Both Requirements 1 and 2 are intended to help you build and maintain a secure network.

Firewalls allow control of network traffic between trusted and untrusted networks and so requirement 1 contains controls for restricting network traffic, something which is at the very core of a secure network. Controls like; justifying your firewall rules, anti-IP spoofing, default deny-all settings, specifically authorising inbound and outbound traffic.

Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters

In essence, this requirement is all about ensuring that devices other than firewalls are configured securely; devices such as servers, desktops, laptops, mobiles, etc. And the controls are similar to requirement 1 in that they focus on secure configuration standards and only required and secure functionality.

Requirement 3 – Protect stored cardholder data

Requirements 3 and 4 are both included to help protect cardholder data and so Requirement 3 includes a large number of controls on how you should encrypt cardholder data when it is stored. Due to the nature of encryption technology, this is actually a complex requirement and why it starts with the sound advice ‘If you don’t need it, don’t store it’.

Requirement 4 – Encrypt transmission of cardholder data across open, public networks

This requirement includes controls which are designed to protect the cardholder data while it is being transmitted, including controls such as; ‘always use strong cryptography’, ‘always secure wireless networks’ and ‘restrict the technologies that are used to transmit CHD to a minimum’.

Requirement 5 – Protect all systems against malware and regularly update anti-virus software or programs

Requirements 5 and 6 are designed to help maintain a vulnerability management program.

Requirement 5 is entitled ‘Protect all systems against malware and regularly update anti-virus software’, which doesn’t leave much to the imagination. It includes controls focused on deploying, using, and maintaining anti-malware wherever you can.

Requirement 6 – Develop and maintain secure systems and applications

This requirement focuses on two areas: patch management and secure software development.

It provides controls on the frequency of patching as well as on developing software securely including for example; using secure coding standards, code reviews, developer training, web-application firewalls and many more.

Requirement 7 – Restrict access to cardholder data by business need to know

Implement Strong Access Control Measures covers requirements 7, 8, and 9.

Requirement 7 is all about the administrative side of access control.  It contains controls around clearly defining who has access to what, using best practice and commonly used principles like ‘need-to-know’ and ‘least privilege’.

Requirement 8 – Identify and authenticate access to systems components

Requirement 8 focuses on the technical side of access control and includes a large number of controls that are designed to restrict users’ access, such as; password length and complexity, Multi-Factor Authentication, no shared accounts, accountability and traceability of users’ actions.

Requirement 9 – Restrict physical access to cardholder data

Requirement 9 focuses on restricting physical access to cardholder data, specifying controls such as; facility entry controls, visitor procedures, controlling access to physical media such as USB drives and paper records.

Requirement 10 – Track and monitor all access to network resources and cardholder data

Requirements 10 and 11 are under the ‘regularly monitor and test networks’ control objective.

Requirement 10 is probably the most difficult, as it involves collecting and monitoring logs from all devices in scope. All these logs need to be stored and analysed for security events, which then need to be alerted and followed up with an incident management process.

Requirement 11 – Regularly test security systems and processes

This requirement is resource-intensive as you are required to perform regular vulnerability scanning and penetration testing, either by qualified in-house staff or external parties. This requirement involves quite a bit of budgeting and planning and includes controls such as IDS or IPS and change detection systems.

Requirement 12 – Maintain a policy that addresses information security for all personnel

Requirement 12 is the only one under the final control objective ‘Maintain an information security policy’

It covers all the policy and procedure documentation required including annual risk assessments, security awareness training, 3rd party due diligence, incident response plans.

If you have knowledge of the ISO 27000 series of standards, you will already be familiar with the need for policies and documentation.