PCI DSS was originally developed by MasterCard and Visa through an alignment of security requirements contained in their respective programs to secure ecommerce: the Site Data Protection for MasterCard and the Cardholder Information Security Plan (CISP) for VISA US.
PCI DSS adopts a top down approach. It starts with six high level "goals": a confusing terminology as the unique goal of the program is to protect cardholder data while transmitted, processed and stored by an entity. I would prefer calling them sections or domains. Those “goals” are then mapped against 12 requirements that each subdivide into more granular requirements. Each requirement comes with a set of corresponding testing procedures.
So thinking that PCI DSS compliance is just about implementing 12 requirements is inaccurate. There are more than 200 specific requirements.
The schema below depicts the combination of the two first layers of requirements:
The six goals, sections or domains are:
G1: Build and maintain a secure network
G2: Protect cardholder data
G3: Maintain a vulnerability management program
G4: Implement strong access control
G5: Regularly monitor and test networks
G6: Maintain an information security policy
High level requirements
The 12 high level requirements are:
R1: Install and maintain a firewall configuration to protect cardholder data
R2: Don't use vendor-supplied defaults for system passwords and other security parameters
R3: Protect stored cardholder data
R4: Encrypt transmission of cardholder data across open, public networks
R5: Use and regularly update anti-virus software
R6: Develop and maintain secure systems and applications
R7: Restrict access to cardholder data by business need-to-know
R8: Assign a unique ID to each person with computer access
R9: Restrict physical access to cardholder data
R10: Track and monitor all access to network resources and cardholder data
R11: Regularly test security systems and processes
R12: Maintain a policy that addresses information security
1. Why 6 domains and 12 requirements? Actually the MasterCard SDP and Visa CISP programs consisted respectively of 12 and 6 requirements. As both wanted to keep their numbering they reached a compromise. So the current structure of the PCI DSS is the end result of a compromise
2. Are all requirements relevant for my organization? No, the relevance of requirements for your organization depends on your “type” (see PCI newsletter #5).
The PCI DSS V2: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf