PCI DSS: Requirements Overview
Requirements Overview [Req 1-12]
Rule: PCI DSS contains 12 high-level requirements organized into 6 control objectives. Each requirement has detailed sub-requirements that must be implemented.
Control Objectives and Requirements
| Objective | Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1, 2 |
| Protect Account Data | 3, 4 |
| Maintain a Vulnerability Management Program | 5, 6 |
| Implement Strong Access Control Measures | 7, 8, 9 |
| Regularly Monitor and Test Networks | 10, 11 |
| Maintain an Information Security Policy | 12 |
Requirement 1: Network Security Controls
Install and maintain network security controls.
| Sub-requirement | Focus |
|---|---|
| 1.1 | Processes and mechanisms defined and understood |
| 1.2 | Network security controls configured and maintained |
| 1.3 | Network access to/from CDE restricted |
| 1.4 | Network connections between trusted and untrusted networks controlled |
| 1.5 | Risks from untrusted networks mitigated |
Requirement 2: Secure Configurations
Apply secure configurations to all system components.
| Sub-requirement | Focus |
|---|---|
| 2.1 | Processes and mechanisms defined and understood |
| 2.2 | System components configured and managed securely |
| 2.3 | Wireless environments configured and managed securely |
Requirement 3: Protect Stored Account Data
Protect stored account data.
| Sub-requirement | Focus |
|---|---|
| 3.1 | Processes and mechanisms defined and understood |
| 3.2 | Storage of account data minimized |
| 3.3 | SAD not stored after authorization |
| 3.4 | PAN masked when displayed |
| 3.5 | PAN secured wherever stored |
| 3.6 | Cryptographic keys used to protect stored account data secured |
| 3.7 | Where cryptography protects PAN, key-management processes defined and implemented |
Requirement 4: Protect Data in Transit
Protect cardholder data with strong cryptography during transmission over open, public networks.
| Sub-requirement | Focus |
|---|---|
| 4.1 | Processes and mechanisms defined and understood |
| 4.2 | PAN protected with strong cryptography during transmission |
Requirement 5: Protect from Malware
Protect all systems and networks from malicious software.
| Sub-requirement | Focus |
|---|---|
| 5.1 | Processes and mechanisms defined and understood |
| 5.2 | Malicious software prevented or detected and addressed |
| 5.3 | Anti-malware mechanisms active, maintained, monitored |
| 5.4 | Anti-phishing mechanisms protect personnel against phishing attacks |
Requirement 6: Develop Secure Systems
Develop and maintain secure systems and software.
| Sub-requirement | Focus |
|---|---|
| 6.1 | Processes and mechanisms defined and understood |
| 6.2 | Bespoke and custom software developed securely |
| 6.3 | Security vulnerabilities identified and addressed |
| 6.4 | Public-facing web applications protected |
| 6.5 | Changes managed securely |
Requirement 7: Restrict Access
Restrict access to system components and cardholder data by business need to know.
| Sub-requirement | Focus |
|---|---|
| 7.1 | Processes and mechanisms defined and understood |
| 7.2 | Access to system components and data appropriately defined |
| 7.3 | Access to system components and data managed via access control systems |
Requirement 8: Identify and Authenticate
Identify users and authenticate access to system components.
| Sub-requirement | Focus |
|---|---|
| 8.1 | Processes and mechanisms defined and understood |
| 8.2 | User identification and accounts managed |
| 8.3 | Strong authentication established |
| 8.4 | MFA implemented for CDE access |
| 8.5 | MFA systems configured properly |
| 8.6 | Application/system accounts managed |
Requirement 9: Physical Security
Restrict physical access to cardholder data.
| Sub-requirement | Focus |
|---|---|
| 9.1 | Processes and mechanisms defined and understood |
| 9.2 | Physical access controls manage entry |
| 9.3 | Physical access for personnel and visitors authorized |
| 9.4 | Media with cardholder data securely stored, accessed, distributed, destroyed |
| 9.5 | POI devices protected from tampering and substitution |
Requirement 10: Log and Monitor
Log and monitor all access to system components and cardholder data.
| Sub-requirement | Focus |
|---|---|
| 10.1 | Processes and mechanisms defined and understood |
| 10.2 | Audit logs implemented |
| 10.3 | Audit logs protected |
| 10.4 | Audit logs reviewed |
| 10.5 | Audit log history retained |
| 10.6 | Time-synchronization mechanisms keep time settings consistent across systems |
| 10.7 | Failures of critical security systems detected and responded to |
Requirement 11: Test Security
Test security of systems and networks regularly.
| Sub-requirement | Focus |
|---|---|
| 11.1 | Processes and mechanisms defined and understood |
| 11.2 | Wireless access points identified and monitored |
| 11.3 | External and internal vulnerabilities identified and addressed |
| 11.4 | External and internal penetration testing performed |
| 11.5 | Network intrusions and file changes detected and responded to |
| 11.6 | Unauthorized changes on payment pages detected |
Requirement 12: Security Policies
Support information security with organizational policies and programs.
| Sub-requirement | Focus |
|---|---|
| 12.1 | Information security policy established |
| 12.2 | Acceptable use policies defined |
| 12.3 | Risks to CDE formally identified, evaluated, managed |
| 12.4 | PCI DSS compliance managed |
| 12.5 | PCI DSS scope documented and validated |
| 12.6 | Security awareness education |
| 12.7 | Personnel screened |
| 12.8 | Third-party service provider relationships managed |
| 12.9 | Service providers acknowledge responsibilities |
| 12.10 | Incidents detected and responded to |