Friday, January 29, 2021

What are PCI DSS Requirements?


In this article, we will understand the 12 requirements of PCI DSS. Let's get started. Any merchant or service provider that stores, processes or transmits cardholder data is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard specifies 12 requirements, organized into six control objectives relating to the storage, transmission and processing of cardholder data, and it is developed and maintained by the Payment Card Industry Security Standards Council.

 

The requirements apply to all system components included in or connected to the cardholder data environment, that is, the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. Please note that failing to meet the 12 requirements could mean a fine or the termination of credit card processing privileges. Let's understand the 12 requirements.

 

12 requirements of PCI DSS

 

1. Protect your system with firewalls:

 

This is important because firewalls control the transmission of data between an organization's trusted internal networks and untrusted external networks, as well as the traffic between sensitive areas of the internal networks themselves.

 

2. Configure passwords and settings:

 

The default settings of many commonly used systems are well known, easily exploitable, and often used by criminal hackers to compromise those systems. Vendor-supplied default settings must be changed and unnecessary default accounts disabled or removed before any system is installed on a network.

 

3. Protect stored cardholder data:

 

The storage of cardholder data should be kept to a minimum, and appropriate data retention and disposal policies, procedures and processes should be implemented. Certain data, such as the full contents of the chip or magnetic stripe, the card verification value (CVV) or the PIN, should never be stored. When data is stored, it should be stored securely.
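
As an added example (not part of the original article), the following Python scanner checks stored records for the items Requirement 3 says must never be kept after authorization: full track 1/track 2 data, a card verification value, a PIN, and bare PANs that were not protected. The track formats and field labels it recognizes, the six-plus-four masking rule and the sample records are all constructed assumptions for illustration.

```python
import re

# Luhn (mod-10) check separates real PANs from other long digit runs such as order ids
def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Sensitive authentication data that Requirement 3 says must never be stored (assumed formats)
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")  # %B<PAN>^<NAME>^YYMM...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3,}\?")               # ;<PAN>=YYMM<service code>...?
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cvn|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin(?:_block)?\s*[:=]\s*[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)
PAN_RE = re.compile(r"\b\d{13,19}\b")

def mask_pan(pan):
    """Show first six and last four digits only (a common truncation rule; assumed here)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(text):
    """Return the list of prohibited items found in one stored record (empty means clean)."""
    findings = []
    for label, pattern in (("track 1", TRACK1_RE), ("track 2", TRACK2_RE)):
        for m in pattern.finditer(text):
            findings.append(f"{label} data with PAN {mask_pan(m.group(1))}")
    if CVV_RE.search(text):
        findings.append("card verification value stored")
    if PIN_RE.search(text):
        findings.append("PIN or PIN block stored")
    # track data is already reported; look for bare, unprotected PANs in what remains
    remaining = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", text))
    for m in PAN_RE.finditer(remaining):
        if luhn_valid(m.group(0)):
            findings.append(f"unprotected PAN {mask_pan(m.group(0))}")
    return findings

# Constructed sample records; 4111... and 5500... are well-known test numbers, not real cards
SAMPLE_RECORDS = [
    "2021-01-29T10:15:02 POS-7 auth ;4111111111111111=25121010000000000000? cvv=123 amount=42.10",
    "2021-01-29T10:15:03 POS-7 auth token=tok_8f3a9c last4=1111 amount=42.10",
    "2021-01-29T10:15:04 ORDER order_id=1234567890123456 status=ok",
    "2021-01-29T10:16:00 APP debug card=5500000000000004 exp=12/25",
]
```

Running `scan_record` over `SAMPLE_RECORDS` flags the first record (track 2 data plus a CVV) and the last (a bare PAN), while the tokenized record and the Luhn-invalid order id come back clean.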

 

4. Encrypt transmission of cardholder data across open, public networks:

 

Strong cryptography and security protocols must be used to safeguard sensitive cardholder data during transmission over open, public networks.

 

5. Use and regularly update antivirus software:

 

Antivirus software capable of detecting, removing, and protecting against all known types of malware must be used on all systems to protect them from threats, and it should be updated regularly.

 

6. Regularly update and patch systems:

 

Many security vulnerabilities are fixed by patches issued by software vendors. Organizations should establish a process to identify security vulnerabilities and rank them according to their level of risk. Relevant security patches should be installed within a month of their release to protect against cardholder data compromise.

 

7. Restrict access to cardholder data by business need to know:

Documented systems and processes should be put in place to limit access rights to critical data. Access control systems should deny all access by default, and access should be granted on a need-to-know basis and according to the clearly defined job responsibilities of authorized personnel.

 

8. Assign a unique ID to each person with computer access:

The ability to identify individual users not only ensures that system access is limited to those with the proper authorization, it also establishes an audit trail that can be analyzed following an incident. All users must be assigned a unique ID, which must be managed according to specific guidelines. Controlled user authentication management should also be implemented, and two-factor authentication must be used for remote network access.

 

9. Restrict physical access to cardholder data:

 

Electronic data breaches are not the only source of data loss; physical access to systems should also be limited and monitored using appropriate controls. Procedures should be implemented to distinguish between on-site personnel and visitors, physical access to sensitive areas should be controlled, and media holding cardholder data should be destroyed in specific ways when no longer required.

 

10. Track and monitor all access to network resources and cardholder data:

 

Secure, controlled audit trails must be implemented that link all access to system components with individual users and log their actions. An audit trail history should be retained for at least a year, with a minimum of three months of logs immediately available for analysis. Logs and security events should be regularly reviewed to identify anomalous or suspicious activity.
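
As an added example (not from the original article), this Python snippet applies the three points of Requirement 10 to a constructed audit trail: it checks that every successful action is linked to an individual user rather than a shared account, flags a source with repeated failed logins during log review, and tests the retention window. The key=value log format, the shared-account list, and the 365-day and 90-day figures (one reading of "at least a year" and "three months") are assumptions made for the example.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed audit trail lines in key=value form; not taken from any real system
AUDIT_LOG = """\
2021-01-28T02:13:44Z user=jsmith src=10.0.5.12 action=READ resource=chd_db/cards result=SUCCESS
2021-01-28T02:14:01Z user=jsmith src=10.0.5.12 action=READ resource=chd_db/cards result=SUCCESS
2021-01-28T02:20:10Z user=- src=10.0.5.40 action=LOGIN resource=chd_db result=FAILURE
2021-01-28T02:20:12Z user=- src=10.0.5.40 action=LOGIN resource=chd_db result=FAILURE
2021-01-28T02:20:15Z user=- src=10.0.5.40 action=LOGIN resource=chd_db result=FAILURE
2021-01-28T02:20:19Z user=admin src=10.0.5.40 action=LOGIN resource=chd_db result=SUCCESS
2021-01-28T02:20:30Z user=admin src=10.0.5.40 action=EXPORT resource=chd_db/cards result=SUCCESS
"""
SHARED_ACCOUNTS = {"admin", "root", "service"}   # constructed list of non-individual IDs
RETENTION_DAYS, ONLINE_DAYS = 365, 90            # "at least a year", "three months immediately available"

def parse_events(text):
    """Turn each line into a dict: the timestamp plus the key=value fields."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = ts
        events.append(ev)
    return events

def review(events, fail_threshold=3):
    """Flag successful actions not tied to an individual user, and sources with repeated failed logins."""
    findings = []
    for ev in events:
        if ev["result"] == "SUCCESS" and (ev["user"] == "-" or ev["user"] in SHARED_ACCOUNTS):
            findings.append(f"{ev['ts']} {ev['action']} on {ev['resource']} not linked to an individual (user={ev['user']})")
    failures = Counter(ev["src"] for ev in events if ev["action"] == "LOGIN" and ev["result"] == "FAILURE")
    for src, n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append(f"{n} failed logins from {src}")
    return findings

def retention_ok(oldest_retained, oldest_online, today):
    """ISO dates in; True when the archive spans a year and the searchable window spans three months."""
    r, o, t = (date.fromisoformat(d) for d in (oldest_retained, oldest_online, today))
    return t - r >= timedelta(days=RETENTION_DAYS) and t - o >= timedelta(days=ONLINE_DAYS)

EVENTS = parse_events(AUDIT_LOG)

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
    print("retention ok:", retention_ok("2020-01-01", "2020-10-01", "2021-01-29"))
```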

 

11. Regularly test security systems and processes:

 

New vulnerabilities are regularly found and exploited, so it is essential that system components, processes and custom software are regularly tested. Documented processes must be implemented to detect and identify all unauthorized wireless access points on a quarterly basis, and internal and external network vulnerability scans must be performed by qualified personnel at least quarterly.

 

12. Maintain a policy that addresses information security to comply with the PCI standard:

 

Organizations must establish, publish, maintain and disseminate a security policy, which must be reviewed at least annually and updated according to the changing risk environment. A risk assessment process must be implemented to identify threats and vulnerabilities, and a usage policy for critical technologies must be developed. Organizations must also implement an incident response plan so that they can respond immediately to any system breach.



Infographic: the 12 PCI DSS Requirements




That's all about PCI DSS Requirements, I hope the content is helpful.



Watch this video: How to achieve PCI DSS in 90 Days.





