Brief Explanation of PCI DSS Requirements

Ben Pournader
Jul 27, 2018

PCI DSS is an information security standard for organizations and companies that handle credit cards from Visa, MasterCard, American Express, Discover and JCB. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. PCI DSS is designed to put security safeguards around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually, either by a Qualified Security Assessor (QSA) or through a Self-Assessment Questionnaire (SAQ).

It has 12 requirements (based on the latest version as of today, which is version 3.2.1):

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Requirement 1. Implement firewall & router configuration standards

  • You should have a firewall at each Internet connection and between any DMZ and the internal network zone.
  • You should restrict inbound and outbound traffic to that which is necessary for the CDE and deny all other traffic.
  • You should install perimeter firewalls between all wireless networks and the cardholder data environment.
  • You should prohibit direct public access between the Internet and any system component in the CDE, and you should not allow unauthorized outbound traffic from the CDE to the Internet.
  • You have to place the databases that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.
  • You should have a documented process for testing and approval of changes to firewall and router configurations and ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
  • You should review firewall and router rule sets at least every six months.
  • You should have a description of roles and an assignment of responsibilities that ensures personnel are aware of who is responsible for the security of all network devices.
  • You should have a current network diagram that identifies all connections between the CDE and other networks.
  • You should have a current data-flow diagram that shows all cardholder data flows across systems and networks.
  • Services, protocols and ports that are necessary for business should be clearly documented and organizations should ensure that all other services are disabled or removed.

If insecure services, protocols, or ports are necessary, the organization should clearly understand, accept and approve the risk of using them, justify their use, and document and implement the security features that allow them to be used securely.

  • Install personal firewall software on any computer and laptop that is used to connect to CDE.

Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Always change vendor-supplied default passwords, default wireless encryption keys, passwords and SNMP community strings and remove or disable unnecessary default accounts.
  • Key-exchange protocols for older versions of 802.11x encryption, like WEP, cannot be used.
  • Develop configuration standards (system hardening standards) for all system components and remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
  • Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. For example, web servers, database servers, and DNS should be implemented on separate servers.

Actually I saw lots of QSAs accept having DNS, DHCP and IAM functionality of Microsoft Active Directory on a single server!

  • Enable only necessary services, protocols, daemons and ports as required for the function of the system.
  • Encrypt all non-console administrative access using strong cryptography. This means that you cannot use telnet, rsh or ftp, or even SSL and TLS 1.0.
  • Maintain an inventory of system components that are in scope for PCI DSS.

Requirement 3. Protect stored cardholder data

Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection especially when the data is in transit. If a hacker circumvents other security safeguards the data should be unreadable and unusable for him/her.

  • Do not send unprotected PANs using end-user messaging technologies such as email and instant messaging.
  • Keep cardholder data storage to a minimum by implementing data retention and disposal policies and procedures. Remember, if you don’t need it, don’t store it! These procedures should include at least the following for all cardholder data storage:
      • Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
      • Specific retention requirements for cardholder data
      • Processes for secure deletion of data when no longer needed
      • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
  • Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. You may need just the cardholder’s name, primary account number (PAN), expiration date and service code.
  • Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
  • Render PAN unreadable anywhere it is stored, including in logs and backup media, by using one-way hashes, truncation, index tokens and pads, or strong cryptography with associated key-management processes and procedures.
  • If disk encryption is used (instead of file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms, and decryption keys must not be associated with user accounts.
  • Document and implement procedures to manage and protect keys used to secure stored cardholder data.
  • Use strong cryptographic keys, restrict access to cryptographic keys to the fewest number of custodians necessary, and store cryptographic keys in the fewest possible locations.
  • Retire and change cryptographic keys that have reached the end of their cryptoperiod, i.e. after a defined period of time has passed or after a certain amount of ciphertext has been produced by a given key.
  • Retire the keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
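
The masking and log items above can be enforced at the point where log lines are written. The following is an added example, not part of the original article: it finds candidate PANs in log lines, confirms them with the Luhn checksum, and truncates them to the first six and last four digits. The log format and the sample lines are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line: str):
    """Return (scrubbed_line, number_of_PANs_masked)."""
    hits = 0

    def _replace(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave untouched
        hits += 1
        return mask_pan(digits)

    return CANDIDATE.sub(_replace, line), hits

def scrub_log(lines):
    """Scrub every line; return (clean_lines, total_PANs_masked)."""
    clean, total = [], 0
    for line in lines:
        scrubbed, hits = scrub_line(line)
        clean.append(scrubbed)
        total += hits
    return clean, total

# Constructed sample log lines; 4111111111111111 is a widely used test number.
SAMPLE_LOG = [
    "2018-07-27T10:15:02Z auth ok pan=4111111111111111 amount=10.00",
    "2018-07-27T10:15:09Z declined card 4111-1111-1111-1111 reason=05",
    "2018-07-27T10:16:40Z shipped order_id=1234567890123456",
]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG)[0]:
        print(line)
```

A PAN that directly follows another digit group separated only by a space or hyphen can be merged into one candidate and missed, so a scrubber like this complements, and does not replace, keeping PANs out of log statements in the first place.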

Requirement 4. Encrypt transmission of cardholder data across open, public networks

  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. Open networks include the Internet, wireless technologies, cellular technologies like GSM, and satellite communications.
  • Never send unprotected PANs by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.)

Requirement 5. Protect all systems against malware and regularly update antivirus software or programs

  • Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers) if applicable antivirus technology exists.
  • Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management.
  • Make sure that AV protects against all types and forms of malicious software: viruses, Trojans, worms, spyware, adware, and rootkits.
  • Ensure that all AV mechanisms are kept current, perform periodic scans and generate audit logs.

Requirement 6. Develop and maintain secure systems and applications

  • Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking.
  • Install critical security patches within one month of release.
  • Develop internal and external software applications with secure authentication and logging, based on industry standards and/or best practices.
  • Review custom code prior to release to production or customers in order to identify any potential coding vulnerability.
  • Have a change control process to track all changes to system components. This process must include:
      • Separate development/test environments from production environments, and enforce the separation with access controls.
      • Separation of duties between development/test and production environments.
      • Production data (live PANs) are not used for testing or development.
      • Removal of test data and accounts from system components before the system becomes active/goes into production.
  • Change control procedures must include the following:
      • Documentation of impact.
      • Documented change approval by authorized parties.
      • Functionality testing to verify that the change does not adversely impact the security of the system.
      • Back-out procedures.
  • Address common coding vulnerabilities in software development processes by training developers at least annually in up-to-date secure coding techniques, and developing applications based on secure coding guidelines in order to avoid injection flaws, buffer overflow, insecure cryptographic storage, insecure communications, improper error handling, cross-site scripting, improper access control, cross-site request forgery and broken authentication and session management.
  • For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks, either by performing a manual or automated application vulnerability security assessment at least annually and after any changes, or by using a WAF that continually checks all traffic to detect and prevent web-based attacks.

Requirement 7. Restrict access to cardholder data by business need to know

  • Limit access to only those individuals whose job requires such access, i.e. set it to deny all unless specifically allowed.
  • Get documented approval by authorized parties specifying required privileges.

Requirement 8. Identify and authenticate access to system components

  • Assign a unique ID to each person. This ensures that each individual is uniquely accountable for their actions. Do not use group, shared, or generic IDs, passwords, or other authentication methods.
  • Immediately revoke access for any terminated users.
  • Remove/disable inactive user accounts within 90 days.
  • Manage IDs used by third parties to access, support, or maintain system components via remote access, and make sure they are enabled only during the time period needed and disabled when not in use. Also monitor those IDs when in use.
  • Limit repeated access attempts by locking out the user ID after not more than six attempts.
  • Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
  • If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
  • Set up MFA.
  • Verify user identity before modifying any authentication credential in order to avoid social engineering.
  • Passwords must have a minimum length of at least seven characters and must contain both numeric and alphabetic characters.
  • Change user passwords at least once every 90 days.
  • Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  • Set passwords for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
  • Document and communicate authentication policies and procedures.
  • Access to the database should meet the following requirements:
      • All user access to, user queries of, and user actions on databases are through programmatic methods.
      • Only database administrators have the ability to directly access or query databases.
      • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
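
The lockout, idle-timeout and password items above translate directly into account-state logic. The following is an added example, not part of the original article: the thresholds come from the list above, while the `Account` class, its method names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 6         # lock out after not more than six attempts
LOCKOUT_SECONDS = 30 * 60       # minimum lockout duration
IDLE_TIMEOUT_SECONDS = 15 * 60  # re-authenticate after more than 15 idle minutes
MIN_PASSWORD_LENGTH = 7
PASSWORD_HISTORY = 4            # new password must differ from the last four

def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count is an example value, not taken from the article.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    history: list = field(default_factory=list)  # (salt, digest), newest last

    def login_attempt(self, password_ok: bool, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            self.failures, self.last_activity = 0, now
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "failed"

    def admin_unlock(self) -> None:
        self.locked_until = 0.0  # "or until an administrator enables the user ID"

    def session_expired(self, now: float) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS

    def change_password(self, new: str) -> list:
        """Return the list of policy violations; empty means the change was accepted."""
        problems = []
        if len(new) < MIN_PASSWORD_LENGTH:
            problems.append("shorter than seven characters")
        if not (any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
            problems.append("needs both letters and digits")
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in self.history):
            problems.append("matches one of the last four passwords")
        if not problems:
            salt = os.urandom(16)
            entry = (salt, _digest(new, salt))
            self.history = (self.history + [entry])[-PASSWORD_HISTORY:]
        return problems
```

Time is passed in as `now` (seconds) so the lockout and idle rules can be unit-tested without waiting.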

Requirement 9. Restrict physical access to cardholder data

  • Use entry controls to limit and monitor physical access to systems in CDE.
  • Use either video cameras or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months.
  • Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
  • Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
  • Implement procedures to identify and authorize visitors.
  • Physically secure all media.
  • Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
  • Properly maintain inventory logs of all media and conduct media inventories at least annually.
  • Destroy media when it is no longer needed for business or legal reasons.
  • Maintain an up-to-date list of devices. The list should have make, model of device, location of device and device serial number or other method of unique identification.
  • Periodically inspect device surfaces to detect tampering or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
  • Provide training for personnel to be aware of attempted tampering or replacement of devices.

Requirement 10. Track and monitor all access to network resources and cardholder data

  • Implement audit trails to link all access to system components to each individual user.
  • Secure audit trails so they cannot be altered.
  • Log all accesses to audit trails.
  • Log all initialization, stopping, or pausing of the audit logs.
  • Using time-synchronization technology such as NTP, synchronize all critical system clocks and times.
  • Use FIM or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
  • Review logs and security events for all system components to identify anomalies or suspicious activity by log harvesting, parsing, and alerting.
  • Review the following at least daily:
      • All security events
      • Logs of all system components that store, process, or transmit CHD and/or SAD
      • Logs of all critical system components
      • Logs of all servers and system components that perform security functions (for example, firewalls, IDS and IPS, authentication servers, e-commerce redirection servers, etc.).
  • Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
  • Follow up exceptions and anomalies identified during the review process.
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
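
The change-detection item above has one subtlety: appended log data must not alert, while any change to data already written must. The following is an added example, not part of the original article, of an append-aware check; the function names and the baseline dictionary are assumptions, and the baseline has to be kept where the account writing the log cannot modify it.

```python
import hashlib
import os

def _sha256_prefix(path: str, length: int):
    """Hash the first `length` bytes; return (hex_digest, bytes_actually_read)."""
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break  # file is shorter than expected
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest(), length - remaining

def take_baseline(path: str) -> dict:
    """Record how long the log is now and the hash of exactly that much data."""
    digest, read = _sha256_prefix(path, os.path.getsize(path))
    return {"size": read, "sha256": digest}

def check_log(path: str, baseline: dict):
    """Return (status, baseline_to_keep).

    status is 'unchanged', 'appended', or a string starting with 'ALERT'.
    Only the bytes covered by the baseline are compared, so new lines
    appended since the last check never raise an alert.
    """
    digest, read = _sha256_prefix(path, baseline["size"])
    if read < baseline["size"]:
        # Log rotation also lands here; re-baseline rotated files deliberately.
        return "ALERT: log shorter than baseline (truncated or replaced)", baseline
    if digest != baseline["sha256"]:
        return "ALERT: previously recorded log data was modified", baseline
    current = take_baseline(path)
    status = "appended" if current["size"] > baseline["size"] else "unchanged"
    return status, current
```

On an alert the old baseline is returned unchanged so the evidence of what the log used to contain is not overwritten by the next check.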

Requirement 11. Regularly test security systems and processes

  • Implement processes to test for the presence of wireless access points and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
  • Maintain an inventory of authorized wireless access points.
  • Implement incident response procedures in the event unauthorized wireless access points are detected.
  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
  • Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV).
  • Implement a methodology for penetration testing.
  • Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification.
  • Use IDS and IPS.
  • Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
  • Implement a process to respond to any alerts generated by the change-detection solution.

Requirement 12. Maintain a policy that addresses information security for all personnel

  • Establish, publish, maintain, and disseminate a security policy.
  • Review the security policy at least annually and update the policy when the environment changes.
  • Implement a risk-assessment process that:
      • Is performed at least annually and upon significant changes to the environment
      • Identifies critical assets, threats, and vulnerabilities
      • Results in a formal, documented analysis of risk
  • Develop usage policies for critical technologies and define proper use of these technologies.
  • Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  • Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures and educate personnel upon hire and at least annually.
  • Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
  • Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  • Implement an incident response plan. Be prepared to respond immediately to a system breach.
  • Have business recovery and continuity procedures and data backup processes.
  • Designate specific personnel to be available on a 24/7 basis to respond to alerts.

Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.
