For merchants all over the globe, maintaining PCI compliance is vital.
The PCI Security Standards Council (SSC) is made up of the leaders in the credit card payment space, including American Express, Discover, MasterCard, Visa, and JCB International.
Founded in 2006, the PCI SSC set out with the goal of improving payment security around the globe through the standardization of payment security requirements. This set of standards is known as the PCI Data Security Standard (DSS), working to achieve the PCI SSC’s goals through four strategic pillars:
- Increasing knowledge and participation in the payment industry
- Evolving security standards and validation to support a wider range of payment environments, technologies, and methodologies
- Securing emerging payment channels to support broader payment acceptance
- Increasing standards of alignment and consistency to minimize redundancy and simplify implementations
If you’re new to PCI, make sure to check out our Master Guide on PCI Compliance.
Join us as we take you through everything you need to know about PCI Compliance, including the SSC’s core goals and 12 key requirements.
What is the Purpose of the PCI DSS?
PCI compliance standards are centered around six essential goals, each of which outlines specific principles and activities that make up the 12 necessary requirements to meet PCI compliance.
Here is a quick breakdown of the six principles and their relevant requirements:
- Goal 1: Build and maintain a secure network and systems
- Requirement 1: Install and maintain firewalls to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Goal 2: Protect cardholder data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Goal 3: Maintain a vulnerability management program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Goal 4: Implement strong access control measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Goal 5: Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Goal 6: Maintain an information security policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
We discuss each of these requirements more in the checklist below — but first, we need to discuss the different PCI compliance levels and where your business fits in.
What You Need to Know About PCI DSS 4.0
PCI DSS is regularly assessed and updated as needed. The most current version is PCI DSS 3.2.1, which was initially released in May 2016 and later updated in June 2018.
However, the PCI DSS 4.0 version is in development. Though this version of the PCI DSS is not yet required, it begins to go into effect on March 31, 2024. Any merchants following PCI compliance will be expected to have their systems and compliance strategies updated by this deadline, with full compliance to the new version expected by March 31, 2025.
Here is an overview of the changes made in the newest version of PCI DSS:
- Requirement 1: Changed from “install and maintain firewalls and routers” to “install and maintain network security controls” to better reflect the broader range of technologies now used in card payments that go beyond the scope of firewalls alone.
- Requirement 2: Changed from a specific focus on “vendor-supplied defaults” to a broader focus on all secure configurations involved in payment security systems.
- Requirement 3: Added “account data” to the “protect cardholder data” requirement.
- Requirement 4: Changed the focus from “encryption” to “strong cryptography” in reference to protecting transmissions of cardholder data.
- Requirement 5: Updated to protect all systems and networks from malware and replaced “anti-virus” with “anti-malware” throughout to support a broader range of technologies used to meet the security objectives traditionally met by antivirus software.
- Requirement 6: Updated requirement to replace “applications” with “software” to better address all components within a system.
- Requirement 7: Updated to include both cardholder data and “system components.”
- Requirement 8: Standardized the terms “authentication factor” and “authentication credential,” as well as removed references to “non-consumer users.”
- Requirement 9: Clarified to identify if physical access to cardholder data applies to CDE, sensitive areas or facilities.
- Requirement 10: Updated requirement to apply to not just cardholder data but also “audit logs” and “system components.” Replaced “audit trails” with “audit logs” throughout.
- Requirement 11: Minor changes to principal requirement title.
- Requirement 12: Updated to reflect a focus on “organizational policies and programs that support information security.”
Visit the PCI DSS v4.0 Resource Hub to find out more about the specific requirement changes.
Before You Begin: Know Your PCI Compliance Level
Along with having 12 key requirements, PCI compliance is also divided into four distinct levels. These levels determine the complexity of compliance for merchants according to how many card transactions are processed annually and which card payment channels are used.
The payment channels covered by PCI compliance include card present, card not present, and eCommerce. Ecommerce transactions tend to have stricter compliance requirements, as there are more moving parts involved in the eCommerce payment process.
Knowing which PCI compliance level you belong to is crucial, as each level comes with its own unique annual reporting requirements in addition to the 12 key compliance requirements.
