pci requirements, pci dss, pci requirements list, pci dss requirements, pci compliance, pci requirements, dss, pci

The 12 Requirements of the PCI DSS

Following on from our ‘Introduction to PCI DSS’, we are now going to focus on the 12 technical and operational requirements along with the 6 control objectives, which all organisations processing payment cardholder data must comply with.

For each requirement, we will explain what the purpose is and will provide some examples of the controls that you will need in order to meet the requirement.

What are the Control Objectives?

The PCI DSS identifies twelve requirements clustered into six related control objectives that are designed to protect the account data. These control objectives are designed to provide context for each requirement and are as follows:

Maintain a Secure Network and System

Requirement 1 and 2

Protect Cardholder Data

Requirement 3 and 4

Maintain a Vulnerability Management Program

Requirement 5 and 6

pci dss requirements, pci, compliance, dss, Self assessment, pci compliance, what is pci, aoc, pcidss, pci-dss, pci requirements list

Implement Strong Access Control Measures

Requirement 7, 8 and 9

pci dss requirements, pci, compliance, dss, Self assessment, pci compliance, what is pci, aoc, pcidss, pci-dss, pci requirements list

Regularly Monitor and Test Networks

Requirement 10 and 11

pci dss requirements, pci, compliance, dss, Self assessment, pci compliance, what is pci, aoc, pcidss, pci-dss, pci requirements list

Maintain an Information Security Policy

Requirement 12

Requirement 1 – Install and Maintain a Firewall Configuration

Both Requirements 1 and 2 are intended to help you build and maintain a secure network.

Firewalls allow control of network traffic between trusted and untrusted networks and so requirement 1 contains controls for restricting network traffic, something which is at the very core of a secure network. Controls like; justifying your firewall rules, anti-IP spoofing, default deny-all settings, specifically authorising inbound and outbound traffic.

Requirement 2 – Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

In essence, this requirement is all about ensuring that devices other than firewalls are configured securely; devices such as servers, desktops, laptops, mobiles, etc. And the controls are similar to requirement 1 in that they focus on secure configuration standards and only required and secure functionality.

Requirement 3 – Protect Stored Cardholder Data

Requirements 3 and 4 are both included to help protect cardholder data and so Requirement 3 includes a large number of controls on how you should encrypt cardholder data when it is stored. Due to the nature of encryption technology, this is actually a complex requirement and why it starts with the sound advice ‘If you don’t need it, don’t store it’.

Requirement 4 – Encrypt Transmission of Cardholder Data Across Open, Public Networks

This requirement includes controls which are designed to protect the cardholder data while it is being transmitted, including controls such as; ‘always use strong cryptography’, ‘always secure wireless networks’ and ‘restrict the technologies that are used to transmit CHD to a minimum’.

Requirement 5 – Protect all Systems Against Malware and Regularly Update Anti-Virus Software or Programs

Requirements 5 and 6 are designed to help maintain a vulnerability management program.

Requirement 5 is entitled ‘Protect all systems against malware and regularly update anti-virus software’, which doesn’t leave much to the imagination. It includes controls focused on deploying, using, and maintaining anti-malware wherever you can.

Requirement 6 – Develop and Maintain Secure Systems and Applications

This requirement focuses on two areas: patch management and secure software development.

It provides controls on the frequency of patching as well as on developing software securely including for example; using secure coding standards, code reviews, developer training, web-application firewalls and many more.

Requirement 7 – Restrict access to cardholder data by business need to know

Implement Strong Access Control Measures covers requirements 7, 8, and 9.

Requirement 7 is all about the administrative side of access control.  It contains controls around clearly defining who has access to what, using best practice and commonly used principles like ‘need-to-know’ and ‘least privilege’.

Requirement 8 – Identify and Authenticate Access to Systems Components

Requirement 8 focuses on the technical side of access control and includes a large number of controls that are designed to restrict users’ access, such as; password length and complexity, Multi-Factor Authentication, no shared accounts, accountability and traceability of users’ actions.

Requirement 9 – Restrict Physical Access to Cardholder Data

Requirement 9 focuses on restricting physical access to cardholder data, specifying controls such as; facility entry controls, visitor procedures, controlling access to physical media such as USB drives and paper records.

Requirement 10 – Track and Monitor all Access to Network Resources and Cardholder Data

Requirements 10 and 11 are under the ‘regularly monitor and test networks’ control objective.

Requirement 10 is probably the most difficult, as it involves collecting and monitoring logs from all devices in scope. All these logs need to be stored and analysed for security events, which then need to be alerted and followed up with an incident management process.

Requirement 11 – Regularly Test Security Systems and Processes

This requirement is resource-intensive as you are required to perform regular vulnerability scanning and penetration testing, either by qualified in-house staff or external parties. This requirement involves quite a bit of budgeting and planning and includes controls such as IDS or IPS and change detection systems.

Requirement 12 – Maintain a Policy that Addresses Information Security for all Personnel

Requirement 12 is the only one under the final control objective ‘Maintain an information security policy’

It covers all the policy and procedure documentation required including annual risk assessments, security awareness training, 3rd party due diligence, incident response plans.

If you have knowledge of the ISO 27000 series of standards, you will already be familiar with the need for policies and documentation.

More about PCI DSS

Consultancy Services

Auditing Services

About URM

Follow us on