HSM as a service

PCI DSS requirements for building and maintaining a secure network and systems

When building and then subsequently maintaining a secure payment network, the Payment Card Industry Data Security Standard (PCI DSS) recommends that 12 security requirements be met to secure payment data.

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to promote and improve cardholder data security and facilitate the adoption of a standard for global data security measures. At its core, PCI DSS represents a baseline for technical and operational requirements with the goal of protecting account data. This standard applies to all entities that are involved in payment card processing, including: merchants, processors, acquirers, issuers and service providers. It also applies to entities that store, process or transmit cardholder data or sensitive authentication data (SAD). The following 12 requirements are needed for building and maintaining a secure network

#1. Installing and maintaining a firewall configuration to protect cardholder data

A firewall is a piece of hardware that controls all network traffic between an entity’s internal network(s) and untrusted networks (external). Additionally, it monitors traffic in and out of more sensitive areas, such as a cardholder data environment within an entity’s internal trusted networks. As the firewall analyzes network traffic, it blocks transmissions that do not meet its specified security criteria. This protects the entity’s systems from unauthorized access from untrusted networks that could maliciously attempt to access cardholder data.

#2. Changing vendor-supplied defaults for system passwords and other security parameters

Whether it is hardware or software, vendor-supplied default passwords should always be changed, and unnecessary default accounts should be disabled before installing on the network. Leaving these default passwords makes the network vulnerable. Because they can be easily be found online and are well known throughout hacker communities, these passwords can be used by malicious individuals to gain unauthorized access to networks. This includes but is not limited to default passwords on operating systems, POS terminals and on security service software.

#3. Protecting stored cardholder data

Stored cardholder data should be protected with encryption, hashing, masking and truncation. However, instituting data retention and disposal policies helps reduce the amount of cardholder data held, thus minimizing risk by not holding onto data unless it is absolutely necessary.

#4. Encrypting transmission of cardholder data over open, public networks

Strong cryptography and security protocols are needed to protect sensitive cardholder data as it is transmitted over open, pubic networks, including the internet, wireless networks and cellular networks.

Using trusted keys and certificates reduces risk of cardholder data being exploited by malicious individuals.

#5. Protecting all systems against malware and performing regular updates of anti-virus software

All personal computers, services and other devices that can be affected by malware should always be protected with anti-virus software. Supplementing this software with anti-malware solutions helps increases the level protection against malicious software that can access systems via internet use, email, mobile devices or storage devices. Because vulnerabilities and exploits continually evolve, anti-virus and anti-malware needs to be continually updated, always be running to maintain protection and periodic scans run.

#6. Developing and maintaining secure systems and applications

Vulnerabilities in systems and applications allow unscrupulous individuals to take advantage of systems. A process should be established to identify security vulnerabilities and rank them according to risk to systems. Vendor security patches should be installed to fix vulnerabilities and prevent exploitation and compromise of cardholder data. However, before installing patches, they should be evaluated to ensure they do not interfere with existing security configurations.

#7. Restricting access to cardholder data to only authorized personnel

Only authorized personnel should have access to cardholder data. Systems and processes are required to restrict access to cardholder data and its associated system components to a “need to know” basis to appropriate personnel. When applying privileges to access cardholder data, the least number of privileges needed for each role to perform job responsibilities should be given.

#8. Identifying and authenticating access to system components

A unique identification (ID) should be assigned to each individual who is given access to system components. This ensures that each individual can be held uniquely accountable for their actions during their access to critical data and systems because they can be traced back to the them. Terminated users should have their access immediately revoked along with any inactive user accounts. The authentication process should limit repeated access attempts by locking out a user ID after six failed attempts.

#9. Restricting physical access to cardholder data

Physical access to cardholder data or systems that hold this data needs to be restricted. This prevents individuals from accessing data or the devices used to store data and minimizes the possibility of systems being removed or hard-copies of data being made. Appropriate facility entry controls, including access control mechanisms and/or video cameras should be used to monitor individual physical access to areas such as data centers, server rooms or other areas where cardholder data is stored, processed or transmitted. Collected data from entry controls should be reviewed regularly and kept for at least three months or as required by law.

#10. Tracking and monitoring all access to cardholder data and network resources

Logging mechanisms are needed to track user activities that are critical in preventing, detecting or minimizing the impact of data breaches. The logs produced will allows for the thorough tracking, alerting and analysis needed to determine the cause of a compromise. The automated audit trails should link access to all system components to each individual user and will allow for the reconstruction of events leading to the compromise.

#11. Testing security systems and processes regularly

The evolution of new vulnerabilities is constant. The implementation of processes for testing system components, processes and software needs to occur on at least a quarterly basis. This includes testing for wireless access points to detect and identify unauthorized and authorized points. At a minimum, internal and external network vulnerability scans should be run each quarter or whenever a new system component is installed, products are upgraded, modifications are made to firewalls or changes have been made in the network topology.

#12. Maintaining an information security policy for all personnel

Implementing a strong security policy requires adoption from the top down within the corporate structure. This policy should make personnel aware of the sensitivity of cardholder data and what is expected of them with their responsibility in protecting it from being compromised. The information security policy should be reviewed at least once a year and updated as needed based on current environmental vulnerabilities.


Identify theft from security breaches involving sensitive payment cardholder data continues to grow. By strictly adhering to the 12 requirements put forth in the PCI DSS when building or maintaining a secure payment network/system, the risk of cardholder data becoming compromised is greatly minimized.


Blog post by Paul Abraham

About the author

Dawn M. Turner is a professional author with a passion for technical regulations and standards, as well as for their relevance and impact on corporate operations and industry in general. Dawn has more than 10 years of IT industry experience in hardware, programming & systems & network engineering. Her educational background includes a Certificate in computer operations & programming, CompTIA and Microsoft certifications, including A+, MCSE and MCP, Associates degree with major in business & minor in computer science, Bachelors of Science degree with major in business forensics & minor in accounting and an MBA with concentrations in finance & economics.

To find more blog posts related with below topics, click on one of the keywords:

Wie können wir Ihnen helfen?

Sprechen Sie mit einem unserer Spezialisten und erfahren Sie, wie Utimaco Sie unterstützen kann.