Regardless of which level you belong to, you will need to complete the following annual and quarterly reporting requirements to remain in good standing with the PCI DSS:
- Complete an annual assessment. Level 1 organizations must use a Qualified Security Assessor (QSA). Level 2-4 organizations may use a self-assessment questionnaire (SAQ).
- Complete quarterly network scans via an approved scanning vendor (ASV)
- Complete an Attestation of Compliance form (all forms can be accessed via the PCI SSC’s online Document Library)
Here is a breakdown of the four levels of PCI compliance and who they apply to:
- Level 4: Level 4 is the lowest level of compliance and applies to merchants processing 1 million or fewer card transactions annually through all channels and no more than 20,000 card transactions through the eCommerce channel specifically.
- Level 3: Level 3 applies to any merchants processing between 20,000 to 1 million card transactions exclusively via the eCommerce channel.
- Level 2: Level 2 applies to any merchants processing between 1 to 6 million card transactions annually across all channels.
- Level 1: Level 1 is the highest level of PCI compliance and applies to merchants processing over 6 million card transactions annually. Instead of an SAQ, Level 1 merchants must complete an annual Report on Compliance (ROC) and a Qualified Security Assessor (QSA).
The 12 Key PCI DSS Requirements: A Comprehensive Checklist
Now that we’ve covered all the basics of PCI compliance, let’s get into the nitty-gritty — aka, the actual tasks you need to perform for each requirement.
For each requirement, it is necessary to maintain thorough documentation of all relevant security policies and operational procedures, as well as ensure all policies are in use and known to all affected parties.
Without further ado, here is your checklist of all essential tasks for meeting each of the 12 compliance requirements, as laid out by the PCI SSC.
1. Install & Maintain a Firewall
A firewall is a network security device designed to monitor all incoming and outgoing traffic on your network. With a firewall properly implemented and maintained, you can create defined security rules that allow or block traffic based on a case-by-case basis.
Here are the key tasks for Requirement 1:
- Establish and implement firewall and router configuration standards. These standards should identify all connections between the cardholder data environment and other networks. Plan to review these configuration standards at least every six months.
- Build the necessary firewall and router configurations for restricting incoming and outgoing traffic from untrusted networks and hosts. These configurations should restrict all traffic except for the specific protocols needed in the cardholder data environment.
- Prohibit direct public access between the Internet and system components within the cardholder data environment.
- Install personal firewall software on any devices with access to the cardholder environment and that connect to the Internet when outside of the business network, including both company and personal devices.
2. Do Not Use Vendor-Supplied Defaults for Password Systems
When you deploy a vendor-supplied payment infrastructure, that product comes with default system settings and passwords. Not changing these defaults is one of the easiest ways to make your system vulnerable to hacks and other exploits, as many default settings and passwords are widely known.
Here are the key tasks for Requirement 2:
- Change all vendor-supplied defaults and disable unnecessary default accounts prior to installing a system within your network.
- Develop configuration standards that address all known security vulnerabilities for all system components. These should be consistent with industry-accepted definitions and updated when new vulnerability issues are identified.
- Use strong cryptography to encrypt all non-console access to your system
- Keep an up-to-date inventory of all system components that relate to PCI DSS.
3. Protect Stored Cardholder Data
Cardholder data is the information that relates to a specific payment card and cardholder. This data can be printed, processed, transmitted, and stored within a system. No matter how the data is being used, it needs to be protected from unauthorized use.
Here are the key tasks for Requirement 3:
- Create a data retention policy and limit the storage and retention time required for this data.
- Do not store sensitive authentication data after authorization and render all sensitive authentication data unrecoverable once authorization is complete.
- Mask PAN when on display so that only authorized personnel may see the complete PAN.
- Render PAN unreadable when in storage
- Document and implement procedures for protecting encryption keys.
- Document and implement key management processes and procedures for cryptographic keys.
4. Encrypt Transmissions of Cardholder Data
Encryption is the process of converting cardholder data into a code that stands in place of this data, protecting it from cybersecurity threats both when in use and when in storage. With encryption, the data is rendered unreadable to any unauthorized parties.
