What are the 6 Categories of PCI DSS?

Any payment card industry entity that handles cardholder data is familiar with the PCI DSS. As an in-depth framework, parsing the PCI DSS to achieve compliance can be a challenge. However, it is a necessary challenge for any industry entity that transmits, stores or processes cardholder data (CHD). The first step in this process is understanding how the PCI DSS is structured, and what each part requires for compliance.

What is the PCI DSS?

The PCI DSS is separated into 12 security requirements, grouped into 6 categories. Together, these guidelines apply to all system components included in or connected to the cardholder data environment (CDE). By complying with these guidelines, entities can work toward protecting CHD by reducing data security breaches and payment card fraud. These guidelines range in nature from the protection of physical environments to the creation of internal security processes.

What are the PCI DSS Categories?

The 6 PCI DSS categories separate requirements into high-level groups, allowing entities to address different compliance concepts more effectively.

Below is a breakdown of the categories in the PCI DSS 3.1, as well as an overview of their components.

Category 1: Build and Maintain a Secure Network

Category 1 has 2 requirements:

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The focus of category 1 is on the network security of a CDE. Both requirements, through physical and virtual means, address the creation and maintenance of a network protected from access by malicious individuals to CHD. Firewalls achieve this by using hardware and/or software technology to provide perimeter protection for a CDE. By avoiding the use of vendor default passwords and settings as means of accessing a network, entities can help ensure that that public information cannot be used by hackers to access systems.

Category 2: Protect Cardholder Data

Category 2 has 2 requirements:

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Category 2 is focused on protecting CHD during storage and transmission. This category offers guidance and testing procedures for data retention, transmission and disposal policies—specifically, whether storage is necessary, how to handle data when it is necessary and how to dispose of data when retirement or replacement is required.

Category 3: Maintain a Vulnerability Management Program

Category 3 has 2 requirements:

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Both requirements in category 3 provide guidelines for assessing system and application vulnerabilities. Because it is important to both address current security vulnerabilities and prevent future ones, the PCI DSS provides guidance and testing procedures that pertain to malware, software patches, policies and internal procedures.

Category 4: Implement Strong Access Control Measures

Category 4 has 3 requirements:

  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data

Category 4 focuses on the creation of strong mechanisms that limit availability of information or certain resources only to authorized persons or applications. By remaining selective about who accesses CHD and how they access it, control measures can be put in place to achieve security and compliance.

Category 5: Regularly Monitor and Test Networks

Category 5 has 2 requirements:

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

The requirements in category 5 apply once an entity has put system component security measures in place. This is because, to achieve compliance, it is not enough to implement security measures in a cardholder data environment. Entities must monitor and test system components to ensure that the measures are effective and auditable.

Category 6: Maintain an Information Security Policy

Category 6 has 1 requirements:

  • 12: Maintain a policy that addresses information security for all personnel

The final component of creating a PCI compliant IT environment is in creating and maintaining policies that protect information to ensure confidentiality, integrity and availability. By implementing organization-wide rules, entities can not only protect information, but improve workplace security practices overall.

To learn more about the PCI DSS’ requirements, learn about OnRamp’s PCI compliant hosting options, and read our About PCI DSS 12 Requirements overview.