The 12 Requirements of the PCI DSS
This page outlines the Payment Card Industry Data Security Standard’s 12 requirements and explains how to achieve and maintain compliance with each of them. The requirements apply to “all system components included in or connected to the cardholder data environment” – i.e. the “people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data”. Note that not all companies need to comply with all 12 requirements: compliance requirements depend on the type and volume of transactions your organisation undertakes, and will be dictated by your acquiring bank.
Compliance with the PCI DSS might seem onerous but it is not solely a matter of legal obligation – its requirements offer strong data security measures that will benefit your organisation. Indeed, the Verizon 2015 PCI Compliance Report found a strong correlation between non-compliance with the PCI DSS and the likelihood of suffering a data breach.
The 12 requirements of the PCI DSS
The use of logging mechanisms is critical in preventing, detecting and minimising the impact of data compromise. If system usage is not logged, potential breaches cannot be identified. Secure, controlled audit trails must therefore be implemented that link all access to system components with individual users and log their actions. This includes:
- Access to cardholder data;
- Actions taken by individuals with root or administrative privileges;
- Access to audit trails;
- Invalid logical access attempts;
- Use of and changes to identification and authentication mechanisms;
- The initialising, stopping or pausing of audit logs; and
- The creation and deletion of system-level objects.
An audit trail history should be retained for at least a year, with a minimum of three months’ logs immediately available for analysis. Logs and security events should be regularly reviewed to identify anomalous or suspicious activity.
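As an added example (not from the original page or any PCI DSS tooling), a small Python review script over a constructed audit trail that applies the checks above: every entry is tied to a named user, privileged actions and audit-log stop/pause events are flagged, repeated invalid access attempts are detected, and each entry is classified against the three-month online and one-year retention windows. The log format, user names, thresholds and review date are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): timestamp, user, event, target.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice  login_ok      app01
2024-03-01T09:05:12 alice  read_chd      db01
2024-03-01T09:07:40 root   config_change fw01
2024-03-01T09:10:01 mallet login_fail    app01
2024-03-01T09:10:05 mallet login_fail    app01
2024-03-01T09:10:09 mallet login_fail    app01
2024-03-01T09:12:00 bob    audit_stop    log01
2023-01-15T10:00:00 alice  read_chd      db01
"""
SAMPLE_NOW = datetime(2024, 3, 2)  # assumed time of the review

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PRIVILEGED_USERS = {"root", "admin"}      # assumed naming convention
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
ONLINE_DAYS, RETAIN_DAYS = 90, 365        # three months online, one year total

def parse(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the review
            ts, user, event, target = m.groups()
            entries.append((datetime.fromisoformat(ts), user, event, target))
    return entries

def review(text, now):
    """Flag the event classes that need review and classify each entry's retention."""
    findings = defaultdict(list)
    fails = defaultdict(list)
    for ts, user, event, target in parse(text):
        if user in PRIVILEGED_USERS:
            findings["privileged_action"].append((ts, user, event, target))
        if event in ("audit_stop", "audit_pause"):
            findings["audit_log_tampering"].append((ts, user, event, target))
        if event == "login_fail":
            # keep only this user's failures inside the sliding window
            recent = fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(recent) >= FAIL_THRESHOLD and user not in findings["repeated_failures"]:
                findings["repeated_failures"].append(user)
        age = now - ts
        if age <= timedelta(days=ONLINE_DAYS):
            findings["must_be_online"].append(ts)
        elif age > timedelta(days=RETAIN_DAYS):
            findings["past_retention"].append(ts)
    return dict(findings)
```

Call `review(SAMPLE_LOG, SAMPLE_NOW)` to get the findings grouped by category; in a real deployment the parser would be replaced by one for the platform's own log format.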
Download our free PCI DSS webinars
Security technologies can only go so far in protecting an organisation and helping maintain compliance. Policies are needed to address the weak link in security: people.
If people don’t know or understand what’s expected of them, they can put cardholder data at risk, regardless of the other security measures you have in place. Policies play an important role in securing data. They are the foundation for everything else as they provide direction and instruction, and assign responsibility.
Understand how to develop PCI policies, including:
- The differences between a policy, a form and a procedure;
- How to identify which policies and clauses you need to address; and
- How to clearly state the tasks and responsibilities your company has when handling payment card data.
Discover our range of best-selling PCI DSS products and services
IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your cardholder data environment, conduct a risk assessment or test the security of your systems and processes, we can help. View our range of best-selling products and services below.
Speak to an expert
For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.