The PCI DSS is made up of 12 requirements. Each requirement has several sub-requirements. The DSS is written to provide guidance for both companies and assessors. Each requirement contains the following.
Overall, the PCI DSS is very detailed and explicit for companies that are assessed against it and for assessors performing PCI assessments.
The 12 requirements are listed below under their PCI-assigned categories.
Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
If organizations are unable to meet any of the above requirements because of “legitimate technical or documented business constraints”, they can implement compensating controls that mitigate the risk of not addressing the DSS requirements. Like the DSS requirements themselves, these compensating controls need to be evaluated on an annual basis.
The PCI DSS is the core of PCI. The requirements you need to meet are determined by your entity type and level.
If you want to learn more about the PCI DSS, our PCI DSS In-Depth course goes into detail about each of the 12 requirements in the DSS.