- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we will take a big-picture look at the Payment Card Industry (PCI) Data Security Standards (DSS). You’ll learn what is required to be PCI compliant and what’s involved in each of the 12 PCI DSS requirements. You’ll also find a handy PCI Compliance Checklist for easy reference, including new PCI compliance requirements. By the end of this article, you’ll understand why PCI compliance matters and how to achieve PCI compliance and PCI DSS certification.
What Are PCI DSS Compliance Requirements?
The Payment Card Industry (PCI) Data Security Standards (DSS) are global data security standards designed to protect cardholder data and prevent credit fraud.
In 2006, the major credit card brands—American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.—joined together to form the PCI Security Standards Council. They issued a set of PCI data security standards to protect cardholders by securing credit and debit card transactions against data theft.
All merchants and service providers that store, process, and transmit cardholder data are responsible for following these technical and operational requirements. If your organization processes credit card data, it’s critical to understand not only the basic PCI compliance meaning, but also what is required to be PCI compliant, what the PCI compliance process entails, how many requirements are in PCI DSS, and what you’ll need to do to meet each requirement.
Is PCI DSS a Legal Compliance Requirement?
PCI DSS is not a legal compliance requirement. However, it is an important security standard that is required for any business that processes credit or debit card transactions. Organizations following PCI-DSS must have an annual assessment to validate compliance.
Failing to maintain PCI DSS compliance can result in hefty fines and penalties—not to mention the reputational damage of a data breach caused by not following proper protocol. And because the major credit card companies require compliance in order to process payment cards, it is an essential business requirement for many organizations.
The 12 Requirements of PCI DSS Overview
PCI DSS outlines 12 requirements for handling cardholder data and maintaining a secure network. The 12 requirements are organized into six broader goals and have more than 300 sub-requirements, so it can be difficult to navigate all the nuances.
There are also four PCI compliance levels based on the number of credit card transactions an organization processes annually. The more transactions an organization processes, the more stringent the requirements are, and the more difficult it is to achieve compliance. The four levels ensure that all organizations are held to specific compliance standards while also taking into account individual risk factors and infrastructure capabilities.
|PCI Compliance Level
|Level 1 (High Difficulty)
|Over 6 million
|Level 2 (High Difficulty)
|1 - 6 million
|Level 3 (Moderate Difficulty)
|20,000 - 1 million
|Level 4 (Low Difficulty)
|Fewer than 20,000
PCI Compliance Checklist: The 12 Requirements (Steps)
PCI DSS Requirements are always evolving. In March 2022, PCI DSS v 4.0 introduced changes to continue to meet the payment industry’s security needs and enhance controls based on increasingly sophisticated cyber attacks.
This article is based on PCI DSS v3.2.1, which remains active until March 2024. To start familiarizing yourself with Version 4.0 and prepare for how you’ll need to adapt, check out the PCI DSS v4.0 Resource Hub and the checklist below.
PCI DSS Checklist: PCI DSS Objectives and Requirements (v3.2.1 vs. v4.0)
The 12 PCI DSS requirements are organized into six primary objectives. Think of the objectives as what you’ll achieve with PCI DSS compliance, while the 12 requirements tell you exactly how to get there.
|PCI Requirements (v3.2.1)
|PCI Requirements (v4.0)
|Build and maintain a secure network and systems.
|1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
|1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
|Protect cardholder data.
|3. Protect stored data.
4. Encrypt transmission of cardholder data across open, public networks.
|3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
|Maintain a vulnerability management program.
|5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
|5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
|Implement strong access control measures.
|7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
|7. Restrict access to system components and cardholder data by need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
|Regularly monitor and test networks.
|10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
|10. Log and monitor all access to system components and cardholder data.
11. Test the security of systems and networks regularly.
|Maintain an information security policy.
|12. Maintain a policy that addresses information security for all personnel.
|12. Support information security with organizational policies and programs.
Now let’s take a closer look at what’s included in each of the 12 requirements and why they matter.
Step 1: Install and maintain a firewall configuration to protect cardholder data.
