PCI DSS was originally developed by MasterCard and Visa through an alignment of security requirements contained in their respective programs to secure ecommerce: the Site Data Protection for MasterCard and the Cardholder Information Security Plan (CISP) for VISA US.

PCI DSS adopts a top down approach. It starts with six high level "goals": a confusing terminology as the unique goal of the program is to protect cardholder data while transmitted, processed and stored by an entity. I would prefer calling them sections or domains. Those “goals” are then mapped against 12 requirements that each subdivide into more granular requirements. Each requirement comes with a set of corresponding testing procedures.

So thinking that PCI DSS compliance is just about implementing 12 requirements is inaccurate. There are more than 200 specific requirements.

The schema below depicts the combination of the two first layers of requirements:


The six goals, sections or domains are:

G1: Build and maintain a secure network

G2: Protect cardholder data

G3: Maintain a vulnerability management program

G4: Implement strong access control

G5: Regularly monitor and test networks

G6: Maintain an information security policy

High level requirements

The 12 high level requirements are:

R1: Install and maintain a firewall configuration to protect cardholder data

R2: Don't use vendor-supplied defaults for system passwords and other security parameters

R3: Protect stored cardholder data

R4: Encrypt transmission of cardholder data across open, public networks

R5: Use and regularly update anti-virus software

R6: Develop and maintain secure systems and applications

R7: Restrict access to cardholder data by business need-to-know

R8: Assign a unique ID to each person with computer access

R9: Restrict physical access to cardholder data

R10: Track and monitor all access to network resources and cardholder data

R11: Regularly test security systems and processes

R12: Maintain a policy that addresses information security

Side Notes:

1.    Why 6 domains and 12 requirements? Actually the MasterCard SDP and Visa CISP programs consisted respectively of 12 and 6 requirements. As both wanted to keep their numbering they reached a compromise. So the current structure of the PCI DSS is the end result of a compromise

2.    Are all requirements relevant for my organization? No, the relevance of requirements for your organization depends on your “type” (see PCI newsletter #5).


The PCI DSS V2: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf