations that handle credit card transactions, including merchants, banks, and service providers. By adhering to these requirements, organizations can establish robust security controls and measures to protect cardholder data, maintain customer trust, and mitigate the risk of potential data breaches. Failure to comply with PCI DSS may result in severe financial penalties, loss of reputation, and increased vulnerability to cyberattacks. Therefore, understanding the 12 key requirements of PCI DSS is crucial for organizations seeking to maintain a secure environment for cardholder data.

Overview of PCI requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure the secure handling of credit card information. There are 12 requirements within the PCI DSS that organizations must comply with in order to protect cardholder data. These requirements are grouped into six objectives:

  1. Build and maintain a secure network: This involves securing network resources, implementing firewalls, and configuring them properly.
  2. Protect cardholder data: Organizations must use strong access control measures, encrypt cardholder data where it's stored, and transmit it securely.
  3. Maintain a vulnerability management program: Regularly update and patch systems, use anti-virus software, and maintain secure configurations.
  4. Implement strong access control measures: This includes restrictions on physical access to cardholder data environments, use of unique user IDs for personnel, and implementing role-based access control.
  5. Regularly monitor and test networks: Organizations must track and monitor all access to network resources, regularly test security systems and processes, and maintain audit trail records.
  6. Maintain an information security policy: Establish and maintain a security policy that addresses the protection of cardholder data and security requirements.

These requirements cover areas such as network security, data protection, access control, monitoring, and testing. By complying with these requirements, organizations can ensure the security of cardholder data and reduce the risk of data breaches.

Requirement 1: build and maintain a secure network

To comply with the Payment Card Industry Data Security Standard (PCI DSS), organizations must first focus on building and maintaining a secure network. This involves implementing appropriate security controls and measures to protect cardholder data. One key aspect is securing network resources by establishing a secure network architecture that segregates and isolates the cardholder data environment from public networks. Additionally, organizations are required to deploy and maintain firewalls that are properly configured to secure the network perimeter and control access to sensitive information. By enforcing these measures, organizations can significantly reduce the risk of unauthorized access and protect the confidentiality and integrity of customer payment card data. It is essential to regularly review and assess the effectiveness of these security controls to ensure ongoing compliance with PCI DSS requirements and safeguard against potential security risks.

Firewall configuration

Configuring a firewall is crucial to meeting the firewall requirements of the Payment Card Industry Data Security Standard (PCI DSS). A properly configured firewall helps protect the payment card data environment from unauthorized access and potential security breaches.

To configure the firewall and routers to safeguard the payment card data environment, start by establishing firewall and router rules and standards that determine what traffic is allowed and blocked. This involves defining specific access control policies and creating rule sets that restrict access to cardholder data.

The firewall configuration must adhere to PCI DSS guidelines, which include blocking public networks, implementing secure network architecture, and disabling default passwords. Additionally, strong access control measures such as role-based access control should be enforced, and regular audits should be conducted to ensure compliance.

When configuring the firewall, it is important to consider physical security as well. Limit physical access to the devices to prevent unauthorized tampering or configuration changes.

Regularly review and update firewall configurations to address new vulnerabilities and security risks. Establishing a vulnerability management program is essential to keep up with security patches and counter any potential threats.

By following these steps and adhering to the PCI DSS firewall requirements, organizations can establish secure configurations that protect sensitive cardholder data and ensure compliance with the industry standards.

Secure networks for transmission of cardholder data

Secure networks are essential for the transmission of cardholder data to ensure the privacy and integrity of sensitive information. To achieve this, encryption technology plays a critical role in safeguarding cardholder data during transit.

Encryption involves converting plaintext cardholder data into an unreadable format using complex algorithms. This ensures that if the data is intercepted, it will be useless to unauthorized individuals. Secure protocols such as TLS (Transport Layer Security) or SSH (Secure Shell) are commonly used to establish secure connections between devices over networks.

By utilizing secure networks and encryption technology, businesses can protect cardholder data from the risks associated with transmitting it over open or public networks. These networks pose significant security threats, as they are often vulnerable to interception and eavesdropping by attackers. Without encryption, cardholder data transmitted over these networks can easily be accessed and exploited by malicious individuals.

Encrypting transmissions of cardholder data adds a layer of protection, making it extremely difficult for unauthorized parties to decipher the information if intercepted. It ensures that only authorized recipients with the appropriate decryption keys can access and make sense of the transmitted data. By employing encryption technology and secure network protocols, businesses can significantly reduce the risks associated with the transmission of cardholder data, ensuring the confidentiality and security of sensitive information.

