The 12 Requirements of the PCI DSS
This page outlines the Payment Card Industry Data Security Standard’s 12 requirements and explains how to achieve and maintain compliance with each of them. The requirements apply to “all system components included in or connected to the cardholder data environment” – i.e. the “people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data”. Note that not all companies need to comply with all 12 requirements: compliance requirements depend on the type and volume of transactions your organisation undertakes, and will be dictated by your acquiring bank.
Compliance with the PCI DSS might seem onerous but it is not solely a matter of legal obligation – its requirements offer strong data security measures that will benefit your organisation. Indeed, the Verizon 2015 PCI Compliance Report found a strong correlation between non-compliance with the PCI DSS and the likelihood of suffering a data breach.
See our main PCI DSS information page for further guidance >>
The 12 requirements of the PCI DSS
The use of logging mechanisms is critical in preventing, detecting and minimising the impact of data compromise. If system usage is not logged, potential breaches cannot be identified. Secure, controlled audit trails must therefore be implemented that link all access to system components with individual users and log their actions. This includes access to cardholder data, actions taken by individuals with root or administrative privileges, access to audit trails, invalid logical access attempts, use of and changes to identification and authentication mechanisms, the initialising, stopping or pausing of audit logs, and the creation and deletion of system-level objects. An audit trail history should be retained for at least a year, with a minimum of three months’ logs immediately available for analysis. Logs and security events should be regularly reviewed to identify anomalous or suspicious activity.
Discover our range of best selling PCI DSS products and services
IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your cardholder data environment, conduct a risk assessment or test the security of your systems and processes, we can help. View our range of best selling products and services below.
Speak to an expert
For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.