12 Requirements of PCI DSS

Published on : 22 Mar 2022

The Payment Card Industry Security Standards Council (PCI SSC) established a stringent payment card security standard known as PCI DSS for the benefit of customers, cardholders, and other stakeholders of the industry. The Payment Card Industry Data Security Standard is a framework designed and developed to protect sensitive card data in the environment. The payment security standard is a comprehensive framework that outlines 12 requirements that organizations are expected to meet to ensure compliance. Below, we explain the 12 PCI Compliance requirements in detail and elaborate on what is expected from an organization when implementing each requirement.

What are the 12 requirements of PCI DSS?

The 12 requirements outlined by the PCI Council for PCI DSS Compliance comprise technical and operational security measures that need to be implemented within the card environment. That said, it is important to understand that the primary focus of these 12 PCI DSS requirements is protecting sensitive card data. To implement these requirements, organizations must first understand each of them and know the purpose of the security measures involved. So, read the explanation below to get a better perspective and understanding of the payment security standard.

PCI DSS Requirement 1

Install and Maintain a Firewall Configuration to Protect Cardholder Data

PCI DSS Compliance Requirement 1 is all about protecting systems and networks against external threats by installing firewalls. The requirement is there to ensure that service providers and merchants maintain a secure network with updated and well-configured firewalls and routers in place. Firewalls are applications that constantly monitor online traffic and restrict incoming and outgoing traffic based on the rules set and configured by the organization.

The rules and criteria configured in the firewall systems restrict access to the critical network comprising the card data in the environment. Firewalls are primarily installed to protect the network that holds sensitive card data or connects to systems holding sensitive card data. So, organizations must define and establish standard rules and criteria for firewalls and routers to allow or deny access to the network. These rules need to be aligned with the PCI DSS requirements to ensure the protection of card data. Further, these rules should be reviewed every 6 months to stay updated with the changing requirements of the industry.

PCI DSS Requirement 2

Do Not Use Vendor Supplied Defaults for Systems and Passwords and Other Security Parameters

PCI DSS Compliance Requirement 2 is all about ensuring the organization’s systems, network, applications, devices, and all access points are well secured using strong security parameters and passwords. Systems, devices, and applications often come with factory default settings, including usernames and passwords. These default settings and insecure configurations can be a huge threat to the card data environment, for they can be easily hacked: the passwords are simple to guess and, more often than not, even published online.

The PCI DSS requirement prohibits the use of default passwords and other default security parameters. Further, as per Requirement 2 of PCI DSS, organizations are also required to maintain an inventory of all the system configurations, passwords, and hardening procedures that ensure implementation of the security requirement. System configuration procedures and processes should be well defined, documented, and followed each time a new system is introduced in the environment.

PCI DSS Requirement 3

Protect Stored Cardholder Data

PCI DSS Requirement 3 is the most critical and essential requirement of the PCI Compliance standard. The requirement focuses on securing sensitive card data like the PAN (Primary Account Number) and SAD (Sensitive Authentication Data) against unauthorized access. PCI Compliance Requirement 3 also outlines rules concerning the display of PANs, which should show only the first six and last four digits of the entire PAN.

As per the requirement, organizations need to identify, classify, and locate the data stored in the environment and thereafter adopt techniques of encryption, tokenization, and truncation to secure the stored cardholder data. The PCI DSS encryption requirement also states the need for organizations to maintain the encryption key management process. Overall, the requirement focuses on securing the stored card data in the environment.
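The display rule described under Requirement 3 (only the first six and last four digits of the PAN), as an added example that is not part of the original article: a Python routine that finds Luhn-valid PANs in log lines and masks them. The function names, the log format, and the sample lines are assumptions constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text such as a log line."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group())
        # Digit runs that fail Luhn (order ids, phone numbers) are left alone.
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample lines; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_LOG = [
    "2022-03-22 10:01:07 auth ok pan=4111111111111111 amount=12.50",
    "2022-03-22 10:01:09 receipt card 4111-1111-1111-1111 printed",
    "2022-03-22 10:01:11 order id 1234567890123456 shipped",  # fails Luhn
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(redact_text(line))
```

Masking of this kind covers display and logging only; stored PANs still need the encryption, tokenization, or truncation the requirement calls for.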

PCI DSS Requirement 4

Encrypt Transmission of Cardholder Data across Open & Public Network

As an extension of PCI Compliance Requirement 3, PCI DSS Requirement 4 states the need to secure card data in transit over an open or public network. The requirement outlines the need to encrypt data transmitted across public networks. This can prevent breaches and unauthorized access to sensitive data transferred over the open network. Data secured as per the PCI DSS encryption requirement is also less likely to be compromised. Using cryptography for the secure transmission of data goes a long way in protecting card data.

PCI DSS Requirement 5

Use and Regularly Update Antivirus Software or Programs

PCI Compliance Requirement 5 focuses on securing the card data environment against malware. Organizations are expected to install antivirus software on all systems, including laptops, desktops, tablets, and mobile devices, that are used to access sensitive card data. Anti-virus applications and software are designed to protect systems from viruses, Trojan horses, and other malware. So, PCI DSS Requirement 5 needs the systems and devices in the card data environment to be protected with the latest antivirus software. Further, the installed anti-virus programs should be regularly updated to ensure there is constant monitoring and detection of malware. Systems should also be well configured for updates and alerts to report suspicious or abnormal activity, including unauthorized access attempts.

PCI DSS Requirement 6

Develop and Maintain Secure Systems and Applications

PCI DSS Requirement 6 focuses on protecting systems and applications by identifying vulnerabilities. For this, organizations are expected to define and implement policies, procedures, and processes that facilitate the identification of vulnerabilities and classify the severity of risk posed to the card data environment.

Organizations must also ensure the deployment of critical patches in all systems in the card data environment, including operating systems, firewalls, routers, applications, and POS terminals, to name a few.

The PCI requirement deals with the deployment of secure applications and systems and the appropriate management of security patches and system and application configurations to prevent misuse or compromise of cardholder data. It also includes addressing common coding vulnerabilities in the software development process. PCI DSS Requirement 6 also mandates the need to document all systems and application controls, including defined roles, responsibilities, policies, procedures, and testing processes relating to securing systems and applications.

PCI DSS Requirement 7

Restrict Access to Cardholder Data by Business Need to Know

PCI DSS Requirement 7 expects organizations to implement access control measures to ensure that access to data is restricted to only authorized individuals, based on business requirements. The requirement focuses on establishing role-based access controls to facilitate access to card data on a need-to-know basis. For this, organizations need to define roles and responsibilities and develop policies and procedures to implement appropriate access control measures.

Further, organizations must also ensure that the security policies and operational procedures for restricted access to cardholder data are documented. The document should comprise the list of users, their roles, and responsibilities for access to the card data environment. Restricting access to cardholder data will prevent threats of compromise, theft, and data breach in the organization.

PCI DSS Requirement 8

Identify and Authenticate Access to System Components

As per PCI DSS Requirement 8, organizations are expected to assign unique IDs to every authorized individual who accesses the card data environment. This way, organizations can monitor activities around the use of card data and bring transparency and accountability to the data processing. Requirement 8 includes identification and authentication for all users who access system components, including third-party vendors. The requirement further states the need to develop, implement, and document policies and procedures that ensure appropriate access management, including policies to revoke access granted to users who are terminated or transferred off their roles and responsibilities. It also requires establishing security measures for system components and remote access to card data, which includes using techniques of cryptography, 2-factor authentication, and strong passwords.

PCI DSS Requirement 9

Restrict Physical Access to Cardholder Data

PCI DSS Requirement 9 focuses on protecting physical access to systems holding cardholder data within the cardholder data environment. This would mean appointing onsite security personnel, maintaining access logs, and using CCTV devices for constant monitoring of entry and exit doors to the sensitive data center. The physical access records should be documented, maintained, and retained for a period of 90 days.

Organizations are expected to have policies, procedures, and processes in place that ensure security measures are implemented. Organizations are also expected to maintain a separate policy and process that distinguishes between onsite staff and visitors accessing card data, for easy tracking and monitoring. Implementing strong security measures is essential to prevent unauthorized access that may further result in theft, compromise, or destruction of critical systems and cardholder data.

PCI DSS Requirement 10

Track and Monitor Access to Network Resources and Cardholder Data

PCI DSS Requirement 10 focuses on securing the network connecting to the cardholder data environment. For this, organizations are expected to maintain a detailed audit trail that associates access to system components with individual users. The requirement covers securing, tracking, and monitoring all user access to network resources and the cardholder data. This is to identify anomalies, suspicious activities, and vulnerabilities in networks connecting to card data.

There must also be systems, processes, and procedures in place to monitor logs and alert on suspicious activity. Organizations are also expected to maintain access logs and review them periodically for constant monitoring and a future plan of action. PCI Compliance requires that the audit trail records meet certain standards in terms of the information contained, including logging, audit functions, and data, all of which must also be maintained for a period of not less than a year.

Tracking and monitoring of network and system access significantly prevents data breaches and minimizes the exposure of data to risk. Without the audit trails and logging functionality, determining the vulnerabilities and potential cause of the breach is impossible.

PCI DSS Requirement 11

Regularly Test Security Systems and Processes

PCI DSS Requirement 11 requires organizations to regularly test, review, and update the security systems and processes they have in place. Testing the implementation of all the security controls validates their effectiveness and identifies any shortcomings in the systems and processes before they are identified by an attacker. So, conducting internal and external network vulnerability scans, performing quarterly scans by a PCI SSC Approved Scanning Vendor, and carrying out application and network penetration tests and vulnerability scans at least yearly or after any significant change is crucial and essential as per the PCI Compliance requirement.

A segmented network that isolates the CDE from other networks must also be scanned and tested by performing Penetration Tests to verify that segmentation is effective. Organizations are also expected to implement Intrusion Detection & Intrusion Prevention systems to monitor network traffic and identify suspicious traffic that could compromise security.

File monitoring is another important aspect of the PCI DSS requirement, wherein the files should be reviewed every week to detect any changes that may have gone unnoticed. The tests conducted are designed to validate all security controls and other technical aspects of an environment, including the servers, networks, applications, processes, etc. This is simply to identify issues and address them in a timely manner before the vulnerabilities are exploited by malicious hackers.

PCI DSS Requirement 12

Maintain a Policy that Addresses Information Security for All Personnel

Requirement 12 of PCI DSS is largely dedicated to establishing a strong Information Security Policy for all employees and other relevant parties. The PCI requirement states the need for policies to be developed and made available to all employees, vendors, and contractors. Thereafter, they should document an acknowledgment of having read the policy and being aware of their roles and responsibilities.

Organizations are expected to ensure that all the employees and vendors dealing with the cardholder data and having access to the cardholder data environment are aware of the security policies, processes, and procedures of the organization. This is to ensure that the roles and responsibilities defined are performed in alignment with the requirements of PCI DSS.

The Information Security policy works like a roadmap for implementing security measures and directing employees, vendors, and other stakeholders to secure sensitive data and assets. The PCI requirement also states the need for the policy to be reviewed annually and updated based on the evolving threat landscape.

Updating the policy is essential to reflect the changes in the environment and new security measures implemented to address the threats. The organization must develop and maintain policies including the Information Security Policy, Usage Policies and Procedures, documents defining Information Security responsibilities, and other relevant supporting documents. In addition to this, organizations are also expected to conduct Annual Risk Assessments, maintain a Security Awareness Program and an Incident Response Plan, and document the same for audit purposes.

Final Thought

PCI DSS compliance is a daunting task for organizations to meet, especially when the requirements are so detailed and elaborate. Even companies having the best of resources and genuine intent falter in the process and find it challenging to constantly maintain the standard.

Despite how difficult it is, companies should strive to achieve PCI DSS Compliance by meeting all the 12 requirements outlined by the council. This is to prevent breaches and avoid suffering significant consequences. By understanding each of the requirements and also referring to the compliance checklist shared by us in our blogs, organizations can surely achieve and continue to maintain compliance.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.