PCI DSS – The 12 Compliance Requirements
The 12 requirements of the PCI DSS
Following on from our ‘Introduction to PCI DSS’, we are now going to focus on the 12 technical and operational requirements along with the 6 control objectives, which all organisations processing payment cardholder data must comply with. For each requirement, we will explain what the purpose is and will provide some examples of the controls that you will need in order to meet the requirement.
What are the control objectives?
The PCI DSS identifies twelve requirements clustered into six related control objectives that are designed to protect the account data. These control objectives are designed to provide context for each requirement and are as follows:
Maintain a Secure Network and System
Requirement 1 and 2
Protect Cardholder Data
Requirement 3 and 4
Maintain a Vulnerability Management Program
Requirement 5 and 6
Implement Strong Access Control Measures
Requirement 7, 8 and 9
Regularly Monitor and Test Networks
Requirement 10 and 11
Maintain an Information Security Policy
Requirement 1 – Install and maintain a firewall configuration
Both Requirements 1 and 2 are intended to help you build and maintain a secure network.
Firewalls allow control of network traffic between trusted and untrusted networks and so requirement 1 contains controls for restricting network traffic, something which is at the very core of a secure network. Controls like; justifying your firewall rules, anti-IP spoofing, default deny-all settings, specifically authorising inbound and outbound traffic.
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters
In essence, this requirement is all about ensuring that devices other than firewalls are configured securely; devices such as servers, desktops, laptops, mobiles, etc. And the controls are similar to requirement 1 in that they focus on secure configuration standards and only required and secure functionality.
Requirement 3 – Protect stored cardholder data
Requirements 3 and 4 are both included to help protect cardholder data and so Requirement 3 includes a large number of controls on how you should encrypt cardholder data when it is stored. Due to the nature of encryption technology, this is actually a complex requirement and why it starts with the sound advice ‘If you don’t need it, don’t store it’.
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
This requirement includes controls which are designed to protect the cardholder data while it is being transmitted, including controls such as; ‘always use strong cryptography’, ‘always secure wireless networks’ and ‘restrict the technologies that are used to transmit CHD to a minimum’.
Requirement 5 – Protect all systems against malware and regularly update anti-virus software or programs
Requirements 5 and 6 are designed to help maintain a vulnerability management program.
Requirement 5 is entitled ‘Protect all systems against malware and regularly update anti-virus software’, which doesn’t leave much to the imagination. It includes controls focused on deploying, using, and maintaining anti-malware wherever you can.
Requirement 6 – Develop and maintain secure systems and applications
This requirement focuses on two areas: patch management and secure software development.
It provides controls on the frequency of patching as well as on developing software securely including for example; using secure coding standards, code reviews, developer training, web-application firewalls and many more.
Requirement 7 – Restrict access to cardholder data by business need to know
Implement Strong Access Control Measures covers requirements 7, 8, and 9.
Requirement 7 is all about the administrative side of access control. It contains controls around clearly defining who has access to what, using best practice and commonly used principles like ‘need-to-know’ and ‘least privilege’.
Requirement 8 – Identify and authenticate access to systems components
Requirement 8 focuses on the technical side of access control and includes a large number of controls that are designed to restrict users’ access, such as; password length and complexity, Multi-Factor Authentication, no shared accounts, accountability and traceability of users’ actions.
Requirement 9 – Restrict physical access to cardholder data
Requirement 9 focuses on restricting physical access to cardholder data, specifying controls such as; facility entry controls, visitor procedures, controlling access to physical media such as USB drives and paper records.
Requirement 10 – Track and monitor all access to network resources and cardholder data
Requirements 10 and 11 are under the ‘regularly monitor and test networks’ control objective.
Requirement 10 is probably the most difficult, as it involves collecting and monitoring logs from all devices in scope. All these logs need to be stored and analysed for security events, which then need to be alerted and followed up with an incident management process.
Requirement 11 – Regularly test security systems and processes
This requirement is resource-intensive as you are required to perform regular vulnerability scanning and penetration testing, either by qualified in-house staff or external parties. This requirement involves quite a bit of budgeting and planning and includes controls such as IDS or IPS and change detection systems.
Requirement 12 – Maintain a policy that addresses information security for all personnel
Requirement 12 is the only one under the final control objective ‘Maintain an information security policy’
It covers all the policy and procedure documentation required including annual risk assessments, security awareness training, 3rd party due diligence, incident response plans.
If you have knowledge of the ISO 27000 series of standards, you will already be familiar with the need for policies and documentation.
MORE ABOUT URM CONSULTING AND HOW IT COULD
SUPPORT YOUR PCI DSS COMPLIANCE JOURNEY
URM’s team of PCI Qualified Security Assessors and consultants
are some of the most experienced and proficient in the UK.
Always adopting a pragmatic and tailored approach, our team can
assist you with all aspects of PCI DSS compliance from conducting
a gap analysis, helping you reduce your CDE scope, to assisting
you complete a SAQ or conduct a full QSA-led RoC assessment
More about PCI DSS
Our office is open 08:00 – 17:30 Monday to Friday.