Payment Card Industry Data Security Standard v4.0
Global standard for organizations that handle cardholder data. 12 requirements covering network security, data protection, access control, and monitoring.
Restrict inbound traffic to system components in the CDE
Inbound traffic to the cardholder data environment must be restricted to only necessary connections.
Remove vendor-supplied defaults
Vendor-supplied defaults for system passwords and security parameters must be changed.
Render cardholder data unreadable
Stored cardholder data must be rendered unreadable (encryption, hashing, truncation).
Use strong cryptography to protect data in transit
Strong cryptography must be used whenever cardholder data is transmitted over open networks.
MFA for all administrative access
Multi-factor authentication is required for all non-console administrative access into the CDE.
Audit trails for all system components
All access to system components and cardholder data must be logged.
Network Security Control Configuration
Network security control (NSC) configurations are defined, reviewed, and maintained — including approved network services, port whitelists, and protocols.
Connections Between Trusted and Untrusted Networks
Connections between the CDE and untrusted networks (internet, corporate network) must be controlled via firewalls/WAFs with documented business need.
System Configuration Standards
System components within the CDE must be configured per industry-accepted hardening standards (CIS benchmarks, vendor security guides).
PAN Protection
Primary Account Number (PAN) must be protected wherever stored using strong cryptography (encryption, truncation, tokenization, or hashing).
Key Management Lifecycle
Cryptographic keys used to protect cardholder data must be managed throughout their lifecycle: generation, distribution, storage, rotation, revocation, destruction.
PAN Encryption Over Open Networks
Strong cryptography (TLS 1.2+) must protect PAN whenever transmitted over open, public networks.
Anti-Malware Coverage
Anti-malware mechanisms must be deployed on all system components commonly affected by malicious software, kept current, and actively running.
Security Patching
Critical security patches must be installed within one month of release; other applicable security patches within 3 months.
Identify Security Vulnerabilities
Vulnerabilities in CDE systems must be identified and ranked by severity using a vulnerability ranking process (e.g., NVD CVSS).
Public-Facing Web Application Protection
Public-facing web applications must be protected against known attacks either by a WAF or by comprehensive application testing performed at least annually and after any change.
Access Control System
Access to system components and cardholder data must be controlled via a documented role-based access control (RBAC) system.
Strong Authentication
Authentication to system components in the CDE must use strong methods: minimum 12-char passwords, complexity requirements, MFA for all user access.
Service Account Authentication
Service accounts in the CDE must use unique credentials (no sharing), managed centrally, with documented rotation cadence.
Time Synchronization
Time synchronization must be implemented across all system components to ensure consistent timestamps in audit logs.
Log Retention
Audit logs must be retained for at least 1 year, with 3 months immediately available for analysis.
Log Review and Anomaly Detection
Audit logs must be reviewed at least daily for anomalies; mechanisms must detect log delivery failures.
Internal Penetration Testing
Internal penetration testing must be performed at least annually and after any significant change.
External Vulnerability Scans
External vulnerability scans must be performed quarterly by an Approved Scanning Vendor (ASV) for organizations subject to PCI Validation.
Security Awareness Program
Implement a formal security awareness program to make personnel aware of cardholder data protection requirements.
Incident Response Plan
Implement an incident response plan to respond to suspected or confirmed cardholder data security incidents.
Physical Access Restriction
Use appropriate facility entry controls to limit and monitor physical access to systems in the CDE.