As we recently announced, Strike Graph now supports PCI DSS. But a lot of people may still be wondering, what exactly does PCI DSS entail, and what are the requirements?

Therefore, we thought we’d use this post to go a bit more in-depth and explore the 12 PCI DSS requirements, as well as how they apply to your business.

Let’s dive in.

12 PCI DSS Requirements

All companies that accept or process debit or credit card transactions must meet these 12 requirements for maintaining a secure network and handling cardholder data in order to comply with PCI DSS. These requirements correspond with the six goals of the standard.

Goal: Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

This ensures merchants and service providers maintain a secure network by properly configuring a firewall (and routers if applicable) to protect your card data environment.

How does this work? Firewalls provide the first line of protection for your network by restricting incoming and outgoing network traffic through rules and criteria configured by your company. You can achieve this by establishing firewalls and router standards, thereby creating a standardized process for rules that allow or deny access to the network.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

This ensures your company’s systems—including applications, servers, firewalls, wireless access points, network devices, etc.—are not using the factory default setting for usernames, passwords, and other configuration parameters.

Per this requirement, you must also maintain an inventory of all systems, including their updated configuration procedures, which will need to be followed every time a new system is introduced into the IT infrastructure.

Goal: Protect Cardholder Data

3. Protect stored cardholder data.

The most important requirement, this states that you must first know all the data you are going to store along with its location and retention period before you collect it. From there, all cardholder data must be either encrypted using industry-accepted algorithms, truncated, tokenized, or hashed.

This requirement also ensures you know how to create a strong PCI DSS encryption key management process, and includes rules for how primary account numbers should be displayed.

4. Encrypt transmission of cardholder data across open, public networks.

This states your organization must 1. Secure card data when it is transmitted over an open or public network, and 2. Know where you are going to send/receive the card data to/from.

This requirement exists because encrypting cardholder data prior to transmitting it, using a secure version of transmission protocols, can limit the likelihood of data becoming compromised.

Goal: Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs.

This ensures your company is protected against all types of malware that can affect systems by having antivirus or anti-malware solutions on laptops, workstations, mobile devices, etc. 

Ensure these solutions are always active, using the latest signatures, generating auditable logs, and are updated on a regular basis to detect known malware.

6. Develop and maintain secure systems and applications.

This requirement states that organizations must define and implement a process that allows them to identify and classify the risk of security vulnerabilities through reliable, external sources.

This includes deploying critical patches in the card data environment, including databases, operating systems, POS terminals, application software, firewalls, routers, switches, and more. Additionally, your business will need to define and implement a development process that includes security requirements in all phases of development.

Goal: Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

Merchants and service providers must implement strong access control measures, allowing or denying access to cardholder data systems via role-based access control (RBAC).

Your organization must grant access to card data and systems on a need-to-know basis, documenting all users who will need access to the card data environment, as well as their:

• Roles
• Role definitions
• Current privilege level
• Expected privilege level
• Data resources for each user to perform operations on card data

8. Assign a unique ID to each person with computer access.

Instead of using shared or group usernames and passwords, ensure every authorized user has a unique identifier and password.

Additionally, for remote access, two-factor authorization is required. Both measures ensure all activity can be traced to a known user and accountability can be maintained.

9. Restrict physical access to cardholder data.

This ensures the protection of physical access to locations (e.g. data centers), systems, and all removable or portable media with cardholder data. This requires the use of:

• Video cameras/electronic access control to monitor entry and exit doors
• Recordings or access logs of personnel movement
• An access process that distinguishes between authorized visitors and employees

Goal: Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

This states that: 1. All of your systems must have the correct audit policy set, 2. You must send the logs to a centralized syslog server, and 3. These logs must be reviewed for anomalies and suspicious activities at least daily.

Additionally, audit trail records must include time synchronization, audit data must be secured, and data must be maintained for a period no shorter than a year.

11. Regularly test security systems and processes.

This requirement ensures that all systems and processes are tested on a frequent basis in order to ensure security is maintained. In addition to weekly file monitoring, you must:

• Complete a wireless analyser scan to detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
• Have a PCI Approved Scanning Vendor (ASV) scan all external IPs and domains exposed in the CDE at least quarterly.
• Conduct an internal vulnerability scan at least quarterly.
• Carry out a network penetration test and application penetration test at least yearly or after any significant change has been made to your system.

Goal: Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

Your organization’s information security policy must be reviewed and disseminated to all the employees, vendors, and/or contractors at least yearly. In addition, you must perform:

1. 1. User awareness training
2. 2. Employee background checks
3. 3. Incident management
4. 4. An annual formal risk assessment that identifies critical assets, threats, and vulnerabilities

Are You Ready for PCI DSS Compliance?

While achieving PCI DSS compliance can be complex, we’re here to help with our streamlined certification process. Strike Graph will:

1. 1. Use our risk assessment tool to identify your existing PCI DSS cybersecurity controls
2. 2. Provide a gap assessment
3. 3. Arrange an audit if needed
4. 4. Get your PCI DSS certification