Any merchant or service provider that stores, processes, or transmits cardholder data is required to comply with the PCI DSS (Payment Card Industry Data Security Standard). The Standard has 12 requirements organized into 6 control objectives related to cardholder data storage, transmission, and processing.
This page outlines the Payment Card Industry Data Security Standard’s 12 requirements and explains how to achieve and maintain compliance with each of them. The requirements apply to all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data in, or that are connected to, the cardholder data environment.
PCI DSS 12 requirements
Version 3.2.1 of the PCI DSS specifies 12 requirements, organized into six control objectives. Each requirement is summarized below.
PCI DSS requirement 1 states that organizations must install and maintain a firewall configuration to protect cardholder data.
Firewall configurations must be designed to protect the cardholder data environment from unauthorized access, both inbound and outbound.
Organizations must also ensure that the firewall configuration is reviewed and updated regularly, as necessary, to include any new security patches or updated security configurations.
PCI DSS requirement 2 requires that organizations do not use vendor-supplied defaults for system passwords and other security parameters.
Organizations must set their own unique passwords and security parameters rather than relying on the defaults supplied by the vendor.
This requirement is intended to ensure that organizations know and can control the level of access to their environment. Organizations must also update these passwords and security parameters on a regular basis.
PCI DSS requirement 3 states that organizations must protect stored cardholder data with encryption, passwords, and physical security measures, restricting access to only those personnel who need it for their job duties.
Organizations must also regularly monitor and test the security of any systems that store, process, or transmit cardholder data.
PCI DSS requirement 4 states that all cardholder data must be encrypted when transmitted across open, public networks. This includes using secure encryption protocols such as SSL/TLS or IPsec to protect cardholder data as it is being sent from one point to another (note that SSL and early TLS are no longer considered strong cryptography under the Standard, so current TLS versions should be used).
This requirement is intended to ensure that cardholder data is not disclosed to unauthorized third parties when it is being moved from one system to another.
PCI DSS requirement 5 states that organizations must protect all systems against malware and regularly update antivirus software or programs.
This includes implementing antivirus software on all systems commonly affected by malware, as well as regularly updating the software and running regular scans.
Organizations must also develop and implement procedures to prevent and detect malicious software on all systems.
PCI DSS requirement 6 is designed to ensure that organizations have secure systems and applications in place to protect cardholder data. It requires that organizations implement strong security measures in the development, maintenance, and monitoring of all applications.
Organizations must ensure that all systems and applications are securely configured to protect cardholder data and are patched and updated regularly. In addition, organizations must ensure that all identified vulnerabilities are addressed and that any third-party security assessments are conducted regularly.
PCI DSS requirement 7 states that organizations must restrict access to cardholder data to only those individuals who need it to perform their job duties. This means that access to cardholder data should be based on the principle of least privilege, and that access should be granted only after proper authorization.
Organizations should regularly review access rights to ensure that access is only granted to those who need it. All access should be documented and monitored.
PCI DSS requirement 8 states that organizations must identify and authenticate access to system components. This means that they must ensure that only authorized users have access to cardholder data, and that only authorized personnel are allowed to make changes to or access systems.
Organizations must also use strong authentication mechanisms such as passwords, digital certificates, biometrics, or token-based authentication. Access to cardholder data must be limited to only those who need it to perform their duties.
PCI DSS requirement 9 requires organizations to restrict physical access to cardholder data by implementing physical security measures to protect systems that store cardholder data. This includes limiting access to authorized personnel and using locks, alarms, and other physical security measures.
Organizations must regularly monitor and test physical security measures and monitor and escort visitors to their premises.
PCI DSS requirement 10 states that organizations must track and monitor all access to network resources and cardholder data. This includes tracking the user identity, type of access, and date and time of access.
Organizations must also create audit logs that record all system activities related to the processing, storage, and transmission of cardholder data. The audit logs must be reviewed and monitored regularly, and kept for a minimum of one year. Any exceptions or suspected data breaches must be promptly investigated.
PCI DSS requirement 11 states that organizations must periodically test their security systems and processes for vulnerabilities and security issues, and assess staff's ability to detect and respond to security incidents.
Additionally, organizations should conduct penetration tests, external and internal vulnerability scans, and other security-related tests to help identify any risks or weaknesses in their system.
PCI DSS requirement 12 requires organizations to maintain a policy that addresses information security for all personnel. The policy must cover topics such as the proper use of networks, systems, and applications, information security incident response procedures, and acceptable use of software and hardware.
It should also include procedures for effective monitoring and reporting of information security incidents, and outline the roles and responsibilities of personnel in relation to information security.
Version 4 of the PCI DSS was released in March 2022. Merchants and service providers have a two-year transition period to update their security controls to conform to the new version.
Version 3.2.1 will be retired on 31 March 2024.
Like version 3.2.1, PCI DSS v4.0 specifies 12 requirements, organized into six control objectives:
- Requirement 1: Install and Maintain Network Security Controls
- Requirement 2: Apply Secure Configurations to All System Components
- Requirement 3: Protect Stored Account Data
- Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Requirement 5: Protect All Systems and Networks from Malicious Software
- Requirement 6: Develop and Maintain Secure Systems and Software
- Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
- Requirement 8: Identify Users and Authenticate Access to System Components
- Requirement 9: Restrict Physical Access to Cardholder Data
- Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
- Requirement 11: Test Security of Systems and Networks Regularly
- Requirement 12: Support Information Security with Organizational Policies and Programs
The version 4.0 requirements differ only slightly from those in version 3.2.1, but thanks to the new ‘customized approach’, covered entities will have greater flexibility in how they meet them.
Read the full text of PCI DSS v4.0 on the PCI Security Standards Council website.
Discover our range of best-selling PCI DSS products and services
IT Governance USA provides everything you need to meet your PCI compliance requirements. We can help with a gap analysis, reducing the scope of the cardholder data environment, risk assessment, and testing security of systems and processes for vulnerabilities.
View our range of best-selling products and services to find out more about what we can do.
Speak to an expert
For more information about the PCI DSS and what your organization needs for compliance, please get in touch with one of our experts, who will be able to advise you further.