Requirement 2: protect cardholder data

Protecting cardholder data is one of the paramount requirements of the Payment Card Industry Data Security Standard (PCI DSS). This requirement focuses on the need to implement strong security measures to ensure the confidentiality and integrity of cardholder data. To comply with this requirement, organizations must employ encryption, secure protocols, and secure networks to safeguard cardholder data from unauthorized access or interception. Encryption technology transforms cardholder data into unreadable formats using complex algorithms, making it useless to unauthorized individuals. Secure protocols such as Transport Layer Security (TLS) or Secure Shell (SSH) are utilized to establish secure connections between devices over networks. By implementing these security measures, businesses can significantly reduce the risks associated with transmitting and storing sensitive cardholder data.

Access to cardholder data environment

Access to the cardholder data environment (CDE) is a critical aspect of ensuring PCI DSS compliance. The Payment Card Industry Data Security Standard (PCI DSS) outlines specific requirements regarding access to cardholder data to protect sensitive information and minimize security risks.

To comply with PCI DSS, organizations must ensure that access to cardholder data is limited to authorized personnel only. This includes implementing strong access control measures, such as role-based access control (RBAC), to ensure that only those individuals who require access can access the data.

Additionally, organizations must distinguish between on-site personnel and visitors, implementing measures to prevent unauthorized access. This can include visitor badges, escorting procedures, and physical barriers to restrict access to sensitive areas.

Securing media containing cardholder data is also a requirement. Organizations should implement measures to safeguard media, such as encryption and physical locks, to prevent unauthorized access.

Furthermore, organizations must store media backups in a safe, off-site location. This helps protect against data loss due to theft, physical damage, or natural disasters.

When media containing cardholder data is no longer needed, it must be properly destroyed to prevent unauthorized retrieval. This can involve shredding, burning, or degaussing the media to render it unreadable and unusable.

By adhering to these requirements for access to the cardholder data environment, organizations can enhance security, mitigate vulnerabilities, and ensure compliance with PCI DSS.

Default passwords and security parameters

Default passwords and security parameters play a crucial role in ensuring PCI DSS compliance and protecting cardholder data. Using default passwords can leave systems vulnerable to attack and pose significant risks to the security of cardholder data.

Default passwords are pre-set passwords that are commonly used by manufacturers or vendors to simplify the initial setup of devices. However, these passwords are well-known and widely available online, making them an easy target for hackers. If default passwords are not changed, unauthorized individuals can gain access to the system and potentially compromise sensitive cardholder data.

To address this requirement, organizations must take several necessary steps. Firstly, they need to create an inventory of all devices within the cardholder environment to identify any potential areas of vulnerability. Next, organizations must ensure that default passwords are changed to strong, unique passwords that are known only to authorized personnel.

Requirement 3: maintain a vulnerability management program

Requirement 3 of the Payment Card Industry Data Security Standard (PCI DSS) focuses on the need for organizations to maintain a strong vulnerability management program. This program involves identifying and addressing vulnerabilities in their systems and networks to ensure the protection of cardholder data. By regularly assessing and remediating vulnerabilities, organizations can reduce the risk of unauthorized access and potential breaches. This requirement emphasizes the importance of staying proactive in identifying and addressing security vulnerabilities to maintain a secure environment for sensitive payment card data.

Anti-Virus software/programs

Anti-virus software plays a crucial role in protecting systems against malware, making it an essential component of PCI DSS requirements. To ensure a secure environment, organizations must implement and regularly update reputable anti-virus software on all systems commonly affected by malicious software. This not only safeguards sensitive cardholder data but also helps prevent security breaches that could put customers' information at risk.

PCI DSS mandates that organizations ensure their anti-virus software is active, up to date, and fully operational. Regular scans should be conducted to detect and eliminate any potential threats. By implementing such software, businesses can effectively mitigate the risks associated with malware attacks, enhance the overall security posture, and comply with PCI DSS standards.

Additionally, PCI DSS recognizes that some systems may be less commonly affected by malware. To address this, periodic evaluations should be conducted to assess the presence of malicious software and implement appropriate security measures.

Regularly update systems and applications

Regularly updating systems and applications is crucial to maintaining PCI DSS compliance. This ensures that all computing systems within the cardholder data environment have the latest security patches and fixes in place. By promptly installing updates, businesses can address known vulnerabilities and reduce the risk of unauthorized access or data breaches.

One specific requirement of PCI DSS is to keep antivirus software up-to-date. This helps organizations protect against malicious software and detect any potential threats or malware on their systems. Regular scans should also be conducted to identify and eliminate any suspicious activity. These controls not only detect potential security breaches but also provide an audit trail of user activities for monitoring and analysis purposes.

Regularly updating systems and applications is essential to strengthen security parameters and protect sensitive cardholder data. By implementing these measures, organizations can maintain compliance with the PCI DSS security standard, mitigate security risks, and enhance overall data protection. It is vital for businesses to prioritize these updates to ensure the ongoing integrity and security of their payment card transactions.

