What Are the Core Requirements of PCI DSS?
The PCI DSS consists of 12 published requirements, which in turn contain multiple sub-requirements. The 12 PCI DSS compliance requirements are organized in six groups as shown in the table below:
PCI DSS Compliance Requirements
GroupRequirements
Build and Maintain a Secure NetworkRequirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder DataRequirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management ProgramRequirement 5: Protect all systems against malware and regularly update antivirus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control MeasuresRequirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test NetworksRequirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security PolicyRequirement 12: Maintain a policy that addresses information security for all personnel.
Note: This material is drawn from PCI Compliance & Data Protection for Dummies, Thales Limited Edition, by Ian Hermon and Peter Spier.