PCI DSS Requirements
The twelve PCI DSS requirements catalog best practices that businesses should follow when handling customers’ payment cards or payment card information. They are broken down into six different categories:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
The first version of PCI DSS was introduced in September 2006. At that time, the PCI Security Standards Council (PCI SSC) established a continual two-year cycle of review and revision of PCI DSS. This fall, the PCI SSC released PCI DSS Version 2.0, which included clarifications of existing requirements, additional guidance, and minor changes to evolving PCI DSS requirements. Any merchant submitting a report of PCI DSS compliance after December 31, 2010 must comply with PCI DSS Version 2.0.
Merchants fall under four categories (levels) of PCI compliance, depending on the number of transactions they process each year and on whether those transactions are performed at a brick-and-mortar location or over the Internet. All merchants that process credit cards—whether small or large—must be PCI compliant.