PCI DSS Requirements Explained

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that store, process, or transmit credit card information maintain a secure environment. The standard is organized into 12 high-level requirements that businesses must meet to protect cardholder data.

The 12 PCI DSS Requirements

  1. Build and Maintain a Secure Network — Install and maintain firewall configurations to protect cardholder data.
  2. Protect Cardholder Data — Do not store sensitive authentication data after authorization. Protect stored cardholder data through encryption and other means.
  3. Vulnerability Management — Protect systems against malware and keep security software up to date. Develop and maintain secure systems and applications.
  4. Access Control — Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
  5. Monitoring and Testing — Track and monitor all access to network resources and cardholder data. Regularly test security systems and networks.
  6. Security Policies — Maintain a policy that addresses information security for all personnel.
  7. Secure Network Architecture — Implement network security controls such as firewalls and network segmentation.
  8. Strong Access Control Measures — Implement identification and authentication mechanisms for access to system components.
  9. Restrict Physical Access — Implement physical access controls for facilities that house systems storing cardholder data.
  10. Log and Monitor — Implement logging, monitoring, and alerting to detect and respond to security events.
  11. Test Security Systems — Regularly test security systems, networks, and applications for vulnerabilities.
  12. Information Security Policy — Maintain an information security policy and ensure all personnel are aware of and follow it.

Each requirement contains multiple sub-requirements and testing procedures. The exact controls you must implement depend on your Self-Assessment Questionnaire (SAQ) type and on the scope of your cardholder data environment. Understanding these requirements helps you prioritize security efforts and prepare for validation.

Find out which requirements apply to your environment with our guided assessment.