What are the 12 Requirements of PCI DSS Compliance?

By ERMProtect Staff

PCI compliance refers to adherence to a set of standard IT security requirements developed by the Payment Card Industry Security Standards Council (PCI SSC). These requirements help businesses, such as retailers, banks, merchants, and service providers, ensure that if they store, process, or transmit cardholder information, they do so securely.

The requirements are laid out in the Payment Card Industry Data Security Standard, commonly referred to as PCI DSS. As payment cards are a widely used method of payment, compliance with PCI DSS is an important consideration that many small, medium, and large businesses are tasked with. PCI compliance solutions focus on areas where organizations can improve their security practices.

The PCI DSS standard is based on a set of 6 goals and 12 requirements designed to meet those goals. The goals include:

  • Building/maintaining secure networks and systems
  • Protecting cardholder data
  • Maintaining vulnerability management programs
  • Implementing strong access control features
  • Regularly monitoring and testing networks, and
  • Maintaining information security policies.

In order to meet these goals, the PCI SSC outlines 12 PCI compliance requirements that businesses and other entities handling cardholder information must follow. The twelve requirements are as follows:

1. Install and maintain a firewall

Businesses that store, process, or transmit cardholder data must install and maintain a firewall. Firewalls can block inbound and outbound traffic and help businesses keep cardholder information safe. Businesses are also required to ensure that any device used to access cardholder data, including company-issued tablets used by employees, has firewall software or an equivalent.

2. Avoid using vendor supplied default passwords and other security parameters

Default passwords provided by equipment and software vendors represent a serious security risk, since these can be easily discovered on the Internet.

The same principle applies to default security parameters as well. New devices or software often come with default security settings that may not be appropriate for your specific environment or needs. These default settings may be weak or not provide adequate protection against certain types of attacks.

It’s important to always change default passwords and configuration settings before connecting a new system to your network.

3. Protect stored cardholder data

Businesses must exercise robust security practices and work to protect cardholder data. One of the most important considerations is how long cardholder data is stored. To keep cardholder data safe, retain it only as long as necessary and dispose of unnecessary stored cardholder data regularly.

4. Encrypt any transmissions of cardholder data across open or public networks

While there are legitimate reasons why cardholder data must be transferred across public or open networks, these transmissions must be encrypted to safeguard critical information. Any time cardholder data is transmitted across open networks, it must be encrypted. This helps ensure that, even if the data is intercepted or viewed, it is not necessarily compromised.

5. Protect systems from malware/regularly update antivirus software

Since malicious software, or malware, is a common and widespread threat, especially to end devices such as personal computers and to network infrastructure such as servers, organizations handling cardholder data must protect their systems from malware. The PCI SSC requires that entities which store, transmit, or process cardholder data deploy anti-malware mechanisms such as antivirus software on systems commonly affected by malware, and conduct periodic evaluations of systems less commonly affected by malware.

6. Develop and maintain secure systems and applications

Businesses and other entities handling cardholder data must ensure that the systems and applications they use are secure. To do so, they should take proactive security measures, including installing the most recent security patches available and developing applications and other systems securely.

7. Restrict access to cardholder data to those with a business need to know

One way to help ensure that data stays secure is to limit the number of users who have access to it on digital systems. The PCI SSC requires that entities which process, store, or transmit cardholder data take measures to limit access to only those users who need cardholder data to do their job.

8. Identify and authenticate access to system components

To protect vital systems, businesses and other entities adhering to PCI DSS requirements must ensure that every user who accesses these systems has an assigned ID, and must implement authentication measures for system access, such as passwords, biometrics, or token devices.

9. Restrict access to physical cardholder data

Not all cardholder data is digital. Data that is physically stored must also be kept secure. Businesses and other entities handling cardholder data must therefore take measures to protect access to physical cardholder data as well. This might include, but is not limited to, limiting access to areas where sensitive data is stored and monitoring access to those areas.

10. Track and monitor all access to network resources and cardholder data

Organizations need to know who has access to network resources and cardholder data, and when. Detailed security logs help organizations better understand potential vulnerabilities and take appropriate action should a system fail.

11. Regularly test security systems and processes

While setting up initial security measures is vital, so is continuous testing and analysis. Regular testing of security systems and processes can help entities protect valuable cardholder data and stay ahead of potential security threats.

12. Maintain a policy that addresses information security for all personnel

Because businesses and other entities handling cardholder data can have many moving parts, each individual across the entire organization must be aware of their information security responsibilities. To remain PCI DSS compliant, the PCI SSC requires businesses to maintain, publish, and disseminate a security policy that is reviewed each year.

PCI Compliance Solutions for Your Organization

PCI DSS compliance is important across a wide range of industries, from hospitality to finance. Businesses and other entities that deal with sensitive cardholder data should be familiar with the PCI DSS requirements and understand why each requirement is an important component of a robust security policy. By better understanding the requirements for PCI DSS compliance, organizations can better ensure that their own security practices are compliant, and a PCI compliance audit can show them how to improve their security.

For more information about our PCI compliance solutions or a free quote, please contact [email protected] or call 305.447-6750.
