Payment Card Industry (PCI) Data Security Standard

Requirements and Security Assessment Procedures

(version 3.1, April 2015)

PCI Data Security Standard — High Level Overview

Six goals, twelve requirements:

Goal                                             PCI DSS Requirements

Build and Maintain a Secure Network and Systems
    1.  Install and maintain a firewall configuration to protect cardholder data
    2.  Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3.  Protect stored cardholder data
    4.  Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5.  Protect all systems against malware and regularly update anti-virus software or programs
    6.  Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7.  Restrict access to cardholder data by business need to know
    8.  Identify and authenticate access to system components
    9.  Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It also applies to any other entity that stores, processes, or transmits cardholder data (CHD) and/or sensitive authentication data (SAD). The chart above is a high-level overview of the 12 PCI DSS requirements grouped under their six goals.

This document, PCI Data Security Standard Requirements and Security Assessment Procedures, combines the 12 PCI DSS requirements and their corresponding testing procedures into a single security assessment tool. It is designed for use during PCI DSS compliance assessments as part of an entity's validation process. The requirement sections provide detailed guidelines and best practices to assist entities in preparing for, conducting, and reporting the results of a PCI DSS assessment.

PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.