What Are The 12 PCI DSS Requirements?

PCI DSS Requirements

In order to handle cardholder data, businesses must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of their size. Compliance with this standard must be maintained at all times and validated annually. Credit card companies typically mandate compliance with PCI DSS and include it in their network agreements.

It is presented as the minimum criteria that all merchants should strive to achieve to avoid data breaches. For those who provide PCI solutions to merchants, products must be compliant, which means they have to meet the 12 requirements.

In this blog, you will learn what the 12 PCI DSS requirements are, what they involve and how you can maintain them.

The Data Security Standard

Before we delve into the 12 PCI DSS requirements, it is first necessary to understand the 6 overarching principles behind them.

  1. Establish and sustain a secure network infrastructure.
  2. Safeguard cardholder data against potential theft or compromise.
  3. Implement a vulnerability management program to detect and address security loopholes.
  4. Deploy robust access control measures to ensure authorised access only.
  5. Conduct regular monitoring and testing of networks for potential vulnerabilities.
  6. Establish and maintain an information security policy to guide organisational practices.

If all of these principles are met, then the environment in which payment card transactions take place is compliant.

PCI DSS Requirements

The operational and technical requirements mandated by the PCI SSC are primarily designed to safeguard cardholder data consistently and comprehensively. These rules serve as a core focus for all stakeholders involved in the payment card industry.

The 12 PCI DSS Requirements are: 

  1. Establish and maintain a firewall configuration to safeguard cardholder data from unauthorised access.
  2. Do not use default passwords or other security parameters vendors provide for system access control.
  3. Protect stored cardholder data by implementing appropriate security measures.
  4. Encrypt transmission of cardholder data when transmitted on public networks.
  5. Use anti-virus software that is regularly updated to prevent potential threats.
  6. Develop and maintain secure systems and applications to protect cardholder data.
  7. Restrict access to cardholder data by allowing access only on a need-to-know basis.
  8. Assign a unique identification to individuals with computer access to track system use.
  9. Restrict physical access to cardholder data storage areas to prevent unauthorised access.
  10. Monitor and track all access to network resources and cardholder data.
  11. Regularly test security systems and processes for potential vulnerabilities.
  12. Maintain an information security policy applicable to all personnel.

Once all of these 12 PCI DSS requirements are met, you can take payments over the phone and online.

PCI DSS Requirement 1: Robust Firewall Configuration

A firewall is a control that acts as a shield around your company network to prevent the "wrong" people from accessing your data. You can also create firewalls within your network so that sensitive and confidential data is not visible to everyone in the company, granting access only to specific individuals. This means not all employees can access card information, adding another layer of security to your business.

To keep a firewall effective, its traffic should be monitored, and firewall and router configurations should be reviewed every six months and reconfigured if necessary.

PCI DSS Requirement 2: Avoid Default Passwords

Operating systems, servers, firewalls, and other elements of your infrastructure arrive with factory-set default usernames and passwords. Change them as soon as they are received, because these passwords are usually easy to guess and are often published on the internet.

In addition, users who create accounts to access applications should not be given a default password. A skilled hacker or cyber criminal can work through lists of common default passwords and will try their luck to gain access to employee or customer records. To avoid this complication altogether, PCI DSS suggests you disable all unnecessary default accounts before installing systems on the network.

PCI DSS Requirement 3: Safety Measures For Stored Card Data

This requirement states that, unless necessary for a business function, cardholder data should not be stored anywhere. If the data has to be stored, it is important to follow steps to minimise the risk of exposure.

First, minimise the time the data is held and purge it periodically. Also, ensure that all authentication information is unreadable by rendering it through encryption, so that the card number is hidden and only the first or last 4 digits are shown. If you have to retain data, the last mandatory task is to ensure that all cryptographic keys and encryption tools are documented, recorded and protected.

PCI DSS Requirement 4: Ensure Public Networks Have Encryption

While a firewall is excellent at keeping cybercriminals out of your internal networks, it can be more of a challenge to ensure that cardholder data is not intercepted while being transmitted across open public networks. 

PCI DSS requires merchants to use encryption so that the data is unreadable throughout the transaction. Encrypting the data before it leaves your network means that an attacker who intercepts it cannot read it without the key.

PCI DSS Requirement 5: Anti-Virus Software Enabled

This requirement states that anti-virus software must be installed on all systems that could be affected by malware. This includes all hardware located on-site and within the cloud.

It is also essential to keep the anti-virus software updated and to schedule periodic scans of your systems so that any malware present is detected.

PCI DSS Requirement 6: Maintain Secure Systems

Requirement 6 of PCI DSS lays out a comprehensive risk management framework that includes identifying vulnerabilities, implementing security patches, prioritising risks, and following a specific order of security measures. This requirement mandates that every stage of the software development process, from coding and patching to addressing vulnerabilities, must incorporate strict security measures to ensure the safety of customer data.

PCI DSS Requirement 7: Restrict Access

Only people who need cardholder data for business operations should have access to that data; everyone else should be restricted. This should be defined from the start, and access rights should be updated when a user is terminated, leaves the company or changes roles.

PCI DSS Requirement 8: ID To Track Usage

All users with permission to access and handle cardholder data must be identifiable on the system so their activities can be traced, tracked and monitored. Along with their unique ID, they must also have a strong password, and additional authentication controls must be used to strengthen this password-based login.

PCI DSS Requirement 9: Restrict Physical Access

Requirement 9 covers how the environment in which card payments are accepted, and in which card data is transmitted and stored, should be physically secured. In line with these restrictions, PCI DSS requirements 7 and 8 should also be taken into consideration here.

Where the employees who handle sensitive card information are located within the building is important. These should be restricted zones, along with all related documentation. Electronic data must be rendered unreadable.

PCI DSS Requirement 10: Monitor And Track

This requirement sets guidelines for logging, tracking and monitoring all user activities. It requires you to create audit logs and audit trails so that unusual activity, such as a hacker trying to infiltrate the system, can be spotted. Audit logs or trails should record the user ID, date and time, and should be reviewed by administrators with a high level of permission.

The requirement also states that these audit records must be kept for at least a year, with the most recent 3 months immediately accessible for review. This ensures that errors can be spotted before data is breached.

PCI DSS Requirement 11: Regularly Test Systems

Requirement 11 discusses the need to run vulnerability scans and penetration tests. With the introduction of new software and new malware attacks, the number of unknown vulnerabilities can increase, and by running these scans, loopholes can be identified. This links to PCI DSS requirements 5 and 6, which help maintain secure systems.

PCI DSS Requirement 12: Maintain An Information Security Policy

This requirement aligns PCI DSS with IT governance. It covers employee training, risk reduction and creating a solid security policy that is scoped across the whole of your organisation. The policy should align with your other risk, governance and cybersecurity frameworks, and it should be shared across your company so everyone is aware of it. It is also essential to perform regular risk assessments and introduce controls in response.

To be compliant, it is important that all of these PCI DSS requirements are met; if even one is missing, you cannot be fully secure when taking payments over the phone or online.

If you need to become PCI compliant, please do not hesitate to contact the Silver Lining team to ensure your customers have peace of mind when they make a purchase with you. To find out more, please click the link below to our PCI solutions page, where we can hit all of the PCI DSS requirements for you. Call us on 0345 313 111 or email us at info@silver-lining.com

© Silver Lining Convergence Ltd
Registered Company Number: 06212357