A firewall is the first line of defense for any network. Installing a firewall not only protects your cardholder data—but it also prevents unauthorized access for connections like e-commerce systems, email communication, and internet access.
Of course, simply installing a firewall isn’t enough. Proper maintenance is a critical part of meeting PCI DSS Requirement 1. Best practices include:
- Configure rules and criteria for your firewalls and routers to enforce a standardized process for restricting incoming and outgoing network access.
- Document your process and create diagrams to illustrate all cardholder data streams between systems and networks.
- Review your configuration rules and flowcharts at least every six months to ensure your rule sets continue to meet your business needs.
Step 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Vendors often deliver devices like firewalls and routers with default passwords, usernames, and administration accounts. While these vendor-supplied defaults can make installation easier, they are well-known in hacker communities and are frequently used to compromise systems. Changing them before placing the system on your network is critical to maintaining the security of your network.
PCI DSS Requirement 2 is all about hardening your network, making it more difficult for hackers and threat actors to gain access. Be sure to change all default passwords, including those used by:
- Operating systems
- Software that provides security services
- Application and system accounts
- Point-of-sale (POS) terminals
- Simple Network Management Protocol (SNMP) community strings
- Wireless equivalent privacy (WEP) keys
- Default service set identifier (SSID) passwords
Step 3: Protect stored cardholder data.
Storing sensitive data comes with a number of risks, and PCI DSS Requirement 3 focuses on minimizing those risks. Protect cardholder data by implementing security mechanisms like encryption, truncation, masking, and hashing. This ensures that even if hackers manage to circumvent other security checks to gain access, they will be unable to read and use the data.
Best practices for protecting cardholder data include:
- Use strong encryption for stored data and manage keys securely.
- Truncate or mask full primary account numbers (PANs) anywhere they’re not needed for business purposes.
- Minimize storage of unnecessary cardholder data.
- Formalize policies for data retention and destruction so cardholder data can be destroyed when it’s no longer needed.
Step 4: Encrypt transmission of cardholder data across open, public networks.
Malicious individuals can easily access sensitive data when it’s transmitted over open and unencrypted public networks. They can also use known vulnerabilities in protocol applications like SSL, SSH v1.0, and early TLS to gain system control.
Never send PANs or other cardholder data using unencrypted email or other end-user messaging like instant messaging, chat, or forum sessions. You must also disable weak keys and protocol implementations with known vulnerabilities and use stronger implementations like TLS 1.1 or higher.
Step 5: Use and regularly update anti-virus software or programs.
Today’s headlines are flooded with stories of cyber criminals using malicious software (malware) to steal credit card information and other sensitive data. It’s critical for organizations to implement anti-virus solutions and take other necessary precautions to prevent these attacks.
Make sure that your anti-virus software can detect, remove, and protect against all known malware types. Common types of malware attacks include viruses, worms, Trojans, bots, and ransomware. To ensure you’re staying ahead of the evolving threat landscape, regularly update your antivirus software, maintain audit logs, and track malware trends to monitor for new vulnerabilities.
Step 6: Develop and maintain secure systems and applications.
Security vulnerabilities are always emerging—and attackers are always ready to exploit them.
It’s critical to regularly install security patches and roll out updates in a timely manner to protect against new vulnerabilities.
Establish a process to identify security vulnerabilities using reputable outside sources such as
Microsoft Security Bulletins and Cisco Security Advisories to identify operating system vulnerabilities and critical patches. Assign a risk ranking such as “high,” “medium,” and “low” to newly discovered security vulnerabilities and prioritize mitigation accordingly.
Step 7: Restrict access to cardholder data by business requirements.
The more people with access to cardholder data, the greater the risk. Controlling access to cardholder data by granting access only to those who “need to know” helps prevent misuse of data through inexperience, lack of awareness, and ill intent. Review user access to data and establish a written policy with defined privileges based on the job functions and classifications of individual employees.
Step 8: Assign a unique ID to each person with computer access.
Each person with access to cardholder data should have a unique identification and password. Changes to authentication credentials should also be managed and controlled, including adding new users and deleting access for terminated ones.
