The PCI DSS has 12 requirements, organised into six sections. Please note that this pocket guide is no substitute for obtaining your own copy of the Standard, which is freely downloadable from www.pcisecuritystandards.org/security_standards/documents.php.
PCI DSS version 1.0 was originally published in January 2005, with subsequent updates to version 1.1 in September 2006 and version 1.2 in October 2008. PCI DSS v2.0 was released on 28 October 2010, and most recently v3.0 was published on 7 November 2013.
With the release of PCI DSS v2.0, the PCI Security Standards Council introduced a new three-year lifecycle for standards development. This ensures a gradual and phased introduction of new versions, and helps to prevent organisations from becoming non-compliant when a new Standard is published.
Version 3.0 of PCI DSS introduces more flexibility in implementing the requirements, and increases the focus on education, awareness and security as a shared responsibility.
The 12 PCI DSS requirements, and the six principles under which those requirements are grouped, are as follows:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security for all personnel.