Knowing whether you need to be compliant with PCI DSS is fairly straightforward. If you’re a merchant or service provider that manages card transactions and cardholder data, PCI DSS most likely applies to you. But knowing exactly what you need to do to be compliant is less straightforward.
PCI DSS outlines 12 requirements for handling cardholder data securely including maintaining a secure network, organized into 6 objectives. You must meet all of these requirements to achieve compliance.
If you’re looking for guidance on how to comply with PCI DSS, keep reading. This article breaks down the essentials of all 12 PCI compliance requirements in a quick and easy guide.
The 6 principles of PCI DSS compliance
These 12 PCI DSS requirements map to six major principles of PCI compliance, which are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
If all of these conditions are met, then the cardholder data environment and services included in-scope are consideredPCI compliant.
The 12 PCI DSS requirements
The PCI DSS requirements not only strengthen the cardholder data environment (CDE) but also a business’s overall security posture.
PCI requirements list:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
It’s also important to note that the PCI DSS standard has undergone updates as technology and threats have evolved.
In 2022, the PCI governing body announced the next version of PCI DSS, v4.0, to go into effect after March 31, 2025. PCI DSS v4.0 introduces both new requirements and a variety of changes to current ones. Those are reflected below.
Recommended reading
PCI DSS 4.0 Requirements: A Deep Dive into the Latest Changes and How They Affect Your Organization
Read MorePCI requirements overview
You can think of the 12 requirements of PCI DSS as a sort of roadmap that details all of the policy, procedure, and implementation requirements that must be in place to achieve compliance.
Below, we break down the purpose of each of the 12 requirements.
Requirement 1: Install and maintain network security controls
Today, many transactions happen virtually through the internet and ecommerce. Without proper security, unauthorized users can gain access to payment system networks.
Requirement 1 addresses this issue by requiring businesses to maintain a secure network with firewalls.
Firewalls control the traffic coming in and out of your network and filter out unauthorized access to your data, making sure that cardholder data is only shared with trusted connections.
To comply with this requirement, businesses need to install and configure firewalls and create rules to determine what type of traffic is allowed onto the network. Requirement 1 also requires businesses to review configuration rules every six months, including additional network security controls.
Requirement 2: Apply secure configurations to all system components
Oftentimes, network devices and equipment will come pre-configured with default passwords and settings.
Default passwords and settings for most network devices are often widely known, making it easy for hackers to gain access to your devices. PCI DSS requires businesses to avoid using default passwords and to change passwords before installing a system on your network.
Requirement 3: Protect stored account data
This requirement outlines specific steps businesses must take to protect stored cardholder data — whether it’s printed, stored locally, or in a database.
Cardholder data could refer to any information contained on a payment card, such as PINs, PAN data, and sensitive authentication data.
PCI DSS outlines what you can and cannot store after authorization when it comes to cardholder data.
Can store:
- Personal account numbers (PAN)
- Cardholder names
- Expiration dates
Cannot store:
- Magnetic stripe data
- PINs
- CVV
The requirement also specifies that businesses should only store card data that is necessary to meet business needs. Any data that you do store should be encrypted using industry-accepted encryption practices like AES-256 bit encryption.
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
This requirement is about protecting cardholder data when it’s being transmitted across open, public networks, such as the internet.
When cardholder data must be shared over open, public networks, businesses should use strong encryption technology to encrypt the data from unauthorized users.
PCI DSS also states that businesses should never send unprotected PAN through end-user messaging, such as email, instant message, SMS, and chat.
Requirement 5: Protect all systems and networks from malicious software
Malicious software, or malware, can enter a network through email, social engineering, malicious file installation, or other online activities. To protect cardholder data against such threats, anti-virus software must be installed and regularly updated.
Requirement 5 outlines specific steps businesses must take to protect against malware, including:
- Install anti-virus software on all systems commonly affected by malware
- Ensure anti-virus software performs period scans and generates audit logs
- Ensure anti-virus software cannot be altered or disabled by users
Requirement 6: Develop and maintain secure systems and software
The purpose of Requirement 6 is to ensure you have a process in place to manage the software within your CDE. This requirement includes all in-scope applications within your environment.
PCI DSS also requires businesses to install security patches in a timely manner to protect cardholder data. The requirement also includes controls for software development best practices to prevent vulnerabilities.
Requirement 7: Restrict access to system components and cardholder data by business need-to-know
Access controls allow a business to determine which users are authorized to access cardholder data or systems that can impact cardholder data. As a general rule of thumb, PCI DSS prescribes that authorization should be granted on a need-to-know basis.
Requirement 7 states that a business should restrict access to cardholder data only to employees who need the information to perform their job.
Requirement 8: Identify users and authenticate access to system components
PCI DSS also requires businesses to assign a unique ID to each employee with access to system components. This allows the business to keep a history of which users have accessed various aspects of cardholder data or related systems in the event of a data breach.
Requirement 8 also requires multi-factor authentication and password encryption to further protect user accounts.
Requirement 9: Restrict physical access to cardholder data
The purpose of this requirement is to limit the physical access to cardholder data or systems that impact cardholder data only to personnel that need access to the systems to perform their job. PCI DSS also requires businesses to clearly distinguish on-site personnel from visitors, such as with ID badges.
Requirement 9 also outlines steps businesses must take to secure media, which is any paper and electronic media containing cardholder data. This includes storing media back-ups in a safe, off-site location and destroying media when it is no longer needed.
Requirement 10: Log and monitor all access to system components and cardholder data
Requirement 10 focuses on log generation and being able to track actions back to an individual account. This helps a business quickly identify the source of a malicious request or attack.
Businesses are required to implement automated audit trails that monitor for specific events and send notifications to personnel for daily review. Businesses must also secure audit trails so they’re unable to be altered.
Requirement 11: Test security of systems and networks regularly
The purpose of Requirement 11 is to maintain the ongoing security of internal and external systems through regular testing.
These tests include quarterly network vulnerability scans and annual penetration testing. Network intrusion detection or intrusion prevention techniques must also be deployed to detect or prevent network intrusions.
Requirement 12: Support information security with organizational policies and programs
The final requirement of PCI DSS requires businesses to create and maintain an information security policy that will influence security practices across the entire organization.
This requirement also requires businesses to:
- Develop a security awareness program
- Conduct background checks on potential hires
- Implement an incident response plan
- Conduct an annual risk assessment program
- Create a technology usage policy
- Define employee information security responsibilities
- Assign specific responsibilities for protecting cardholder data
FAQs
What are the 12 requirements of PCI DSS?
The 12 requirements of PCI DSS are:
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
What does PCI mean?
PCI stands for Payment Card Industry. This industry is made up of all the various organizations responsible for storing, processing, and transmitting cardholder data, including credit and debit card data.
What is PCI compliance and is it required?
PCI compliance means an organization that falls within the scope of the Payment Card Industry Data Security Standard (PCI DSS) meets the requirements and adheres to applicable security controls for protecting cardholder data. PCI compliance is required for merchants and service providers that store, process, transmit, or could impact the security of cardholder data.