User IDs and passwords should be complex enough to reduce the chances of threat actors guessing them. Refer to PCI Password Requirements below, which enforce criteria such as length of passwords and duration requirements. Finally, because even the strongest passwords are not unbreakable, a multi-factor authentication (MFA) mechanism should also be installed.
PCI Password Requirements
- The password must be a minimum of seven characters in length.
- It must contain both numbers and letters.
- Users are required to change their passwords every 90 days.
- The new password must be different from the previous four passwords.
- When passwords are generated for the user, for example, because the user is new or the user requires a password reset, the password must be unique to each user and be changed after the first use.
- When a user is locked out of their account, the lock will remain active for 30 minutes or until a system administrator can perform a reset.
- Vendor-supplied defaults will not be allowed.
- Passwords must be encrypted during transmission and storage.
Step 9: Restrict physical access to cardholder data.
Cardholder data doesn’t just live in the cloud; it’s also stored in physical locations such as servers, computer rooms, and data centers. Ensure that you restrict access to these areas with controls like badge readers and key-controlled locks, and monitor sensitive areas with security mechanisms like video cameras.
Other best practices for restricting physical access include implementing automatic server locking and timeout systems to ensure login screens are locked when they’re not in use.
Step 10: Track and monitor all access to network resources and cardholder data.
If cardholder data is compromised or something else goes wrong, organizations need to be able to analyze activity and determine the root cause. Troubleshooting and forensic investigation are very difficult without the proper logging mechanisms in place.
PCI DSS Requirement 10 ensures that organizations keep logs in their environments to track access to devices where cardholder data is stored, processed, and transmitted. Activities to audit include individual access to cardholder data, as well as invalid access attempts, access to audit logs, and a number of other transactions. This activity should not only be logged, but also monitored and regularly reviewed.
Step 11: Regularly test security systems and processes.
Once you’ve secured your system, how do you keep it that way? Test system components and processes to keep up-to-date with new vulnerabilities and an evolving threat landscape. Routinely check for wireless access points and unauthorized wireless devices, which are one of the most common ways attackers enter networks and access cardholder data.
PCI DSS Requirement 11 also covers vulnerability scanning and penetration testing. Organizations are required to conduct quarterly vulnerability scans to ensure the timely identification and closure of vulnerabilities across internal and external networks. Penetration tests help organizations understand their potential risk by simulating a real-world attack in order to uncover areas of weakness in the environment. These tests should be performed annually and after any significant change is made to the environment.
Step 12: Maintain a policy that addresses information security for all personnel.
The final PCI DSS requirement moves beyond technology requirements to address the people who manage and follow them. A strong information security policy is a roadmap for protecting an organization's most valuable asset: its workforce. Security awareness training programs, regular security policy reviews, established risk assessment processes, incident response programs, and technology usage policies all fall within PCI DSS Requirement 12.
How StrongDM Helps You Meet PCI DSS Compliance Requirements
Keeping up with PCI compliance requirements can be challenging, especially as they evolve. But failure to comply with regulations can lead to costly penalties and reputation damage. That’s why it’s important to rely on comprehensive solutions like StrongDM to ensure end-to-end compliance across your network.
StrongDM makes compliance easier by managing and auditing access to infrastructure, which is a critical part of PCI DSS. You can also find a free suite of tools and templates to get you SOC 2-certified fast. While SOC 2 is not the same as PCI DSS, there are a number of operational similarities. For both certifications, you’ll need to take steps like performing regularly scheduled vulnerability scans, implementing annual security awareness training, and performing an annual risk assessment.
Simplify PCI DSS Compliance
Meeting the 12 PCI DSS Compliance Requirements can feel like a daunting task, but it is achievable. Take each step one at a time and use a checklist to map your progress. Stay up-to-date with the PCI Security Standards Council’s PCI SSC Resources and PCI SSC Document Library.
Simplify compliance with easy, secure infrastructure access. Try StrongDM free for 2 weeks.
About the Author
Andrew Magnusson, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.