15 Detailed PCI DSS Requirements and Testing Procedures

Figure 5 describes the column headings and content for the PCI DSS requirements.

Figure 5. Understanding the Parts of the Requirements

Additional Requirements for Service Providers Only

Some requirements apply only when the entity being assessed is a service provider. These are identified within the requirement as "Additional requirement for service providers only" and apply in addition to all other applicable requirements. Where the entity being assessed is both a merchant and a service provider, requirements noted as "Additional requirement for service providers only" apply to the service provider portion of the entity's business. Requirements identified with "Additional requirement for service providers only" are also recommended as best practices for consideration by all entities.

Appendices with Additional PCI DSS Requirements for Different Types of Entities

In addition to the 12 principal requirements, PCI DSS Appendix A contains additional PCI DSS requirements for different types of entities. The sections within Appendix A include:

• Appendix A1: Additional PCI DSS Requirements for Multi-Tenant Service Providers.
• Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.
• Appendix A3: Designated Entities Supplemental Validation (DESV).