Select regional store:

The 12 Requirements of the PCI DSS

This page outlines the Payment Card Industry Data Security Standard’s 12 requirements and explains how to achieve and maintain compliance with each of them. The requirements apply to “all system components included in or connected to the cardholder data environment” – i.e. the “people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data”. Note that not all companies need to comply with all 12 requirements: compliance requirements depend on the type and volume of transactions your organisation undertakes, and will be dictated by your acquiring bank.

Compliance with the PCI DSS might seem onerous but it is not solely a matter of legal obligation – its requirements offer strong data security measures that will benefit your organisation. Indeed, the Verizon 2015 PCI Compliance Report found a strong correlation between non-compliance with the PCI DSS and the likelihood of suffering a data breach.

See our main PCI DSS information page for further guidance >>

Latest changes introduced by version 3.2

To review changes to the individual requirements introduced by PCI DSS version 3.2, please review the standard.

The 12 requirements of the PCI DSS are:

Build and maintain a secure network and systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Click here to expand.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Click here to expand.

Protect cardholder data

Requirement 3: Protect stored cardholder data
Click here to expand.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Click here to expand.

Version 3.1 has removed SSL as an example of a secure technology.

Maintain a vulnerability management program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
Click here to expand.

Requirement 6: Develop and maintain secure systems and applications
Click here to expand.

Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need to know
Click here to expand.

Requirement 8: Identify and authenticate access to system components
Click here to expand.

Requirement 9: Restrict physical access to cardholder data
Click here to expand.

Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Click here to expand.

Requirement 11: Regularly test security systems and processes
Click here to expand.

Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security for all personnel
Click here to expand.

PCI DSS solutions

IT Governance sources, publishes and distributes the world’s best selection of PCI DSS resources, and provides a wide range of services to help you meet your PCI DSS obligations. Please download our free PCI DSS Compliance brochure or follow the links below for further information about specific products and services:

QSA-led consultancy services


PCI DSS: A Pocket Guide, fifth edition, click here >>


PCI DSS documentation toolkit

Training courses

PCI DSS Foundation Training Course
PCI DSS Implementation Training Course
PCI DSS Self-Assessment Questionnaire (SAQ) Workshop

Staff awareness

PCI DSS Staff Awareness E-learning course

Penetration testing

PCI penetration testing

Call us on 00 800 48 484 484 or email us to discuss your specific PCI DSS requirements.

This website uses cookies. View our cookie policy