Requirement 4: implement strong access control measures

Requirement 4 of the Payment Card Industry Data Security Standard (PCI DSS) focuses on implementing strong access control measures to protect cardholder data. Access to network resources and sensitive authentication data should be restricted based on business need. This requirement aims to prevent unauthorized access to cardholder data and reduce the risk of potential security breaches. Organizations are required to establish and adhere to an access control policy that defines access privileges for different roles within their environment. This policy should include the use of unique user IDs, strong passwords or multi-factor authentication, and regular reviews of user access rights. By implementing strong access control measures, organizations can ensure that only authorized individuals have access to sensitive data, reducing the risk of data theft. This requirement is crucial in maintaining the security and integrity of payment card transactions.

Unique ID per user account/password guidelines

One of the requirements for PCI DSS compliance is the implementation of unique ID per user account/password guidelines. This ensures that each person with computer access in the cardholder environment is assigned a unique identifier, allowing for the tracking and monitoring of their activities.

Assigning a unique ID to each user helps in maintaining accountability and traceability within the organization. It ensures that there is a clear record of who accessed the system and performed various actions, making it easier to identify potential security breaches or suspicious activities.

Additionally, two-factor authentication is crucial in enhancing the security of user accounts. It adds an extra layer of protection by requiring users to provide two different forms of identification, typically a password and a unique token or code. Highly secure methods like RADIUS or TACACS tokens can be used for this purpose.

By implementing these unique ID per user account/password guidelines and using two-factor authentication, companies can strengthen their security measures and reduce the risk of unauthorized access to sensitive cardholder data. This not only helps in achieving PCI DSS compliance but also protects the organization and its customers from potential security breaches.

Physical access restrictions

Physical access restrictions are vital for PCI DSS compliance, as they ensure that only authorized personnel have access to cardholder data and sensitive information. These restrictions help protect against unauthorized access, theft, or tampering.

To comply with PCI DSS requirements, organizations must implement measures such as key cards, access control systems, locked doors, and restricted areas. Key cards can provide physical access to specific individuals and can be deactivated immediately if lost or stolen, preventing unauthorized entry. Access control systems further enhance security by restricting access to only authorized individuals, limiting the risk of unauthorized access.

Securing physical records is also crucial for PCI DSS compliance. Organizations should store sensitive information, such as payment card data, in locked filing cabinets or secure rooms. This prevents unauthorized individuals from accessing physical records and provides an additional layer of protection against theft or tampering.

Maintaining visitor logs is another important practice for PCI DSS compliance. By keeping a record of all visitors entering restricted areas, organizations can monitor access and quickly identify any potential security breaches or suspicious activities.

Lastly, portable assets containing cardholder data, such as laptops or external storage devices, must be adequately protected. Encryption and strong access controls should be implemented to prevent unauthorized access to these devices, minimizing the risk of sensitive information being compromised.

Requirement 5: regularly monitor and test networks

Requirement 5 of PCI DSS focuses on regularly monitoring and testing networks to ensure ongoing security and prevent unauthorized access. It is crucial for organizations to establish a robust monitoring and testing process to detect and address any potential vulnerabilities or security breaches proactively.

Regular monitoring involves continuously monitoring network activities, user activities, and access logs to identify any suspicious or unauthorized activities promptly. This includes monitoring and analyzing firewall configuration, security policy, security parameters, and audit trails to ensure compliance with security requirements.

Ongoing testing is equally important to evaluate the effectiveness of security controls and identify vulnerabilities that could potentially be exploited. Organizations are required to conduct regular vulnerability scans at least quarterly to identify any system weaknesses that could be exploited. These scans should be performed using a reputable scanning solution to assess all system components and the scope of the cardholder data environment.

Furthermore, organizations must conduct penetration testing at least annually or after any significant changes to the network infrastructure. This testing simulates real-world attacks to identify potential vulnerabilities and weaknesses in the system. It helps organizations understand their security posture and address any identified vulnerabilities promptly.

To enhance network security, organizations should also implement additional security systems such as intrusion detection and prevention systems (IDS/IPS) and file integrity monitoring (FIM). IDS/IPS detect and prevent unauthorized access, analyze network traffic for potential threats, and respond to security incidents promptly. FIM ensures the integrity of critical system files by monitoring and alerting any unauthorized changes.

By regularly monitoring and testing networks, organizations can identify and address potential security risks, ensuring the ongoing protection of cardholder data and compliance with PCI DSS requirements.

General thought leadership and news

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...

ServiceNow GRC pricing: Is it worth it in 2025?

ServiceNow GRC pricing: Is it worth it in 2025?

Concerned about ServiceNow GRC’s pricing plans and total cost of ownership? You’re not alone. With a custom pricing structure, determining the...