Call us on 03450 21 21 51

Getting to grips with the 12 PCI DSS requirements?
The SRM Blog

Getting to grips with the 12 PCI DSS requirements?

Ian Armstrong

Written by Ian Armstrong

7th August 2020

Share this article

12 PCI DSS requirements

PCI compliance is essential for businesses that are required to maintain payment security and protect customer data. But what exactly is involved in the 12 PCI DSS requirements?

As with so many things in life, planning is best done by following a list. Last month we covered the checklist required for ISO 27001 certification and this month we’re turning our attention to PCI DSS. While the specifics of how to become compliant may vary, the basic premise of both standards is actually quite similar. As I will outline below there are 12 PCI DSS requirements to consider.

As most merchants will already be aware, the Payment Card Industry Data Security Standard – or PCI DSS is a standard mandated by the card brands, but administered by the Payment Card Industry Security Standards Council (PCI SSC) in order to help secure and protect payment card information.

The standard holds businesses accountable for their data protection, providing clear guidelines that must be followed in order to gain compliance.

Data theft and data breaches are, unfortunately, extremely common across all industries. The impact of a breach can be devastating for all parties involves, so the need for PCI compliance has never been greater.

The 12 PCI DSS requirements:

The following provides a brief description of what each of the requirements covers.

1. Install and maintain a firewall configuration to protect cardholder data

Properly configured firewalls protect your card data storage environment, restricting incoming and outgoing network traffic through rules created by your organisation.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

When investing in out-of-the-box items like software that provides security service or POS systems, be sure to update default usernames and passwords to something unique to your business.

3. Protect stored cardholder data

Stored card data must be encrypted using industry-accepted algorithms. What’s more, the encryptions themselves must also be protected, which requires a full understanding of how data moves through your organisation.

4. Encrypt transmission of cardholder data across open, public networks

Understand where you send your cardholder data – processors, backup servers, third parties, outsourced management systems and corporate offices are among the most common options. You’ll then need to protect and encrypt across the transmission process.

5. Use and regularly update antivirus software

Anti-virus software needs to be installed on all systems that could be affected by malware. Be sure to keep your software updated too.

6. Develop and maintain secure systems and applications

Patch all critical components in the card flow transmission journey, including internet browsers, firewalls, app software, databases, POS terminals and operating systems. Ensure that there is an industry standard robust Software Development Life Cycle in place.

7. Restrict access to cardholder data by business need to know

For this step, you’ll need to ensure that critical data can only be accessed by authorised users. A roles-based access control system (RBAC) can assist in this as each required role within the organisation can be set with the most appropriate privileges. This grants access to card data and systems on a need to know basis, limiting the exposure of sensitive data to those with the authority to access it.

8. Assign a unique user ID to each person with computer access

User IDs and passwords should be sufficiently complex. But, even more importantly, they need to be unique. Shared or group passwords put your data at unnecessary risk. Ensure that there is complexity applied to passwords to ensure they are strong and not easily guessed.

9. Restricted physical access to cardholder data

Physically limit access to areas where cardholder data is accepted over the phone or where cardholder data is held. It’s a good idea to document who has access to secure environments and why, as well as creating a list of authorised device users, locations and applications where card holder data is processed.

10. Track and monitor all access to network resources and cardholder data

You must review logs of activity at least daily in order to find errors, anomalies and suspicious activities. You’ll also need a response in place for these anomalies. Log monitoring systems like SIEM can help you oversee network activity in your business.

Note: In 2017, Security Metrics found that failing to comply with this step was the most common contributor to data breaches.

11. Regularly test security systems and processes

These are measures which aim to identify vulnerable areas in your security before an incident takes place. Penetration testing mimics the actions of a hacker in order to find out the easiest way to access your data, allowing you to act proactively rather than reactively.

12. Maintain a policy that addresses information security

The final requirement for PCI compliance involves keeping a record of documentation, policies, procedures, and evidence relating to your business’s security. This includes employee manuals, policies and procedures, third-party agreements, and incident response plans. All such documentation must be maintained and updated as necessary and must always be reviewed on at least an annual basis.


Looking for help to meet the 12 PCI DSS requirements? Our team of experienced information security professionals includes Qualified Security Assessors able to guide you towards quick, efficient compliance. Click here to get in touch with our team and find out how we can help you.

For a full and detailed explanation, please refer to a copy of the latest version of the PCI DSS available at

Back to top