What are the 12 requirements of PCI DSS Compliance?

by michael bedwell Digital Marketer

Awareness and education of the policy Security management process Assessment and risk analysis Self-assessment Maintenance, monitoring and testing Remediation Data protection Network security System development Life cycle change procedures Access control Monitoring physical access Non-technical controls

Protection of cardholder data is a major concern for every company that handles credit cards. Under the Payment Card Industry Data Security Standard (PCI DSS), companies like yours are required to maintain a secure environment.

What are the 12 requirements of PCI DSS?

PCI DSS is a set of security standards for all organizations that process, store or transmit credit card data. It lays down 12 specific requirements for creating a secure payment system, ranging from network security to data protection.

The 12 requirements of PCI DSS are as follows:

1) Build and maintain a secure network,

2) Protect cardholder data,

3) Maintain a vulnerability management program,

4) Implement strong access control measures,

5) Regularly monitor and test networks,

6) Maintain an information security policy,

7) Develop and maintain secure systems and applications,

8) Restrict access to cardholder data by business need-to-know,

9) Assign a unique ID to each person with computer access,

10) Restrict physical access to cardholder data,

11) Track and monitor all access to network resources and cardholder data,

12) Regularly test security systems and processes.

PCI DSS is not a simple checklist of various security controls like firewalls and encryption that you may be already aware of. The PCI DSS certification requires serious efforts from your end to ensure that all aspects of your environment, e.g., network configuration, software patching and segregation of networks are taken care off. For example, if you have a firewall protecting your Visa card information, the configuration should be reviewed. If you lack an intrusion detection system (IDS), appropriate controls must be put in place before you can even think of going through the PCI DSS compliance process. Even simple things like restricting physical access to systems or sensitive areas are mandatory requirements under PCI DSS.

How do I achieve PCI DSS compliance?

PCI DSS is a complex set of security standards. It will take dedicated efforts from all employees to ensure that you go through the certification process successfully without any issues. The key areas that need your full attention are:

• Awareness and training on PCI DSS,

• A documented PCI DSS compliance program,

• Adjusted network configuration,

• Appropriate access control mechanisms in place,

• Segregation of cardholder data,

• Data protection through encryption and strong passwords.

Your organization must provide formal security training to all employees on a regular basis so that they understand how they impact the security of cardholder data. You also need a comprehensive security program that includes the 12 requirements of PCI DSS. The next step is to make sure all systems and applications are updated, patched and configured in line with PCI DSS guidelines. It is recommended that you implement strong access control mechanisms for network segments hosting cardholder data or containing significant business information. The network should be segregated with strict enforcements in place to restrict access only to authorized users.