What Are the 12 Requirements of PCI DSS?
For entities in the payment card industry, protecting cardholder data is paramount. Without safety measures in place to secure payment card information, merchants, service providers, PCI compliant hosting providers, acquirers, issuers and processors alike run the risk of compromising cardholder data (CHD), and thus losing the trust of customers and the ability to do business with payment brands and acquirers. This is why adhering to PCI DSS requirements is a necessity for any PCI entity that works with CHD.
What is the PCI DSS?
The Payment Card Industry Data Security Standard is a framework first created in 2006 by the PCI Security Standards Council. Containing 12 requirements in 6 categories, the framework provides a set of guidelines meant to prevent, detect and react to security incidents and breaches. To date there have been 5 incarnations of the PCI DSS. Each version has evolved to accommodate changing PCI environments and technologies.
What are the 12 PCI DSS Requirements?
In order to assess data flow, remediate vulnerabilities and achieve documented compliance, entities must adhere to the appropriate PCI requirements as outlined in the PCI DSS. The PCI DSS requirements detail each component of PCI compliance, from data encryption to testing procedures. Together, these 12 requirements make up the framework on which PCI entities rely to secure data and achieve compliance.
PCI DSS 3.1 Requirements
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
All PCI compliant cardholder data environments (CDEs) must be protected from unauthorized access from untrusted networks. Firewall configurations examine network traffic and block transmissions not compliant with specified security criteria.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Because vendor-supplied defaults are especially vulnerable to access by malicious individuals, it is necessary that CDE security measures do not rely on vendor-provided passwords and parameters.
Requirement 3: Protect stored cardholder data
Employ effective protection methods to secure CHD. These methods may include encryption, truncation, masking and hashing.
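As an added illustration of the three rendering methods named above (not code from the original page), the functions below mask, truncate and hash a constructed test PAN. The example assumes the common PCI DSS display rule of showing at most the first six and last four digits, and the HMAC key is a placeholder; in practice the key would come from a key-management system, never from source code.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Luhn check so that malformed input is rejected before rendering."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _check_pan(pan: str) -> None:
    # PANs are 13 to 19 digits and must pass the Luhn check.
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")


def mask_pan(pan: str) -> str:
    """Masking for display: keep first six and last four, hide the rest."""
    _check_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage: keep only the last four digits permanently."""
    _check_pan(pan)
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash of the whole PAN.

    A plain SHA-256 of a PAN is cheap to reverse by enumerating the small
    Luhn-valid number space, so a secret key (HMAC) is used instead.
    """
    _check_pan(pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    test_pan = "4111111111111111"          # constructed, widely used test PAN
    demo_key = b"placeholder-key-from-kms"  # assumption: not a real key
    print(mask_pan(test_pan), truncate_pan(test_pan), hash_pan(test_pan, demo_key))
```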
Requirement 4: Encrypt transmission of cardholder data across open, public networks
To avoid access by malicious individuals, sensitive information must be encrypted during transmission over vulnerable open networks.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Use and regularly update anti-virus software or programs to protect networks from malware like viruses, worms and Trojans.
Requirement 6: Develop and maintain secure systems and applications
To account for potential system vulnerabilities, software patches and other appropriate security measures must be installed and maintained.
Requirement 7: Restrict access to cardholder data by business need-to-know
Implement systems and processes that ensure access to CHD by only authorized personnel.
Requirement 8: Identify and authenticate access to system components
Assign a unique ID to each person with computer access to ensure that each individual is accountable for their actions.
Requirement 9: Restrict physical access to cardholder data
Physical access to data or systems that hold CHD should be restricted to certain onsite personnel and visitors.
Requirement 10: Track and monitor all access to network resources and cardholder data
Use system activity logging mechanisms and track user activities in order to prevent, detect or minimize the impact of CHD compromise.
Requirement 11: Regularly test security systems and processes
Test system components, processes and custom software frequently to account for updates and newly-discovered vulnerabilities.
Requirement 12: Maintain a policy that addresses information security for all personnel
Maintain a policy that establishes security expectations for full-time and part-time employees, temporary employees and certain contractors and consultants with access to the CDE.
To learn more about the PCI DSS’ requirements, read our About the 6 Categories of PCI DSS overview.