Requirements 1 & 2: Network Security and Secure Configurations
Installing and maintaining network security controls and applying secure configurations to all system components — the technical baseline that protects the CDE from unauthorized network access.
Requirement 3: Protecting Stored Account Data
The core data-protection obligation of PCI DSS: rendering stored primary account numbers unreadable through strong cryptography, truncation, index tokenization, or keyed cryptographic hashing, and the prohibition on storing sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) after authorization, even in encrypted form, outside the narrow issuer exception.
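The entry above names truncation, tokenization and hashing without showing how they differ in practice. The following is an added illustration written for this page, not code from the page, from the PCI SSC, or from any listed resource. It shows a Luhn check, masking for display, truncation for storage (the 6-digit BIN and last four, the commonly permitted display format), a keyed hash for PAN lookup, and a scrub step that drops sensitive authentication data fields before a record is persisted. The field names (`pan`, `cvv2`, `track2`, `pin_block`) and the demo key are assumptions made up for the example.

```python
import hashlib
import hmac
import re

# Field names assumed for this example. Real authorization messages vary by
# processor, so the SAD list must be mapped to the actual schema in use.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Demo key only. A production key lives in an HSM or key-management service
# and is rotated under Requirement 3.7; never hard-code it.
DEMO_HMAC_KEY = b"example-key-do-not-use-in-production-32b"


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    digits = [int(c) for c in normalize_pan(pan)]
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking for display: hide middle digits but keep the PAN's length.
    Masking is a display control (Req 3.4); the full PAN still exists behind it."""
    p = normalize_pan(pan)
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def truncate_pan(pan: str) -> dict:
    """Truncation for storage: the middle digits are permanently discarded,
    so the full PAN cannot be recovered from the stored value."""
    p = normalize_pan(pan)
    return {"bin": p[:6], "last4": p[-4:]}


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for lookups. An unkeyed hash of a PAN is
    reversible by brute force because the BIN and Luhn digit leave too little
    entropy, which is why v4.0 requires the hash to be keyed."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def scrub_for_storage(record: dict, key: bytes) -> dict:
    """Produce the only form of the record that may be written to disk:
    SAD removed, full PAN replaced by truncated digits plus a keyed hash."""
    out = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    pan = out.pop("pan")
    out.update(truncate_pan(pan))
    out["pan_hmac"] = keyed_pan_hash(pan, key)
    return out


if __name__ == "__main__":
    # Constructed sample authorization record (4111... is a test number).
    txn = {"pan": "4111 1111 1111 1111", "cvv2": "123", "track2": "4111111111111111=2512101",
           "amount": "19.99", "auth_code": "A1B2C3"}
    assert luhn_valid(txn["pan"])
    print(mask_pan(txn["pan"]))
    print(scrub_for_storage(txn, DEMO_HMAC_KEY))
```

Two points the code embodies: masking is a presentation control and must not be mistaken for truncation, and a truncated value and a keyed hash of the same PAN should not sit together in a way that lets them be correlated to rebuild the PAN, which is the caveat PCI DSS attaches to hashing.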
Requirement 4: Protecting Cardholder Data in Transit
Protecting cardholder data with strong cryptography whenever it crosses open, public networks: TLS version and cipher configuration, certificate validation and management, and the prohibition on sending unprotected PANs over end-user messaging technologies such as email, chat, or SMS.
Requirements 5 & 6: Vulnerability Management
Protecting systems against malware and developing secure systems and software: anti-malware deployment, patch management, secure development practices, and the requirement that public-facing web applications be protected by an automated technical solution such as a web application firewall.
Requirement 7: Restricting Access to System Components and Cardholder Data
The least-privilege and need-to-know access control requirements: role-based access control, documented approval of access, periodic access reviews, and an access control system that enforces the authorized permissions on every CDE component, denying by default.
Requirement 8: Identifying Users and Authenticating Access
Unique user IDs, multi-factor authentication for all access into the CDE, password and passphrase policy, management of system and application accounts, and the expanded MFA requirements introduced in PCI DSS v4.0.
Requirement 9: Restricting Physical Access to Cardholder Data
Physical security controls for the CDE — physical access restrictions to sensitive areas, visitor management, media protection, and Point of Interaction device security against tampering and skimming.
Requirements 10 & 11: Logging, Monitoring, and Security Testing
Logging all access to system components and cardholder data, protecting log integrity, quarterly external vulnerability scans by an Approved Scanning Vendor, annual penetration testing, and the payment page change- and tamper-detection requirement new in PCI DSS v4.0.
Requirement 12: Supporting Information Security with Organizational Policies
The governance and organizational requirement — information security policy, risk assessment, the Targeted Risk Analysis, security awareness training, vendor management, and incident response planning.