The 12 Requirements of PCI DSS Compliance

PCI DSS is the data security standard for the payment card industry and is maintained by the PCI Security Standards Council (PCI SSC).

This standard is presented as the minimum criteria merchants should strive for in order to avoid data breaches. For independent software vendors (ISVs) who provide software solutions to merchants, products need to be compliant, which means meeting the 12 requirements is a must.

Read on to learn the 12 requirements of PCI DSS, what they entail, and how you can stay PCI compliant.

The PCI Data Security Standard

There are six major principles of PCI DSS.

Think of these principles as the “goals” that the various PCI DSS policies and procedures intend to achieve.

All 12 requirements pertain to a principle, and these principles are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

If these conditions are met, then the payment card transaction environment is compliant.

The 12 Requirements of PCI DSS

The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is to protect cardholder data at all times.

These standards apply not just to merchants and ISVs but anyone that stores, processes, transmits, or otherwise manipulates cardholder data. Service providers who can affect the security of cardholder data are also responsible for compliance with applicable requirements. PCI DSS applies for mobile applications too, so it’s important to have a solid understanding of the standards.

The 12 requirements of PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks 
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

1. Install and maintain a firewall configuration to protect cardholder data

Criminals no longer need physical access to cardholder data in order to steal it, and a core PCI DSS goal is to build and maintain a secure network.

This first requirement ensures that merchants as well as ISVs do so through the proper configuration of a firewall as well as routers if applicable.

Organizations should establish firewall and router standards, which allow for standardized testing of that equipment whenever hardware or software changes are made. Configuration rules should be reviewed twice a year (at least every six months) and should restrict all untrusted traffic except in cases where that communication protocol is required to process cardholder data.

It’s necessary to prohibit access from the internet to any component within the cardholder data environment. If employees or other relevant personnel have computers or mobile devices that access the organization’s network, those systems must be equipped with personal firewall software.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Among the most common and simplest exploits available to criminals is the ability to compromise a system because a firewall, router, or other hardware or software uses a standard password. Routers, for instance, often ship with the username “admin” and the password “admin” for the sake of convenience.

Such default passwords and other security parameters are not permissible per this requirement. Those parameters must be changed before the new item interfaces with the established system in any way.

3. Protect stored cardholder data

Any organization that accepts payment cards is required to protect cardholder data in order to prevent unauthorized usage. Cardholder data should never be stored unless required for legal, regulatory or business needs. In the event storage is necessary, this requirement focuses on securing stored data.

Organizations must limit storage and retention time to the bare minimum and should perform a purge at least every quarter. Sensitive data - even if encrypted - should never be stored beyond what’s necessary to finalize a transaction.

This requirement also includes rules for how primary account numbers should be displayed, such as revealing only the first six and last four digits. This requirement does not supersede other legal or payment card brand requirements, including requirements that further limit data which can be displayed on point-of-sale (POS) receipts.

4. Encrypt transmission of cardholder data across open, public networks

Cyber criminals can potentially access cardholder data when it’s transmitted across public networks. Encrypting that data prior to transmitting it and then decrypting it upon receipt limits the likelihood that thieves can access this data in a meaningful way.

This requirement demands strong cryptography and security protocols. It also provides recommendations to protect cardholder data during transmission, such as IPSec, SSH, and TLS, and necessitates employing the latest industry standards, such as IEEE 802.11i for wireless networks.

5. Use and regularly update anti-virus software or programs

PCI DSS necessitates a proactive and ongoing approach to discovering weaknesses within a payment card system. This is referred to as a vulnerability management program, and the first rule toward that end requires the deployment of an anti-virus solution. Such software must not be used only on core systems: many vulnerabilities are exploited via email and other seemingly innocuous online activities.

Anti-virus software should be deployed on all systems, including the workstations, laptops, and mobile devices that employees may use to access the system both locally and remotely. Ensure that AV mechanisms are always active, using the latest signature definitions, and generating auditable logs.

6. Develop and maintain secure systems and applications

Continuing on with managing vulnerabilities, organizations must limit the potential for exploits by keeping software secure. In many cases, this involves installing security patches as soon as available, and ISVs must work to ensure their merchants are aware of these patches and can access and execute them easily.

In addition to deploying critical patches in a timely manner, organizations must have a process in place not only to discover new vulnerabilities but also to rank them. All code created by an ISV must be in accordance with PCI DSS, and all new code and changed code must be analyzed for all known vulnerabilities and also assessed for unknown weaknesses that the new code may reveal.

