PCI DSS requirements - high-level overview

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements.

Note: These requirements are defined by the Payment Card Industry (PCI) Security Standards Council as part of the PCI Data Security Standard (DSS) Version 3.2. Please refer to the PCI DSS for information on testing procedures and guidance for each requirement.

Build and Maintain a Secure
Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability
Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications
Implement Strong Access
Control Measures
7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data
Regularly Monitor and
Test Networks
10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes
Maintain an Information
Security Policy
12. Maintain a policy that addresses information security for all personnel