Here are the key tasks for Requirement 4:
- Use strong cryptography and security protocols to protect cardholder data during transmissions on public networks.
- Ensure any wireless networks that are transmitting cardholder data or are connected to the cardholder data environment are using industry-standard strong encryption practices.
- Never send unencrypted PANs through messaging technologies such as email, instant messaging, SMS, chat, etc.
- Maintain thorough documentation of all relevant security policies and operational procedures. Additionally, make sure all policies are in use and known to all affected parties.
5. Protect Systems Against Malware with Regular Software Updates
Both software and malware are ever-evolving, meaning you need to regularly update your software via a vulnerability management program. This type of program systemically and continuously monitors for system weaknesses and potential exploitations.
Here are the key tasks for Requirement 5:
- Deploy anti-virus software on all systems that are commonly affected by malware (such as personal computers and servers) and perform periodic evaluations on malware threats to less commonly affected systems.
- Keep all anti-virus mechanisms current, perform periodic scans, and generate audit logs.
- Ensure anti-virus mechanisms can actively run and cannot be disabled by non-authorized users.
6. Develop & Maintain Secure Systems & Applications
All of your security systems and applications need to be protected against cybersecurity threats and vulnerabilities — with this protection oftentimes coming in the form of vendor-provided security patches. For this requirement, you must ensure all critical systems are up-to-date with the most recent patches and all less-critical systems are updated as soon as possible.
Here are the key tasks for Requirement 6:
- Establish a process for identifying security vulnerabilities and ranking these vulnerabilities on a high, medium, or low scale.
- Install applicable vendor-supplied security patches to relevant system components and software.
- Develop both internal and external applications that include web-based administrative access to applications and incorporate information security throughout the development cycle.
- For all changes to system components, follow the necessary change control processes and procedures. Double-check that all PCI requirements are implemented in new or changed systems.
- Train your developers in secure coding techniques and secure coding guidelines.
- Keep all public-facing applications protected from known attacks by performing application vulnerability assessments at least once per year. This task can also be achieved by implementing an automated solution for detecting and preventing web-based attacks.
7. Restrict Access to Cardholder Data on a Need-to-Know Basis
Restricting access to cardholder data on a need-to-know basis at the business level requires strong access control measures. These measures should govern both the physical and technical access to cardholder data and the cardholder data environment. These access limitations should be based on job responsibilities, with access to data further limited by what is necessary to complete a specific job.
Here are the key tasks for Requirement 7:
- Limit access to system components and the cardholder data environment to only the employees whose job necessitates this access.
- Establish an access control system that restricts access based on each user’s need to know. This access control system should be set to “deny all” with specific settings for allowances.
8. Identify & Authenticate All Access to Network Systems
To assign access to various system components, you must first assign a unique identification (ID) number to each authorized individual. These unique IDs ensure that all actions taken using cardholder data within the system can be traced to an exact known user.
Here are the key tasks for Requirement 8:
- Define and implement policies and procedures that necessitate the use of ID management for all users and administrators accessing the system. Each user should be assigned a unique username before being granted access to system components or cardholder data.
- Employ one of the following to authenticate all users — a password, a passphrase, a token device, a smart card, or a biometric authentication measure. All should be used in tandem with a strong authentication method and all passwords and passphrases should be encrypted.
- Secure individual non-console access via multi-factor authentication.
- Develop, implement, and communicate authentication policies to all users.
- Never share group, shared, or generic IDs, or any other authentication methods. If you have a service provider with access to customer environments, this provider needs to have a unique authentication credential for each environment they operate in.
- Use of other authentication methods must be assigned to individual accounts, such as smart cards and physical security tokens.
- Restrict access to all databases containing cardholder data. Only database administrators should have direct or query access to these databases.
9. Restrict Physical Access to Cardholder Data
For any physical components that house cardholder data, access to these physical systems must be limited to authorized on-site personnel. Visitors may be granted access on a limited and need to know basis.
Here are the key tasks for Requirement 9:
- Use appropriate facility controls that both limit and monitor physical access to system components.
- Develop clear procedures for distinguishing between onsite personnel and visitors (such as assigning ID badges).