7. Restrict access to cardholder data by business need to know

In order to implement strong access control measures, merchants must be able to allow or deny access to cardholder data as requested. The goal is to allow only authorized access, and unauthorized access is not simply limited to criminals. A person or an organization may request data that it does not need within the context of the current task; that request would be unauthorized and thus denied.

Need to know is a fundamental concept within PCI DSS. An agent may have permission to access certain data in a broad sense but not within a particular scenario. Therefore, an access control system must assess each request not just based on the agent making the request but also the circumstances. It must then deny any request that is not specifically permitted.

8. Assign a unique ID to each person with computer access

Having strong control measures in place requires that every authorized user have a unique identifier assigned to them. This ensures that whenever someone accesses cardholder data, that activity can be traced to a known user or at least immediately recognized as unauthorized access.

For remote access, two-factor authentication is required. You cannot use one factor twice; even the use of two distinct passwords isn’t acceptable. PCI DSS recommends technologies like RADIUS and TACACS, which use tokens - meaning you have a password as one factor and a token as another.

9. Restrict physical access to cardholder data

Another aspect of implementing control measures involves limiting the physical access that parties may have to this sensitive data. These parties can include employees, contractors, vendors, consultants, and guests, and access includes any opportunities to retrieve data via systems, devices, and hard copies.

Such protection requires on-site access control that not only restricts movement within an installation but also monitors and logs it. There must be procedures in place to easily and quickly identify people who don’t belong, and a site requires security personnel dedicated to enforcing these rules.

All media must be physically secured, and backups should be maintained at a site other than the primary location. Additionally, there must be procedures and controls in place to determine how information is distributed so that data doesn’t become exposed after access has been approved.

Finally, it’s necessary to destroy all media once the business no longer needs it and no legal obligation requires that it be retained.

10. Track and monitor all access to network resources and cardholder data

Cardholder access points are connected via both physical and wireless networks, and vulnerabilities in these networks make it easier for criminals to steal data. PCI DSS aims to prevent these exploits by requiring organizations to monitor and test their networks on a regular basis.

This requires real-time monitoring and logging as well as forensic mechanisms. But in order to make these systems effective, a certain foundation is required. This particular requirement focuses on those underpinnings, such as the ability to link all network traffic to a specific user.

Automated audit trails are necessary as well as the ability to reconstruct events. Audit trail records must meet a certain standard in terms of the information contained. Time synchronization is required. Audit data must be secured, and such data must be maintained for a period no shorter than a year.

11. Regularly test security systems and processes

New vulnerabilities surface continually, whether discovered by criminals or researchers or introduced along with new code. This means that all systems and processes must be tested on a frequent basis to ensure that security is maintained despite these environmental changes.

Organizations must test each quarter for wireless access points used to gain unauthorized access. Internal and external vulnerability scans are required at least every quarter but also whenever a significant network change has been made. Other ongoing requirements include penetration testing as well as the use of intrusion detection and prevention systems.

File integrity monitoring is a necessity, too. This mechanism can raise an alert whenever a user has modified a content, configuration, or system file in an unauthorized manner. The system should perform file comparisons at least weekly to detect changes that may have otherwise gone unnoticed.

12. Maintain a policy that addresses information security for all personnel

This final requirement is dedicated to the core PCI DSS goal of implementing and maintaining an information security policy for all employees and other relevant parties. It’s necessary not just to create and maintain the policy but also to publish and disseminate it.

There must be at least a yearly process through which the policy is challenged and then revised as required. It’s also necessary to ensure that all security procedures and usage policies are in accordance with the primary information security policy.

The requirement demands that there be at least one agent (and perhaps an entire team depending on the scope) who is responsible for these obligations. These personnel are in charge of creating awareness campaigns relevant to information security and are required to screen prospective employees, contractors, and so forth as part of the hiring process to avoid internal data breaches.

Conclusion

The 12 PCI DSS requirements are industry standards - not law. However, merchants will want to ensure PCI compliance with Global Payments Integrated to protect their customers’ sensitive data. 

Meeting the 12 requirements of PCI DSS compliance protects the merchant should a breach occur from financial penalties levied by banks. And because it’s often the financial institutions that enforce compliance, ISVs should ensure that their merchants meet those requirements and do so in the way banks expect. 

Contact Global Payments Integrated today to make sure your merchants' information stays safe.

Richard Rohena

Manager of PCI Compliance Services

Richard is the Manager of PCI Compliance Services with Global Payments Integrated, providing developers of credit card payment solutions and merchants with a deep understanding of the Payment Card Industry Data Security Standard (PCI-DSS). He has over 8 years of experience working directly with developers and merchants to implement secure payment solutions in a manner compliant with the PCI-DSS.
