What Are the Core Requirements of PCI DSS?
The PCI DSS consists of 12 published requirements, each of which contains multiple sub-requirements. The 12 requirements are organized into six groups, as shown in the table below:
| Group | Requirement |
|---|---|
| Build and Maintain a Secure Network | Requirement 1: Install and maintain a firewall configuration to protect cardholder data. |
| Build and Maintain a Secure Network | Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | Requirement 3: Protect stored cardholder data. |
| Protect Cardholder Data | Requirement 4: Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | Requirement 5: Protect all systems against malware and regularly update antivirus software or programs. |
| Maintain a Vulnerability Management Program | Requirement 6: Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | Requirement 7: Restrict access to cardholder data by business need to know. |
| Implement Strong Access Control Measures | Requirement 8: Identify and authenticate access to system components. |
| Implement Strong Access Control Measures | Requirement 9: Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | Requirement 10: Track and monitor all access to network resources and cardholder data. |
| Regularly Monitor and Test Networks | Requirement 11: Regularly test security systems and processes. |
| Maintain an Information Security Policy | Requirement 12: Maintain a policy that addresses information security for all personnel. |
Note: This material is drawn from PCI Compliance & Data Protection for Dummies, Thales eSecurity Limited Edition, by Ian Hermon and Peter Spier.