6 Categories of the PCI DSS
Do You Know the 6 Categories of PCI DSS?
Any payment card industry entity that handles cardholder data is familiar with the PCI DSS. Because it is an in-depth framework, understanding the PCI DSS to achieve compliance can be a challenge. Entities that transmit, store, or process cardholder data (CHD) must learn the nuances of this regulation.
The first step in this process is understanding how the PCI DSS is structured, and what each part requires for PCI compliance.
WHAT IS THE PCI DSS?
The PCI DSS is separated into 12 security requirements, grouped into 6 categories. Together, these guidelines apply to all system components included in or connected to the cardholder data environment (CDE). By complying with these guidelines, entities reduce data security breaches and payment card fraud that threatens CHD. These guidelines range from protecting physical environments to creating internal security processes.
WHAT ARE THE PCI DSS CATEGORIES?
The 6 PCI DSS categories separate requirements into high-level groups, allowing entities to address different compliance concepts more effectively.
PCI Compliance Category 1: Build and Maintain a Secure Network
Category 1 has two requirements:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Category 1 focuses on the network security of a CDE. Both requirements, through physical and virtual means, address the creation and maintenance of a network protected from malicious individuals. Firewalls use hardware and/or software technology to provide perimeter protection for a CDE. By not relying on vendor default passwords and settings as the means of accessing a network, entities help ensure that this publicly known information cannot be used by attackers to access their systems.
PCI Compliance Category 2: Protect Cardholder Data
Category 2 has two requirements:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Category 2 focuses on protecting CHD during storage and transmission. This category offers guidance and testing procedures for data retention, transmission and disposal policies: specifically, whether storage is necessary, how to handle data when it is necessary, and how to dispose of data when retirement or replacement is required.
PCI Compliance Category 3: Maintain a Vulnerability Management Program
Category 3 has two requirements:
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Both requirements in category 3 provide guidelines for assessing system and application vulnerabilities. Because it is important to both address current security vulnerabilities and prevent future ones, the PCI DSS provides guidance and testing procedures that pertain to malware, software patches, policies and internal procedures.
PCI Compliance Category 4: Implement Strong Access Control Measures
Category 4 has three requirements:
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Category 4 focuses on the creation of strong mechanisms that limit access to information or specific resources to authorized persons and applications only. By remaining selective about who accesses CHD and how they access it, entities can put control measures in place that achieve both security and compliance.
PCI Compliance Category 5: Regularly Monitor and Test Networks
Category 5 has two requirements:
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Category 5 applies once an entity has implemented system component security measures. To achieve compliance, it is not enough to implement security measures in a cardholder data environment. Entities must monitor and test system components to ensure that the measures are effective and auditable.
PCI Compliance Category 6: Maintain an Information Security Policy
Category 6 has one requirement:
- Requirement 12: Maintain a policy that addresses information security for all personnel
Finally, entities must create and maintain policies that protect information to ensure its confidentiality, integrity, and availability. By implementing organization-wide rules, entities not only protect information but also improve workplace security practices overall.
To learn more about the PCI DSS requirements, learn about OnRamp’s PCI compliant hosting options and read our PCI DSS 12 Requirements overview.