The 12 PCI DSS Requirements Explained

What Are the PCI DSS Requirements?

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard that applies to organizations that process payment card information. The requirements of the PCI DSS were created and are overseen by the PCI Security Standards Council (PCI SSC).

The PCI DSS consists of 12 requirements for implementing security measures that help protect credit card information and that must be met to demonstrate PCI compliance. All organizations that store or process payment cards, such as credit and debit cards, in exchange for goods or services must meet all 12 requirements, either directly or via a compensating control.

Note that some compensating controls may not be permitted and must be approved on an individual basis by a PCI QSA. If your organization doesn’t adhere to the PCI DSS 12 requirements, you may incur a fine or have your credit card processing rights terminated.

The information offered in this article is intended solely for educational purposes and features only general details about commercial, legal, and other issues. It is not legal advice and must not be treated as such. Information on this page may not be the most current legal or other information.

The information on this page is given “as is” without any warranties or representations, implied or express. We make no warranties or representations regarding the information on this page, and all liability regarding any actions that are carried out or withheld based on the information in this article is expressly disclaimed.

You should not rely on the content of this article as a substitute for legal advice from a professional legal service provider or attorney. If you have any particular questions about a legal matter you must consult your professional legal service provider or attorney.

This article could feature links to third-party websites. These links are placed here only for the convenience of the user, reader or browser, and we do not endorse or recommend the information or content of any third-party sites. 

Related content: This is part of an extensive series of guides about PCI compliance.


Do You Need to Be PCI Compliant?

If you have an organization that deals with debit or credit card payments, you should adhere to the PCI DSS. 

Cardholder data (credit card data) is made up of the primary account number (PAN) together with the expiration date, cardholder name, or service code. PCI compliance also applies to sensitive authentication data. This form of sensitive information includes, for example, PINs, magnetic stripe or card chip data, card validation codes, and other details used to authenticate cardholders and validate payment card transactions.

The PCI SSC defines four compliance levels for merchants and two levels for service providers. The level of your organization determines whether you are subject to a PCI audit by a Qualified Security Assessor (QSA) or whether you simply need to complete a Self-Assessment Questionnaire (SAQ).

Related content: PCI Compliance Levels


PCI Compliance Fines

Although PCI compliance is not a legal requirement, non-compliance is still a major concern. Businesses that do not meet PCI standards can face risks such as data breaches, fines, costs to replace cards, costly forensic audits and business investigations, as well as long-term damage to their brand image and reputation.

Non-compliance with PCI does carry penalties, although they are not well known. For example, if a company violates PCI compliance standards, a credit card brand could fine an accepting bank from $5,000 to $100,000 per month. Banks generally pass these fees on to the seller, terminate the contract, or increase transaction fees when a seller violates PCI requirements.

In addition to financial costs, there are other potential damages that can affect your business. Failing to comply with PCI can result in negative consequences including:

  • Loss of customer trust, decline in sales and revenue, and in extreme cases, business shutdown
  • Reissuance fees for new payment cards
  • Your business might be prohibited from accepting credit cards altogether
  • Fraud resulting in financial losses or damage to your customers
  • Higher subsequent compliance costs
  • Court fees, settlements and decisions
  • Career damage for roles like CISO, CIO, CEO, CFO

PCI DSS Compliance Requirements

Below we summarize the main requirements of the PCI DSS standard.

1. Install and maintain a firewall to protect cardholder data

Ensure network security by installing and properly configuring a firewall to protect a cardholder data environment. The main purpose of a firewall is to regulate network traffic through restrictive rules. A firewall is deployed at the network edge and is the first line of defense against attackers trying to breach the network. PCI requires that organizations review firewall rules twice a year to ensure they are appropriate to secure the environment.

2. Strong passwords and secure configuration 

Never leave devices and software with their default passwords. Devices like routers and point of sale (POS) equipment are especially vulnerable because they ship with standard usernames and passwords that are either known to attackers, or easy to guess or crack. To comply with PCI, your organization must create an inventory of all devices affecting the cardholder environment and ensure they all have secure passwords and appropriate security settings. 

3. Protect stored cardholder data

Make a comprehensive inventory of the cardholder data in your organization, where it is stored, and its retention period. All stored data must be protected using means such as strong encryption, one-way hashing, truncation, or tokenization. The PCI standard mandates a rigorous process for managing encryption keys. If you find it difficult to discover where credit card details are stored, you can use card data discovery tools that scan data sources for primary account numbers (PANs).

4. Encrypt cardholder data transmission across public networks

Secure cardholder data by encrypting it whenever it is transmitted over an open or public network. This includes the public internet, mobile phone networks like GSM or GPRS, Bluetooth, etc. You must be aware of when and where your organization is transmitting cardholder data, and ensure it is encrypted using a secure protocol like Transport Layer Security (TLS) or Secure Shell (SSH).

