Updated: Jun 6, 2024   |   Lauren Koppelman

The 12 requirements of PCI DSS compliance


Companies that process credit card payments are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard comprises guidelines created to protect the privacy and security of cardholder data, and in this post, we’ll review the requirements of PCI DSS compliance.


What are the 12 requirements of PCI DSS compliance?

PCI DSS was introduced in September 2006 to improve the security of cardholder transactions in the digital age. The PCI Security Standards Council (PCI SSC) is an independent body that manages and administers PCI DSS. 

Enforcement of the standard, including levying fines for noncompliance, is performed by the individual payment card brands, such as Discover and Visa, that created PCI DSS. PCI merchant levels determine the specific requirements a company must comply with.

In all, several hundred requirements are contained in PCI DSS, grouped into the following 12 categories:

  1. Firewalls must be installed and maintained to protect cardholder data
  2. Vendor-supplied default passwords and security parameters must be changed
  3. Stored cardholder data must be protected
  4. Cardholder data must be encrypted when transmitted over open, public networks
  5. Antivirus software needs to be implemented and regularly updated
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data on a business need-to-know basis
  8. Everyone with computer access needs a unique ID
  9. Restrict physical access to cardholder data
  10. Monitor and track all access to cardholder data and network resources
  11. Security systems and processes must be regularly tested
  12. Maintain an information security policy for all personnel



The requirements of PCI DSS compliance in detail

PCI DSS v3.2.1 is the current version of the standard and is slated to be replaced by PCI DSS v4.0 in early 2024; however, the main requirements discussed here apply to both versions.

IT environments used for processing credit card information need to maintain compliance with these regulations. PCI DSS applies to a company’s on-premises IT environments and any they have contracted with a third-party such as a cloud service provider (CSP).

1. Firewalls must be installed and maintained to protect cardholder data

Companies must effectively configure, update, and maintain network firewalls to prevent unauthorized access to systems containing cardholder data. Configuration parameters should be reviewed at least every six months to address changes and ensure only authorized entities can access the network.

Remote employees, including those who access enterprise data resources from a home office, are also required to have firewalls installed on their computers and mobile devices.

2. Vendor-supplied default passwords and security parameters must be changed

Vendor-supplied passwords and security parameters must be changed on all hardware and software components. Cybercriminals can exploit the use of default passwords to gain access to a system to compromise cardholder data. 

Passwords must always be changed before introducing a new device or software solution into the environment and interacting with regulated systems.

3. Stored cardholder data must be protected

Merchants are required to protect cardholder data during storage to prevent unauthorized access. All transactional data must be encrypted at all times and is subject to strict retention policies. Lastly, obsolete data must be purged at least quarterly.

4. Cardholder data must be encrypted when transmitted over open, public networks

Measures must be in place to ensure that cardholder data cannot be compromised when traversing public networks, and strong cryptography and encryption must be used with every piece of cardholder information. Companies need to implement industry standards, such as IEEE 802.11i for wireless networks, to comply with PCI DSS.

5. Antivirus software needs to be implemented and regularly updated

Companies must implement antivirus and anti-malware software as a component of the organization’s vulnerability management program. All machines that access cardholder information should have this software installed, activated, and updated with the most recent virus definitions.

6. Develop and maintain secure systems and applications

Merchants must install security patches as soon as vendors make them available. Systems developed to process cardholder data must be secure and comply with PCI DSS code development standards.

7. Restrict access to cardholder data on a business need-to-know basis

Access to cardholder data should only be authorized for employees who need it to do their jobs. Need-to-know is fundamental to PCI DSS as a means to control which users may request access to the data and the reason they require it. Users must be both authorized and have a valid reason before being allowed to access cardholder data.

8. Everyone with computer access needs a unique ID

All personnel with computer access must have a unique ID that can be used for monitoring their activities when interacting with regulated systems.

9. Restrict physical access to cardholder data

Companies must monitor and log access and enforce access controls to prohibit unauthorized entities from physically accessing systems that contain cardholder data. Removable storage devices, such as those used to hold backups, must be secured and destroyed when no longer needed by the organization.

10. Monitor and track all access to cardholder data and network resources

Merchants are required to implement comprehensive monitoring and tracking solutions to ensure that only authorized individuals access the systems. PCI DSS compliance requires logging and maintaining audit trails of all network activity, and the tools should also identify unauthorized attempts to compromise IT resources. 
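As an added illustration of requirements 3 and 10 (not code from the original post or from Next), the following Python script scans stored text such as log lines for unprotected primary account numbers (PANs), masks them to the first six and last four digits, and selects records whose retention window has passed. The PAN pattern, the 90-day retention period and all sample data are constructed assumptions.

```python
"""Added example (not the post's own code): a check in the spirit of PCI DSS
requirements 3 and 10: find unprotected primary account numbers (PANs) in
stored text, mask them, and pick out records past their retention window.
All sample data is constructed."""
import re
from datetime import date, timedelta

# Runs of 13-19 digits, optionally separated by spaces or dashes (assumed PAN shape).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_RE.sub(_sub, text)


def expired(records: list[dict], today: date, retention_days: int) -> list[str]:
    """IDs of stored records older than the retention window (purge candidates)."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["stored_on"] < cutoff]


# Constructed samples: a log line carrying a well-known Luhn-valid test number.
SAMPLE_LOG = "2024-06-01 auth ok card=4111 1111 1111 1111 amount=19.99"
SAMPLE_RECORDS = [
    {"id": "txn-1", "stored_on": date(2023, 11, 15)},
    {"id": "txn-2", "stored_on": date(2024, 5, 20)},
]
SAMPLE_TODAY = date(2024, 6, 6)

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    print(expired(SAMPLE_RECORDS, SAMPLE_TODAY, retention_days=90))
```

Luhn filtering removes most numeric false positives (timestamps, amounts, order numbers), but a real DLP deployment would also cover binary stores and databases, not only text.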

11. Security systems and processes must be regularly tested

Merchants must conduct quarterly internal and external vulnerability scans to ensure the effectiveness of all existing security protocols and procedures.

12. Maintain an information security policy for all personnel

Companies must develop an information security policy and ensure that all personnel comply by providing ongoing PCI compliance training. The policy should be assessed and revised annually.

Next DLP helps maintain PCI DSS compliance

Next provides a cloud-native data loss prevention (DLP) solution that helps companies maintain compliance with PCI DSS and other security standards, such as GDPR. The Reveal Platform by Next enforces an organization’s data handling policy, which should reflect the measures necessary to maintain compliance with the regulations.

Specific ways Reveal addresses PCI DSS compliance include:

  • Automatically ensuring all data is encrypted before transmission
  • Prohibiting unauthorized users from accessing sensitive information
  • Offering real-time user training on a company’s information security policy

Get in touch with Next and see how Reveal can help your company comply with PCI DSS. You can also book a demo and get a closer look at this advanced DLP solution in action.

Frequently asked questions

What is the PCI DSS compliance process?

The PCI DSS compliance process comprises three essential steps:

  • Assess
  • Repair
  • Report

During the first step, you should identify assets and processes that handle sensitive data and assess them for vulnerabilities. Step two involves repairing those vulnerabilities, while step three is the documentation of the processes utilized during the first two steps.

What is PCI DSS requirement 12.6?

PCI DSS requirement 12.6 states that organizations must have a formal security awareness program for their employees. This must include refresher training at least annually, with employees also required to sign an acknowledgment confirming they have read and understood the security policy.

What is PCI DSS requirement 12.8?

This refers to any service providers you work with as part of your business. You are required to maintain a list of these providers, have a written agreement stating the providers are responsible for any data they handle, implement a process for delegating service providers, and, lastly, monitor your service providers’ compliance status on a regular basis.
