What are the PCI DSS Requirements?

Payment Card Industry Data Security Standard (PCI DSS) is the global industry standard set of policies and procedures intended to enhance data security for all organizations that process, store, or transmit cardholder data. It has been adopted by all the major payment card brands as the standard model of data security. It contains practical steps that mirror security best practices.

The PCI DSS version 3.0 specifies 12 requirements for compliance, organized into six logically related groups, which are called “goals.”

Security Controls and Processes for PCI DSS Requirements

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel