The 12 PCI Compliance Requirements + How to Comply 

May 31, 2022

Becoming PCI compliant is a major undertaking for a business of any size. 

The PCI DSS standard involves 300+ security controls and 12 security requirements that range from proper network security to encryption standards to protect cardholder data. 

With digital payment value continuing to rise year over year, ensuring you’re able to process these payments by complying with the PCI DSS standard is crucial for any business. 

Below, we break down the essence of all 12 PCI compliance requirements in a quick and easy guide.

What is PCI DSS compliance?

The PCI DSS standard sets security guidelines for businesses that store, process, and transmit cardholder data. PCI compliance is necessary for any merchant or service provider that deals with card transactions and cardholder data. 

PCI compliance boils down to meeting all 12 PCI DSS requirements. These range from installing network security measures to restricting user access to cardholder data. 

These 12 requirements map to six major principles of PCI compliance, which are:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

If all of these conditions are met, then the payment card transaction environment (and the company itself) is considered PCI compliant.

The 12 PCI DSS requirements

The PCI DSS requirements strengthen both the cardholder data environment (CDE) and a business’s overall security posture.

PCI requirements list:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

It’s also important to note that the PCI DSS standard has undergone updates as technology and threats have evolved. 

In 2022, the PCI governing body announced the next version of PCI DSS, v4.0, to go into effect after March 31, 2025. PCI DSS v4.0 introduces both new requirements and a variety of changes to current ones. 

PCI requirements overview

You can think of the 12 requirements of PCI DSS as a sort of roadmap that details all of the policy, procedure, and implementation requirements that must be in place to achieve compliance. 

Below, we break down the purpose of each of the 12 requirements.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Today, many transactions happen virtually through computers connected by networks. Without proper security, unauthorized users can gain access to payment system networks. 

Requirement 1 addresses this issue by requiring businesses to maintain a secure network with firewalls. 

Firewalls control the traffic coming in and out of your network and filter out unauthorized access to your data, making sure that cardholder data is only shared with trusted connections. 

To comply with this requirement, businesses need to install and configure firewalls and create rules to determine what type of traffic is allowed onto the network. The standard also requires businesses to review configuration rules every six months. 

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Oftentimes, merchants do not change the default passwords and settings within their cardholder data environment (CDE). 

Default passwords and settings for most network devices are widely known, making it easy for hackers to gain access to your internal network. PCI DSS requires businesses to avoid using default passwords and to change them before installing a system on the network. 

Requirement 3: Protect stored cardholder data

This requirement outlines specific steps businesses must take to protect stored cardholder data — whether it’s printed, stored locally, or transmitted. 

Cardholder data refers to any information contained on a payment card, such as PINs, personal customer information, and card information. 

PCI DSS outlines what you can and cannot store when it comes to cardholder data.

Can store:

  • Primary account numbers (PAN)
  • Cardholder names
  • Expiration dates

Cannot store:

  • Magnetic stripe data
  • PINs
  • Service codes (the three- or four-digit numbers on cards)

The requirement also specifies that businesses should only store card data that is necessary to meet business needs. Any data that you do store should be encrypted using industry-accepted encryption practices like the Advanced Encryption Standard, also known as AES.
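As an added illustration of Requirement 3 (this is example code, not code from the original post or from Secureframe), the Go snippet below keeps only the storable fields from the list above and protects the PAN at rest with AES-256-GCM, the AES mode a practitioner would reach for; the field names, the 32-byte key and any sample card values are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// sanitizeForStorage keeps only the fields the page lists as storable, so
// stripe data, PINs and security codes never reach disk (names assumed).
func sanitizeForStorage(rec map[string]string) map[string]string {
	out := map[string]string{}
	for _, k := range []string{"pan", "cardholder_name", "expiry"} {
		if v, ok := rec[k]; ok {
			out[k] = v
		}
	}
	return out
}
// newGCM builds an AES-GCM cipher; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encryptPAN protects the PAN at rest; a fresh random nonce is prefixed to the ciphertext.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}
// decryptPAN reverses encryptPAN; the GCM tag rejects any tampered ciphertext.
func decryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("bad key or ciphertext too short")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}
```

The key itself must live outside the data store (an HSM or a key management service), which is what makes the stored ciphertext useless on its own.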

Requirement 4: Encrypt transmission of cardholder data across open, public networks

This requirement is about protecting cardholder data when it’s being transmitted across open, public networks, such as the internet, wireless technologies, cellular technologies, General Packet Radio Service (GPRS), and satellite communications. 

When cardholder data must be shared over open, public networks, businesses should use strong encryption technology to mask the data from unauthorized users. 

PCI DSS also states that businesses should never send unprotected PAN through end-user messaging, such as email, instant message, SMS, and chat.

Requirement 5: Use and regularly update anti-virus software or programs

Malicious software, or malware, can enter a network through email or other online activities. To protect cardholder data against such threats, anti-virus software must be installed and regularly updated.  

Requirement 5 outlines specific steps businesses must take to protect against malware, including:

  • Install anti-virus software on all systems commonly affected by malware
  • Ensure anti-virus software performs periodic scans and generates audit logs
  • Ensure anti-virus software cannot be altered or disabled by users 

Requirement 6: Develop and maintain secure systems and applications

The purpose of Requirement 6 is to ensure you have a process in place to manage the software within your CDE. This requirement includes all applications within your environment, not just the ones you purchase or develop internally. 

PCI DSS requires businesses to install security patches in a timely manner to protect cardholder data. It also describes software development best practices to prevent vulnerabilities.

Requirement 7: Restrict access to cardholder data by business need-to-know

Access controls allow a business to determine which users are authorized to access cardholder data. As a general rule of thumb, PCI DSS prescribes that authorization should be granted on a need-to-know basis. 

Requirement 7 states that a business should restrict access to cardholder data only to employees who need the information to perform their job. 

Requirement 8: Assign a unique ID to each person with computer access

PCI DSS also requires businesses to assign a unique ID to each employee with access to system components. This allows the business to keep a history of which users have accessed various aspects of cardholder data in the event of a data breach. 

Requirement 8 also requires multi-factor authentication and password encryption to further protect user accounts.

Requirement 9: Restrict physical access to cardholder data

The purpose of this requirement is to limit the physical access to cardholder data to on-site personnel that need the information to do their job. PCI DSS also asks businesses to clearly distinguish on-site personnel from visitors, such as with ID badges. 

Requirement 9 also outlines steps businesses must take to secure media, which is any paper or electronic media containing cardholder data. This includes storing media backups in a safe, off-site location and destroying media when it is no longer needed. 

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 10 focuses on log generation and being able to track actions back to an individual account. This helps a business quickly identify the source of a vulnerability or attack when something goes wrong. 

Businesses are required to implement automated audit trails that link all system component access to each individual user. They must also secure audit trails so they’re unable to be altered.

Requirement 11: Regularly test security systems and processes

The purpose of Requirement 11 is to maintain the ongoing security of internal and external systems and processes through regular testing. 

These tests include quarterly network vulnerability scans and annual penetration testing. Network intrusion detection techniques must also be deployed to detect and prevent network intrusions.

Requirement 12: Maintain a policy that addresses information security for employees and contractors

The final requirement of PCI DSS requires businesses to create and maintain an information security policy that will influence security practices across the entire organization. 

It also requires businesses to: 

  • Develop a security awareness program
  • Conduct background checks on potential hires 
  • Implement an incident response plan
  • Conduct an annual risk assessment
  • Create a technology usage policy 
  • Define employee information security responsibilities  
  • Assign specific responsibilities for protecting cardholder data

How Secureframe can help you meet PCI compliance requirements

Not sure where your business stands when it comes to PCI compliance?

Secureframe can help gauge whether you’re ready for the audit process with our PCI readiness assessment. 

Our experts can help you proactively assess your cardholder data environment to see if you’re ready for a PCI audit or if you need to address non-conformities first.  

Request a demo today to get started on your PCI compliance journey.