What Are the 13 Requirements for PCI DSS 3.2 2016 Compliance?

Navigating PCI DSS: Understanding the Intent of the Requirements, PCI DSS v3.2 

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers

There are Six Steps to Achieving PCI Compliance - Facilitated Compliance Management Approach, along with partner programs PeepSafeTM, TripwireTM, Archer eGRCTM, and a range of qualified QSA (Qualified Security Assessors), are ready to step you through every one.

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain a Vulnerability Management Program
  • Maintain an Information Security Policy
FCM Maps PCI, CobiT, ISO 27001, NIST, COSO, FISCAM

Facilitated Compliance Management approach is to use the Policy Mapping, Control Self Assessment, CMDB and RunBook methodologies.  For a Robust GRC, we suggest Archer eGRC, Cavirin ARAP, or Metric Stream plus a variety of API integrated network management and monitoring tools.

Customers often worry that their ISMS program, their FedRamp program, or other areas of their regulatory requirements are creating redundant conflicting operations tasks.   We worry too.  That's why we carefully maintain mapping over all of these standards.

PCI32AuditOnceComplyMany