WithPCI.com

What Are the Requirements for PCI DSS Compliance?

PCI DSS consists of 12 core requirements organized under six major categories. Understanding these requirements is essential for implementing effective security controls to protect cardholder data.

The 12 PCI DSS Requirements

  1. Install and maintain a firewall configuration to protect cardholder data
    • Create network boundaries around cardholder data
    • Implement network segmentation
    • Configure and manage routers to protect internal networks
    • Regularly review firewall configurations
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Change default credentials before deployment
    • Remove unnecessary accounts, services, and functionality
    • Develop security configuration standards for all system components
  3. Protect stored cardholder data
    • Minimize storage of cardholder data
    • Implement encryption, truncation, or tokenization for stored data
    • Document data retention and disposal policies
    • Mask displayed payment card numbers
  4. Encrypt transmission of cardholder data across open, public networks
    • Use strong cryptography for transmissions over public networks
    • Never send unprotected PANs over end-user messaging technologies such as e-mail, instant messaging, or SMS
    • Implement policies for secure transmission of cardholder data
  5. Protect all systems against malware and regularly update anti-virus software
    • Use anti-virus software on all potentially affected systems
    • Implement advanced malware protection with detection and response capabilities
    • Keep anti-virus mechanisms updated and conduct periodic scans
    • Maintain audit logs of anti-virus activities
  6. Develop and maintain secure systems and applications
    • Patch systems promptly
    • Establish secure development processes
    • Separate development/test environments from production
    • Address common coding vulnerabilities in software development
  7. Restrict access to cardholder data by business need to know
    • Implement access control systems
    • Restrict access based on job roles and responsibilities
    • Document access control policies
    • Review access rights periodically
  8. Identify and authenticate access to system components
    • Assign unique IDs to each user with access to the system
    • Implement strong authentication methods, including multi-factor authentication
    • Secure all authentication credentials
    • Monitor authentication attempts and account usage
  9. Restrict physical access to cardholder data
    • Control physical access to facilities and systems
    • Implement procedures for identifying and authorizing personnel
    • Secure media containing cardholder data
    • Manage physical access logs and monitoring
  10. Track and monitor all access to network resources and cardholder data
    • Implement automated audit trails
    • Secure audit trail data from modification
    • Review logs and security events regularly
    • Maintain at least one year of audit trail history
  11. Regularly test security systems and processes
    • Conduct both internal and external vulnerability scans
    • Perform penetration testing
    • Deploy intrusion detection and prevention systems
    • Use file integrity monitoring tools
  12. Maintain a policy that addresses information security for all personnel
    • Establish, publish, and maintain security policies
    • Implement risk assessment processes
    • Develop acceptable usage policies for technologies
    • Ensure security awareness training for all personnel
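The masking and truncation controls under Requirement 3, together with the Requirement 10 concern that full PANs must not leak into audit logs, can be made concrete with a small PAN-handling helper. The code below is an added example and is not code from WithPCI or the PCI SSC; the function names, the regular expression, the sample log line and the card numbers (well-known test PANs) are all constructed for this illustration. It shows display masking (at most first six and last four digits visible), storage truncation (last four only), and a Luhn-based scanner that flags and redacts full PANs found in free text.

```python
"""Added example: PAN masking, truncation and log redaction helpers for PCI DSS Requirement 3."""
import re

# Candidate PAN: a run of 13-19 digits not adjacent to other digits.
# Note: this only catches contiguous runs; PANs written with spaces or dashes
# would need a broader pattern.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample log line; 4111111111111111 is a public Visa test PAN,
# 1234567890123456 is a digit run that is not Luhn-valid (a reference number).
SAMPLE_LOG = (
    "2024-05-01 10:00:01 order=4411 card=4111111111111111 "
    "amount=19.99 ref=1234567890123456"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first 6 and last 4 digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncate a PAN for storage: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in text (e.g. a log line)."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def _sub(m):
        s = m.group(1)
        return mask_pan(s) if luhn_valid(s) else s
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print("found:", find_unmasked_pans(SAMPLE_LOG))
    print("redacted:", redact_pans(SAMPLE_LOG))
    print("stored as:", truncate_pan("4111 1111 1111 1111"))
```

Run the redaction step at the point where application logs are emitted (or in the log pipeline before storage) so that the audit trail required by Requirement 10 never itself becomes a cardholder data store; the Luhn filter keeps ordinary order and reference numbers from being masked by mistake.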

Validation Requirements

The validation methods depend on the merchant or service provider level:

  • Report on Compliance (ROC): detailed assessment report completed by a Qualified Security Assessor (QSA). Required for Level 1 merchants and Level 1 service providers.
  • Self-Assessment Questionnaire (SAQ): self-evaluation tool with different versions based on processing methods. Required for Level 2-4 merchants and Level 2 service providers.
  • Attestation of Compliance (AOC): formal declaration of compliance status. Required for all levels.
  • Network Security Scans: quarterly scans by an Approved Scanning Vendor (ASV). Required for all levels.

These requirements ensure that organizations implement appropriate controls based on their risk profile and transaction volume.
