WHAT ARE THE 12 REQUIREMENTS OF PCI DSS?

Blog Article

Beyond a basic security configuration, PCI DSS certification requires compliance with 12 specific requirements established by the PCI Security Standards Council (PCI SSC). These requirements, which range from network protection to data access controls, are grouped under six major security goals. To manage the intricacies of compliance successfully and economically, many firms choose to work with professional PCI DSS consulting services. Getting PCI DSS certification in Chennai can be intimidating, especially if this is the first time your business has handled customer payment information.

Each of the six PCI DSS goals is backed by specific requirements defined by the PCI SSC. Organizations must fulfil all 12 of the following to be PCI DSS-compliant:

  • Install and maintain a firewall to protect cardholder data environments: This first requirement ensures that merchants and service providers maintain a secure network by correctly configuring their firewalls and routers. A properly configured firewall protects the environment in which your card data lives: it limits both inbound and outbound network traffic according to rules and criteria your company has defined.

  • Don't use vendor-supplied default passwords and other security parameters: The main goal of this requirement is to harden your company's systems (servers, network equipment, applications, firewalls, wireless access points, and so on). Most devices and operating systems ship with factory-default usernames, passwords, and other insecure configuration settings. Many of these default identities and passwords are even published online, making them trivial to guess.

  • Protect stored cardholder data: This is the PCI standard's most crucial requirement. Under requirement 3, you must first identify all of the data you plan to store, as well as where it is stored and how long it is retained. All of this cardholder data must be hashed (SHA-256, PBKDF2), truncated, tokenized, or encrypted using industry-accepted techniques (such as AES-256 or RSA-2048). Beyond card data encryption, this requirement also covers a robust PCI DSS encryption key management procedure.

  • Encrypt payment card data transmitted across open, public networks: Building on requirement 3, this requires that card data be protected whenever it is sent over a public or open network (such as the Internet, 802.11 wireless, Bluetooth, GSM, CDMA, or GPRS). You need to know where card data is sent from and received. To conduct transactions, card data is primarily sent to the payment processor, payment gateway, and similar parties.

  • Use and regularly update antivirus software: The main goal of this requirement is to protect systems from all forms of malware. Antivirus software must be installed on all systems, including the workstations, laptops, and mobile devices that staff use to access the environment locally and remotely. To detect known malware, you must ensure that your antivirus or anti-malware software is updated frequently; an up-to-date anti-malware tool prevents systems from being compromised by known malware.

  • Develop and maintain secure systems and applications: Define and implement a process that uses trustworthy outside sources to identify and rank the risk of security vulnerabilities in the PCI DSS environment. Organizations must apply critical patches on schedule to reduce the window for exploitation. All systems inside the card data environment should be patched, including:
    • Operating systems
    • Switches, routers, and firewalls
    • Application software and databases
    • POS systems

  • Restrict access to cardholder data to employees whose jobs require it (business need to know): To put robust access control procedures in place, service providers and merchants must be able to grant or deny access to cardholder data systems. The main focus of this requirement is role-based access control (RBAC), which grants access to card data and systems only to those who need to know.

  • Assign a unique ID to each person with data or computer access: Shared or group user credentials are discouraged. Passwords must be sufficiently complex, and each authorized user must have an individual identity. This guarantees that accountability can be upheld and that any access to cardholder data can be traced to a known user. Two-factor authentication is required for all non-console administrative access (remote access).

  • Restrict who has physical access to cardholder data: The main objective of this requirement is to protect physical access to systems containing cardholder data. Without physical access controls, unauthorized individuals might enter the facility and steal, disable, disrupt, or destroy cardholder data and critical systems.

  • Track and monitor all access to network resources and cardholder data: Flaws in both wireless and physical networks make card data theft easier for cybercriminals. Under this requirement, all systems must have an appropriate audit policy configured and must send their logs to a centralized syslog server. These logs must be reviewed at least once a day to check for irregularities and suspicious activity.

  • Regularly test security systems and processes: Malicious individuals and researchers discover new vulnerabilities continually. Therefore, all systems and processes must be tested frequently to ensure that security is maintained.

  • Maintain an information security policy: The last requirement for PCI compliance is to implement and maintain an information security policy for all employees and other relevant parties. At least once a year, the information security policy must be reviewed and distributed to all staff members, vendors, and contractors, and users are required to read and acknowledge it.
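Requirement 3 above lists truncation and hashing among the accepted ways to protect stored cardholder data. The following is an added example (not code from the original article or any PCI SSC material) showing what a system may persist instead of the full PAN: a masked form, a salted PBKDF2 digest for lookups, and a check that a record or log line does not leak the full number. The sample card number is a constructed, well-known test value, and the secret salt is a hypothetical stand-in for a key held in a key-management system.

```python
import hashlib
import os
import re

# Constructed sample: a well-known Visa test number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"
# Hypothetical secret salt; in practice it is held in a key-management system
# (requirement 3 also covers key management), never next to the stored hashes.
SECRET_SALT = os.urandom(32)
PBKDF2_ITERATIONS = 200_000


def normalize_pan(pan: str) -> str:
    """Strip separators and verify 13-19 digits with a valid Luhn checksum."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    if total % 10 != 0:
        raise ValueError("PAN fails Luhn check")
    return digits


def truncate_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits (a common PCI DSS masking format), mask the rest."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, salt: bytes = SECRET_SALT) -> str:
    """Salted PBKDF2-HMAC-SHA256 digest: allows lookups without storing the PAN."""
    digits = normalize_pan(pan)
    return hashlib.pbkdf2_hmac("sha256", digits.encode(), salt, PBKDF2_ITERATIONS).hex()


def stored_record(pan: str) -> dict:
    """What may be persisted: masked PAN plus salted hash, never the full PAN."""
    return {"masked": truncate_pan(pan), "pan_hash": hash_pan(pan)}


def leaks_full_pan(text: str, pan: str) -> bool:
    """Check whether a record or log line contains the full PAN in any spacing."""
    return normalize_pan(pan) in re.sub(r"[\s-]", "", text)
```

Because a PAN has little entropy, the salt must stay secret; a hash of the bare PAN with a public salt could be brute-forced by enumerating valid card numbers.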

Any firm that handles card payments must meet these 12 requirements, even though the road to PCI DSS certification can be complicated. Using expert PCI DSS services and consulting in Chennai can help minimize risk, speed up compliance, and avoid the significant fines associated with non-compliance. Whether your company is based in Chennai or operates internationally, working with a certified PCI DSS consultant in Chennai ensures that you have the resources, know-how, and support you need to stay secure and compliant.