- Maintain control over physical access to sensitive areas by authorizing access based on each person’s individual job function. Access should be revoked immediately if an authorized person is terminated or otherwise leaves the company.
- Authorize, monitor, and log all visitors who access physical system components
- Physically secure all media (any paper or electronic media containing cardholder data) and store backup media in a secure, off-site location.
- Maintain strict control over the internal or external distribution of media.
- Maintain strict control over the storage and accessibility of media.
- Destroy media when it is no longer needed.
- Protect all devices that capture payment and cardholder data via direct physical interactions, such as card swipes and chip readers. POS devices should be periodically inspected for signs of tampering and all personnel handling POS devices should be trained on identifying suspicious activity.
10. Track & Monitor All Access to Network Resources and Cardholder Data
Your networks are responsible for connecting all endpoints in your payment infrastructure. To keep these networks safe, you must regularly track, monitor, and test these networks and their related devices for any vulnerabilities or cybersecurity threats.
Here are the key tasks for Requirement 10:
- Implement audit trails that link all system access to individual users.
- Implement automated audit trails for system components that reconstruct the following events — all individual access, all actions taken by individuals with access privileges, all access to audit trails, all invalid login attempts, use of or changes to authentication and identification mechanisms, all account changes or deletions, all initializing or stopping of audit logs, all creation or deletion of system-level objects.
- Record audit trails for each event in each system component.
- Use time synchronization technology to keep all critical system clocks aligned.
- Secure audit trails in a way that prevents them from being altered.
- Review your logs and security events regularly — critical log reviews should be performed daily.
- Keep up to one year’s worth of audit trail history. Additionally, keep the most recent three months of history readily available for review.
- Ensure service providers have implemented a process for timely detection and reporting of failures in your critical security control systems.
11. Regularly Test Security Processes & Systems
Requirement 11 goes hand-in-hand with Requirement 10, necessitating regular monitoring and testing of all security systems and processes. Testing security controls is particularly important following any changes to the system environment, such as changed system configurations.
Here are the key tasks for Requirement 11:
- Implement test processes and maintain an up-to-date inventory for wireless access points. All wireless access points should be detected and identified on a quarterly basis.
- Run internal and external vulnerability scans at least quarterly or after major network changes.
- Develop and implement a method for penetration testing annually or after significant upgrades or modifications.
- Leverage network intrusion detection and intrusion prevention techniques to inhibit intrusions. Additionally, all traffic at the perimeter and in critical points within the cardholder data environment. Report any suspicious activity or suspected compromises to the relevant personnel.
- Deploy a change detection mechanism to alert personnel to unauthorized modifications of critical files belonging to the system, configurations, or content. Software should be configured to perform critical file comparisons weekly.
12. Maintain an Information Security Policy for All Personnel
The 12th and final requirement of PCI compliance is to maintain a strong security policy that is known across the organization and sets clear expectations for employees.
Here are the key tasks for Requirement 12:
- Establish, publish, maintain, and disseminate a security policy with annual reviews and updates following environment changes.
- Implement a risk assessment process that is performed annually or after significant changes.
- Develop clear usage policies for critical technologies, such as laptops, tablets, and handheld devices.
- Ensure your security policy and procedures clearly define the security responsibilities for all personnel.
- Assign individual and team information security responsibilities.
- Implement a formal security awareness program.
- Screen potential new hires prior to onboarding, with checks on each person’s employment history, criminal record, credit history, and references.
- Maintain and implement policies for managing service providers with access to cardholder data.
- Implement a detailed incident response plan and be prepared to respond immediately in the event of a system breach.
Experience Stress-Free & Hands-Off PCI Compliance with Spreedly
For merchants and merchant aggregators, PCI compliance can be a major hurdle that drains not just your budget but also your talent and resources. To keep your team focused on growth and innovation, partner with Spreedly for all of your payment needs.
At Spreedly, our payment orchestration solution is maintained at Level 1 PCI compliance. Plus, Spreedly is partnered with other participating organizations to collaborate with the PCI SSC in securing payment data worldwide and evolving the PCI DSS.
Contact us today to begin simplifying your approach to PCI compliance.