With organizational and technical requirements, the PCI framework gives companies a strong foundation for information security, including access control measures, vulnerability management guidelines, and encryption standards. But for many businesses, PCI requirements are a challenge.
In 2022, only about 30% of organizations achieved full compliance, and the number dropped to fewer than 15% in 2023. If your company is struggling to implement PCI DSS controls, the first step is to understand the 12 main PCI compliance requirements.
Understanding PCI Requirements in Version 4.0

PCI DSS requirements protect cardholder data and keep payment account information secure. To become PCI compliant, your organization must follow six broad objectives and 12 primary requirements. These standards cover data security best practices for any business that stores, processes, or transmits payment card information.
Each of the 12 PCI requirements has several layers of subsections that clarify necessary processes and controls. Auditors take these detailed instructions into account for testing.
Following the 12 Requirements for PCI DSS Compliance
The 4.0 version of the 12 PCI DSS requirements went into effect on March 31, 2025. If your company has been using version 3.2.1 for compliance, it’s time to update. The new version contains many security improvements, such as changes to PCI DSS password requirements.
PCI Requirement 1: Install and Maintain Network Security Controls
Network security controls are essential to safeguard sensitive data and prevent unauthorized access to the cardholder data environment. Security controls must fit your organization’s network, users, and data storage systems.
The PCI DSS defines five key sections for compliance with this requirement, each covering network security controls (NSCs):
- 1.1: The organization has clearly defined NSCs, and personnel understand them.
- 1.2: The NSCs are correctly configured and maintained.
- 1.3: These controls successfully restrict access to cardholder data.
- 1.4: All connections between trusted and untrusted networks are carefully controlled.
- 1.5: Your controls effectively mitigate the risks from devices that connect to the network.
In simple terms, network security means controlling who can access your network and what data they can see. Robust security measures are the first line of defense against bad actors. NSCs include:
- Physical firewalls
- Cloud-based security platforms
- Virtual security software
- Application containerization
- Network segmentation practices
Effective NSCs block access to untrusted users from outside the network. They also control traffic within the network. They’re like the fencing, walls, and doors that keep an office building secure, both inside and out.
PCI Requirement 2: Apply Secure Configurations to All System Components
A network is only as secure as its weakest link. This PCI requirement emphasizes the importance of properly configuring network components.
According to PCI DSS, system components are “network devices, servers, computing devices, virtual components, or software … that could impact the security of cardholder data and/or sensitive authentication data.” Configuration mistakes can expose passwords or allow cyberattackers to obtain administrator privileges.
Regularly perform risk assessments of system components. Identify potential vulnerabilities and use configuration settings that mitigate the risks.
Reduce your attack surface by keeping connected devices or corporate software to a minimum. Eliminate unused permissions, login credentials, and user accounts ASAP.
PCI Requirement 3: Protect Stored Account Data
PCI DSS compliance requires organizations that process cardholder data to use strong technological and organizational safeguards. A critical requirement is to avoid storing sensitive authentication data (SAD) once any transaction is complete, including PINs, magnetic stripe or chip data, and card security codes. Storing SAD anywhere on your network is a major security violation that can carry significant PCI DSS penalties.
Even general account data, such as names and billing addresses, should be encrypted when stored. Encryption with properly managed keys, hashing, tokenization, and masking provide an additional layer of security in the event of a breach. Unless the intruder also has the encryption key, sensitive data is practically impossible to access.
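As an added illustration of the storage rules above (not code from the original article), the following Python discards SAD fields after authorization, keeps only a masked PAN (first six and last four digits) for display, and replaces the full PAN with a keyed hash for lookups. The field names, the test PAN, and the inline key are constructed; in practice the key comes from a managed key store.

```python
import hashlib
import hmac

# Field names a payment front end might hand over after authorization (constructed).
# Anything in SAD_FIELDS is sensitive authentication data and must never reach storage.
SAD_FIELDS = {"cvv", "cvv2", "pin", "pin_block", "track1", "track2", "chip_data"}


def luhn_valid(pan: str) -> bool:
    """Luhn check: sanity test that a string is a well-formed card number (13-19 digits)."""
    if not (pan.isascii() and pan.isdigit()) or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: show at most the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for lookups and duplicate detection.
    An unkeyed SHA-256 could be brute-forced over the small PAN space, so the key
    must be protected like an encryption key (assumed to live in a key store)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_for_storage(auth_fields: dict, key: bytes) -> dict:
    """Turn a post-authorization field set into what may be persisted:
    SAD dropped, full PAN replaced by its masked form and keyed reference."""
    pan = auth_fields["pan"]
    if not luhn_valid(pan):
        raise ValueError("malformed PAN")
    kept = {k: v for k, v in auth_fields.items() if k not in SAD_FIELDS and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_ref"] = pan_reference(pan, key)
    return kept


if __name__ == "__main__":
    # Constructed sample: a non-issued test PAN and a throwaway key.
    sample = {"pan": "4111111111111111", "cvv": "123", "expiry": "12/29", "name": "J. Doe"}
    print(record_for_storage(sample, b"demo-key-replace-with-managed-key"))
```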
PCI Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Cybersecurity best practices for payment processing include encrypting sensitive data in transit with 128-bit AES or an equivalent standard. Encryption is especially vital for any transactions involving primary account numbers (PAN), e.g., credit card numbers, debit cards, and card-not-present accounts.
Organizations must either encrypt PAN or use an encrypted session to transmit the data, or both. For example, e-commerce transactions can use an end-to-end encryption system or require the user to log into your secure platform.
PCI Requirement 5: Protect All Systems and Networks From Malicious Software
Many organizations install antivirus software packages, but to meet PCI requirements, these anti-malware platforms must be robust, effective, trustworthy, and appropriate for the size of your organization. Your network must have strong protection against viruses, spyware, malicious code, ransomware, dangerous scripts, and other types of malware.
A qualified professional must manage software updates. The program’s configuration should prevent unauthorized individuals from disabling updates or security features, even internal users. Similarly, corporate email settings should have anti-phishing protections, such as blocking suspicious IP addresses and scanning all attachments.
PCI Requirement 6: Develop and Maintain Secure Systems and Applications
To successfully protect sensitive data, your organization must have a cohesive framework of policies, processes, and security controls for managing vulnerabilities. This requirement focuses on developing a comprehensive list of vulnerabilities, identifying new threats quickly, and outlining preventative actions or mitigating strategies. You should also have a well-defined program for applying security patches and application updates promptly.
PCI Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need To Know
Following the principle of least privilege is one of the best ways to reduce the risk of cardholder data breaches, both from outside the network and insider threats. POLP means only granting users the minimum privileges necessary for their role. Non-admin employees can use software, for example, but not change any settings.
“Need to know” restrictions also mean limiting access to information. HR or IT employees don’t need to see any cardholder data. Low-level workers should not have access to sensitive files. Permissions for external consultants should be customized on a need-only basis.
PCI Requirement 8: Identify Users and Authenticate Access to System Components
Identification and authentication processes are vital parts of cybersecurity for all PCI DSS levels. They allow your team to control access to sensitive data and verify how individual users interact with the information. Here are a few ways to be PCI compliant:
- Give each employee or user a unique ID, and track account actions
- Only allow authorized administrators to create new accounts or manage account permissions
- Prohibit sharing accounts and credentials, and enforce the prohibition
- Require third-party service providers to have unique IDs and credentials for your business
- Enforce strong authentication with mandatory multifactor authentication
PCI DSS password guidelines have shifted to prioritizing length over complexity. Organizations are encouraged to use password managers, provided they are from reputable sources. MFA should involve a physical key or device, not an email code.
PCI Requirement 9: Restrict Physical Access to Cardholder Data
Hardware that stores cardholder data onsite is also within the scope of PCI requirements. Protecting sensitive information requires controlling who can physically access servers, hard drives, computers, and other network devices in the cardholder data environment. Examples of physical access control include user-specific keycards, security guards, and systems that log each entry into restricted areas.
PCI Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Audit logs play both a defensive and offensive role in cybersecurity. By keeping logs of user activities, access to data, system changes, and device traffic, it’s possible to detect suspicious actions and respond quickly. PCI requirement 10 helps IT teams block potentially harmful traffic, catch insider threats before they steal data, and correct vulnerabilities.
Logs are especially important after a breach. They reveal which systems and files were compromised. To comply with this PCI requirement, the security settings of audit logs must prevent unauthorized deletion or modification. Periodic log backups to secure devices further increase security.
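One way to make audit records tamper-evident, as an added example that is not part of the original article: each record carries an HMAC over its own content and the previous record's digest, so an edited or deleted record breaks the chain at that point. The events and the key are constructed; the key is assumed to be held by the log collector, and the head digest is assumed to be copied to the backup the text mentions, since the chain alone cannot detect records cut from the tail.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # digest "before" the first record

# Constructed sample events, not from a real system.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2025-01-10T09:02:13Z", "user": "alice", "action": "read", "object": "txn/4711"},
    {"ts": "2025-01-10T09:05:40Z", "user": "bob", "action": "config_change", "object": "fw"},
]


def entry_digest(prev_digest: str, entry: dict, key: bytes) -> str:
    """HMAC-SHA256 over the previous digest plus this entry in canonical JSON, so each
    record commits to everything before it (key held by the collector, assumed)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    msg = (prev_digest + "\n" + canonical).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events: list, key: bytes) -> list:
    """Seal events in order; each sealed record carries its own chained digest."""
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_digest(prev, event, key)
        chain.append({"entry": event, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain: list, key: bytes) -> tuple:
    """Recompute every digest. Returns (True, -1) if intact, else (False, index) of the
    first record that fails, which is where an edit or an in-chain deletion sits."""
    prev = GENESIS
    for i, sealed in enumerate(chain):
        if not hmac.compare_digest(entry_digest(prev, sealed["entry"], key), sealed["digest"]):
            return False, i
        prev = sealed["digest"]
    return True, -1


def head_matches(chain: list, anchored_head: str) -> bool:
    """Tail truncation leaves a valid chain; compare the head against an externally
    anchored copy (e.g. the digest recorded with the periodic backup) to catch it."""
    head = chain[-1]["digest"] if chain else GENESIS
    return hmac.compare_digest(head, anchored_head)
```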
PCI Requirement 11: Test Security of Systems and Networks Regularly

Any cybersecurity framework requires a strong risk management program, and PCI DSS is no exception. Compliance with PCI requirement 11 involves periodically assessing, prioritizing, and taking appropriate action on internal and external risks.
Best practices include continuous monitoring of CDE systems and networks, especially in critical security areas like wireless access points. Organizations need a consistent program of independent network vulnerability scans (usually quarterly) and penetration testing (annually), along with prompt corrective actions for detected issues.
PCI Requirement 12: Support Information Security With Organizational Policies and Programs
Good governance is involved in each PCI requirement, with roles, responsibilities, policies, and specific controls. PCI requirement 12 focuses on creating an organization-wide information security policy that clearly explains to all personnel what they need to do and avoid. A successful program must include PCI compliance audits, vendor management, cybersecurity awareness training, and personnel evaluations.
Implementing PCI DSS Requirements Successfully
Payment processors and gateways, SaaS developers, fintech companies, cloud service providers, and financial enterprises often have heavy PCI DSS requirements. A trusted compliance platform like Compyl can simultaneously improve and simplify your PCI DSS activities by enhancing your real-time management capabilities.
Compyl helps your team map in-scope PCI requirements to your network infrastructure and cybersecurity program. You can customize the necessary controls, automate workflows, and track compliance at a granular level. Discover the benefits of a state-of-the-art PCI compliance solution. Request a demo today.