
The 12 Requirements of the PCI DSS

Compliance with the PCI DSS (Payment Card Industry Data Security Standard) might seem onerous: its 12 requirements apply to all system components included in or connected to the cardholder data environment, i.e. the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. However, not all organisations have to comply with all 12 requirements; which apply to you is dictated by your acquiring bank according to the volume and type of transactions you handle. Moreover, PCI DSS compliance delivers strong data security measures, as supported by the findings of the Verizon 2015 PCI Compliance Report, which revealed a strong correlation between non-compliance with the PCI DSS and the likelihood of suffering a data breach.


Latest changes introduced by version 3.2

For the changes to the individual requirements introduced in PCI DSS version 3.2, please consult the standard itself.

The 12 requirements of the PCI DSS are:

Build and maintain a secure network and systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Version 3.1 removed SSL from the examples of secure technologies given for this requirement.

Maintain a vulnerability management program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security for all personnel

PCI DSS solutions

IT Governance sources, publishes and distributes the world’s best selection of PCI DSS resources, and provides a wide range of services to help you meet your PCI DSS obligations.

Speak to an expert

For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.