

If your organization collects, processes, stores or transmits credit card data, then it needs to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). The standard is developed and maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB).
The PCI DSS includes twelve requirements, split across six categories:
Build and maintain a secure network and systems
1. Install and maintain network security controls – This requirement is all about having sufficient network security controls in place. It involves implementing controls like firewalls and intrusion detection systems (IDSs), configuring them, and controlling access between trusted and untrusted networks.
2. Apply secure configurations to all system components – This essentially involves establishing secure baseline configurations on your systems. It includes things like disabling unnecessary features, changing default passwords, removing old accounts, and other tactics to reduce the attack surface.
Protect account data
3. Protect stored account data – Protecting account data involves a range of practices, including:
- Minimizing the amount of account data that is collected and stored, and retaining it no longer than the business needs it.
- Masking the primary account number (PAN) when it is displayed, so that only the digits needed for the task (at most the BIN and the last four digits) are shown.
- Rendering any stored PAN unreadable, for example with truncation, tokenization, strong encryption or a keyed one-way hash of the entire PAN.
- Never storing sensitive authentication data (full track data, card verification codes, PINs) after authorization.
- Securing the cryptographic keys used to protect this data, including restricting who can access them.
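The three practices above that can be applied mechanically (finding stray PANs so they can be minimized, masking a PAN for display, and rendering a stored PAN unreadable with a keyed hash) are shown below as an added Python example; it is not code from the original article or from the PCI Security Standards Council. The log lines are constructed and the two valid-looking PANs are the publicly known Visa and Mastercard test numbers, not real cards; the HMAC key is a placeholder that a real deployment would fetch from a key-management system or HSM rather than embed in code.

```python
import hashlib
import hmac
import re

# Constructed sample input: an application log that leaked two PANs.
# 4111... and 5555... are well-known card-brand test numbers (they pass the
# Luhn check); 1234567890123456 is 16 digits but fails Luhn, so it is noise.
SAMPLE_LOG = """\
2024-05-01 order=1001 pan=4111111111111111 amount=19.99
2024-05-01 order=1002 pan=5555555555554444 amount=5.00
2024-05-01 order=1003 ref=1234567890123456 amount=7.50
"""

# Placeholder key for the example only; never hard-code a real hashing key.
DEMO_HMAC_KEY = b"replace-with-key-from-kms-or-hsm"

# Candidate PANs are 13 to 19 digits bounded by non-digits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Data discovery: return every Luhn-valid PAN candidate found in text."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping only the BIN and the last four digits."""
    if len(pan) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def pan_token(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed hash of the whole PAN.

    An unkeyed SHA-256 would be trivially reversible by brute force because the
    PAN space is small; the secret key is what makes the digest safe to store.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_log(text: str) -> str:
    """Replace every Luhn-valid PAN in a log with its masked form."""
    def repl(m):
        s = m.group(0)
        return mask_pan(s) if luhn_ok(s) else s
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(mask_pan(pan), pan_token(pan, DEMO_HMAC_KEY))
    print(redact_log(SAMPLE_LOG))
```

Run against a real log store, the discovery step tells you where cardholder data has leaked into places it should never be (the minimization practice); the masking step is what a call-centre screen or support ticket should show; and the keyed hash is the form a lookup table can keep when the full PAN is not needed, with the key protected under the same key-management controls as an encryption key.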
4. Protect cardholder data with strong cryptography during transmission over open, public networks – This requirement specifies that account numbers and other critical data must be encrypted when sent over public and untrusted networks. Your organization needs to ensure that it is following cryptographic best practices to minimize the chances of attackers being able to access the data.
Maintain a vulnerability management program
5. Protect all systems and networks from malicious software – To protect systems from malware, you need to be running anti-malware solutions and ensure that they are appropriately configured and updated. Training employees about the dangers of phishing and how to spot an attack is also critical, because this is a key vector for the introduction of malware.
6. Develop and maintain secure systems and software – Promptly patching systems is a critical aspect of keeping them secure. When developing software, you should consider security throughout the entirety of the software development lifecycle.
Implement strong access control measures
7. Restrict access to system components and cardholder data by business need to know – This involves restricting access so that employees can only access the data that they need for their tasks and nothing else.
8. Identify users and authenticate access to system components – When a user attempts to log in, the system needs to identify which unique user they are. The user also must authenticate themselves to prove that they are actually the user that they claim to be. We generally accomplish identification through usernames, while authentication is performed through things like passwords, biometrics, one-time passwords (OTPs) and hardware tokens.
9. Restrict physical access to cardholder data – This requirement stipulates that we must physically keep unauthorized individuals from accessing this sensitive data. We accomplish it by storing cardholder data in protected areas where personnel must authenticate to gain entry.
Regularly monitor and test networks
10. Log and monitor all access to system components and cardholder data – Logging is a critical aspect of security because it allows us to reconstruct what happened and track who performed a malicious action, and it also acts as a deterrent: if an attacker expects that logging is in place, they know that it increases their chances of being caught. For the logs to be trustworthy they need accurate, synchronized timestamps, protection from tampering, and regular review so that suspicious activity is actually noticed.
11. Test security of systems and networks regularly – If we want our systems to remain secure over time, then they need to be frequently tested. New software is constantly being introduced and the threat landscape is always changing, so we must test frequently to ensure that our defences are still functioning appropriately.
Maintain an information security policy
12. Support information security with organizational practices and policies – Security policies establish the security culture of an organization. They also notify employees of what is expected of them. Your organization should have a range of policies for the different aspects of security, as well as an overarching security policy that ties it all together.