5. Use and regularly update anti-virus software

Deploy antivirus software on all computing systems in the cardholder data environment, and update them regularly. POS equipment should also be equipped with antivirus and scans should be run regularly, either by your organization or the POS vendor. In addition, put in place controls that can alert on suspicious activity such as unknown files, even if they do not match known malware signatures.

6. Develop and maintain secure systems and applications

Apply software patches and updates to all systems, as soon as they are accessible. In addition, you should actively seek out vulnerabilities in software systems, rank them according to severity, and address them. If your organization performs software development, any new or modified code must be scanned for known vulnerabilities, and assessed for insecure coding practices or unknown vulnerabilities.

7. Limit access to cardholder data based on “need to know”

Cardholder data, even if securely stored, should have limited access within your organization. Employees who need access in order to perform a task should have access only for the time needed to do that task; this is known as the “need to know” principle. If an employee or third party requests cardholder data and they are not authorized, their request should be denied.

Access control should take into account whether the agent making the request is authorized and whether they actually need the data in the current context.

8. Unique IDs for every person with computer access

Assign a unique identifier to every person that has access to computing systems in the cardholder environment. Whenever someone accesses protected data, there should be a record tracing back the activity to a named person. 

Another requirement is two-factor authentication — for example, requiring users to provide something they know (a password) and something they own (such as a security token) to gain access. The PCI standard recommends using RADIUS or TACACS tokens which are highly secure.

9. Restrict physical access to cardholder data

Ensure that unauthorized personnel cannot physically access equipment in the cardholder environment. This applies to everyone — employees, third-party contractors or vendors, and guests. Access should be restricted to computing systems, devices, storage media, paper copies, and anything else storing or enabling access to cardholder data. 

This requires strict access control for physical facilities, logging of entrance and movements within the facility, and dedicated on-site security personnel. Cardholder data should be securely stored, with backups in a remote location. Data should be destroyed when no longer needed. The organization must have clear procedures for determining how information is distributed after access is approved.

10. Track and monitor access to network and cardholder data

Ensure that systems in the cardholder data environment have appropriate audit policies so that they log all relevant activity and send it to a central syslog server. PCI requires reviewing logs at least once per day to identify suspicious activity. A security information and event management (SIEM) system can automate the process of centrally storing, analyzing, and alerting on log data.

PCI also requires that audit trails contain at least a minimum set of data fields for each event and that system clocks are time-synchronized. The audit data itself must be secured against tampering and must be retained for 12 months.

11. Periodically test security systems and processes

It is not enough to “set and forget” security controls and procedures. IT environments are dynamic, and new threats and vulnerabilities are introduced daily, so you must regularly test security processes to ensure that systems are still secure. Specifically, PCI requires regular testing of:

  • Detection of unauthorized wireless access points (WAPs)
  • Scanning for internal and external vulnerabilities, once per quarter or when making major changes to the network
  • Penetration testing
  • Setting up intrusion detection and prevention systems (IDS/IPS)
  • Setting up file integrity monitoring (FIM)

12. Maintain an information security policy that addresses all personnel

Your organization should have a formal, well-documented security policy, which clearly details the security responsibilities of all personnel related to the payment cardholder environment. Employees and others with access to the cardholder environment must undergo training, and must acknowledge the policy. 

The policy must undergo an annual review, based on a formal risk assessment. In addition, PCI requires background checks for employees and a documented incident response process.

Related content: PCI Compliance Checklist


PCI DSS Compliance with Exabeam Fusion SIEM

In the end, PCI DSS compliance is all about proving to auditors that you do what you say you do, and Exabeam can help. While DLP, endpoint, vulnerability scanning, network, and identity vendors give you pieces of the puzzle, Exabeam Fusion SIEM helps you put it all together to see a full picture of an attack, adding context and risk scoring to events and alerts to show an end-to-end PCI DSS compliance picture.

Exabeam Fusion SIEM offers reports for your security teams on vulnerabilities discovered on PCI assets. This report looks at vulnerability scan data produced by firewalls, routers, switches, and any other device that produces vulnerability data. Vulnerability scans of the cardholder data environment expose potential vulnerabilities in networks that could be found and exploited by malicious individuals. Organizations use this report to identify specific high and/or critical vulnerabilities on cardholder systems that need to be fixed.

Fusion SIEM also looks at credit card data, found in motion or at rest from IDS, IPS, and DLP systems to provide visibility into potentially unauthorized transmissions of credit card data over the network or to unauthorized removable storage devices. Customers use this report to identify the source of the transmission so it can be further investigated and fixed. The cardholder data environment should be monitored for unauthorized egress transmission of credit card data using IDS, IPS, and DLP-based technologies. 

From credential anomaly and unusual activity or movement to credit card data access or transmissions, Exabeam offers a clear view of “normal” for any credentials, data movement, and activity, helping streamline your SOC workflow and responses in the event of a compromised or malicious insider as well as detecting lateral movement of malware or ransomware within your ecosystem.

See Exabeam in action: Request a demo