The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve high-level requirements which all merchants and service providers who take card payments or who manage systems that are involved in transactions are required to follow.
PCI DSS has high-level requirements and detailed testing requirements that need to be carried out in order to show compliance with the standard. This document covers the high-level requirements.
The Twelve PCI DSS Requirements
Requirement 1: As part of Requirement 1, you need to ensure that all of your firewalls are maintained and that they are configured to only allow the traffic which is required to sensitive parts of your network.
Requirement 2: Requirement 2 focuses on how you ensure that your servers, firewalls, and other devices that are used in your environment are configured securely.
Requirement 3: The focus in Requirement 3 is on protecting cardholder data. Cardholder data needs to be protected during all parts of the transaction process. This means that when it’s stored, it needs to be protected. Finding out locations of clear-text cardholder data through tools such as card-scanning can help you find cardholder data that you do not need and help you define your cardholder data environment.
Requirement 4: Requirement 4 focuses on protecting cardholder data when it is being transmitted over the internet. This means that cardholder data needs to be protected when it’s sent from the customer, when it’s sent to the payment gateway, and if you’re using a cloud service, you should protect your internal data too since it might be going over out of your control without your knowledge.
Requirement 5: Requirement 5 is all about anti-virus software and making sure it is configured securely. While not all systems can support anti-virus, we recommend installing it wherever it is supported.
Requirement 6: Requirement 6 covers two areas: vulnerability management and secure development.
Vulnerability management in Requirement 6 is about ensuring that you are regularly identifying threats to your systems, installing patches, and that all changes to systems are documented.
Secure development in Requirement 6 is about ensuring that you follow good development practices, such as having a separation of duties, ensuring there are separate environments, and making sure that all code is developed securely and tested.
Requirement 7: This requirement is all about managing the users who have access to your systems and making sure that people only have the minimum level of access they need to do their job.
Requirement 8: Requirement 8 is about making sure that users are authenticating securely. This means enforcing strong passwords and using multi-factor authentication. It also looks at how people access your databases where cardholder data is stored.
Requirement 9: Physical security is covered Requirement 9. This means making sure that any paper with cardholder data is stored securely and that anyone visiting sensitive areas is identified and approved for access. This requirement also covers the security of your data centres.
Requirement 10: Requirement 10 focuses on the security logs and monitoring of your systems. Making sure that you have logs and are regularly reviewing them is vital to being able to proactively identify security incidents.
Requirement 11: Requirement 11 focuses on more security testing, including doing regular scans to identify vulnerabilities and getting your systems tested by an organisation that specialises in penetration testing.
Requirement 12: Finally, Requirement 12 covers the policy and governance side of PCI DSS. Along with policies it includes user education and service provider management to make sure that third parties aren’t affecting your PCI DSS and security.
If you need help with understanding the detail of these requirements or assessing your PCI DSS compliance, contact us.