PCI DSS defines 6 objectives for securing credit card data, which are covered by 12 technical requirements shown below.

Build and Maintain a Secure Network and systems	1 2	Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data	3 4	Protect stored cardholder data. Encrypt transmissions of cardholder data across open, public networks.
Maintain Vulnerability Management Program	5 6	Protect all systems against malware and regularly update anti-virus software or programs. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures	7 8 9	Restrict access to cardholder data by business need to know. Identify and authenticate access to system components. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks	10 11	Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Maintain and Information Security Policy	12	Maintain a policy that addresses information security for all personnel.

 

To achieve compliance, PCI DSS requires at least quarterly external and internal vulnerability scans and yearly external and internal penetration tests. Based on type of solution (i.e. no internal CDE infrastructure), some tests might not be applicable).

Based on the number of payment card transactions, it is also required to perform yearly on-site QSA audits (more than 1 million transactions per year) or fulfill self-assessment questionnaires (SAQ). Details are given below.

Category		Criteria		Requirements
Level 1	→	Any merchant having more tha six million transactions annually Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise	→	Annual Onsite Assessment conducted by a QSA Quarterly External Network Scan conducted by an ASV
Level 2	→	Any merchant with more than one million but less than or equal to six million transactions annually	→	Annual Self-Assessment (SAQ) conducted by accredited ISA internal auditor or Annual Onsite Assessment conducted by a QSA Quarterly External Network Scan conducted by an ASV
Level 3	→	Any merchant with more than 20,000 but less than or equal to one million e-commerce transactions annually	→	Annual Self-Assessment (SAQ) Quarterly External Network Scan conducted by an ASV
Level 4	→	All other merchants	→	Annual Self-Assessment (SAQ) Quarterly External Network Scan conducted by an ASV

Scope

Systems that store, process or transmit cardholder data are part of the CDE, or cardholder data environment, and are therefore in scope. However, PCI DSS scope is not limited to just the CDE. Systems with a connection to the CDE must also be included in scope to ensure that appropriate security controls are in place to prevent an attacker using the connected system to gain access to the CDE, and thus to cardholder data.
There are also other types of systems that need to be included in the scope, such as: systems providing security services to the CDE, systems that provide or facilitate segmentation between the CDE and any out-of-scope networks, and, generally, any other system that has the ability to directly impact the security of the CDE or of cardholder data.

Vulnerability scans (ASV)

Vulnerability scans identify known vulnerabilities and issues in security configuration on the system and service level. External vulnerability scans must be performed by an accredited ASV company (Approved Scanning Vendor).
Scanning results are presented according to ASV Program Guide requirements. The following PCI severity levels are used to categorize the vulnerabilities and to determine compliance status:

CVSS Score	Severity Level	Scan Results	Guidance
7.0 through 10.0	High	Fail	To achieve a passing scan, these vulnerabilities must be corrected and the affected systems must be re-scanned after the corrections (with a report that shows a passing scan). Organizations should take a risk-based approach to correct these types of vulnerabilities, starting with the most critical (rated 10.0), then those rated 9, followed by those rated 8, 7, etc., until all vulnerabilities rated 4.0 through 10.0 are corrected.
4.0 through 6.9	Medium	Fail
0.0 through 3.9	Low	Pass	While passing scan results can be achieved with vulnerabilities rated 0.0 through 3.9, organizations are encouraged, but not required, to correct these vulnerabilities.

During the reconnaissance phase, public services and likely operating systems are identified. As a general rule, all unnecessary services should be disabled, and only necessary public services should be allowed through a firewall or other filtering device and visible from the internet.
Vulnerability details give detailed explanations of found vulnerabilities and proposed measures for vulnerability risk mitigation. Where applicable, vulnerability evidence is provided as well.

Penetration tests

A penetration test differs from a vulnerability scan, as a penetration test is an active process that includes exploiting identified vulnerabilities. The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This is a highly manual process and requires significantly more time.
According to PCI DSS requirements, the following activities are performed:

• Testing external and internal network infrastructure
• Testing the adequacy of segmentation and other mechanisms to reduce the scope
• Tests include active network equipment and operating systems
• Special attention is required for known attacks and exploits in the last 12 months

The following systems and services are part of the testing:

Host Discovery	Web Servers	Other Applications
Service Discovery	Application Server	Common Services
OS and Service	Common Web Scripts	Wireless Access Points
Fingerprinting	Built-in Accounts	Backdoors
Firewalls and Routers	DNS Servers	SSL/TLS
Operating Systems	Mail Servers	Remote Access
Database Servers	Web Applications	Point-of-sale (POS) Software

Assessment can utilize sampling principle if all representative network segments and equipment of CDE infrastructure is included in the scope.

Gap analysis / QSA audit

Gap analysis is used to identify deviations from the PCI DSS requirements. The assessors help the organization to identify all areas of non-compliance and offer recommendations to help meet the requirements. The outcome of the gap analysis is also the determination of the scope of the infrastructure that is subject to the PCI DSS requirements.
The audit is carried out by accredited QSA professionals (Qualified Security Assessors). An assessor determines whether the organization has met the PCI DSS 12 requirements, either directly or through a control that provides a level of security that is similar to the requirement. It includes a thorough review of the infrastructure that is subject to the PCI DSS requirements and concludes with a Report of Compliance (RoC). An example of an audit plan is given below.

Security policy and procedures to protect IT infrastructure:

• information security policy, risk analysis, incidents – Requirement 11, 12

Information system review and management:

• Inventory of information systems and components – Requirement 8
• default passwords and other vendor defaults – Requirement 2
• secure configuration best practices
• protect cardholder data (PAN, SAD) – Requirement 3

Information system review and management:

• protect cardholder data during the transfer on public networks – Requirement 4
• strong encryption protocols and algorithms – Requirement 4
• secure implementation of wireless networks – Requirement 4
• secure remote administration – Requirement 4

Information system review and management:

• firewall (traffic between internal and public segment and other zones of CDE environment) – Requirement 1
• access control and restrictions – Requirement 7

Protection of IT infrastructure:

• antivirus protection, intrusion detection, and prevention (IPS, IDS) – Requirement 5
• regularly update protection systems (vulnerability management) – Requirement 5
• audit logs – Requirement 10

Develop and maintain secure systems and applications:

• secure development (managing bugs in source code) – Requirement 6
• Restrict access to cardholder data – Requirement 7

Identification and authentication:

• giving access to information resources – Requirement 8

Physical access control :

• access to premises and information infrastructure – Requirement 9
• security screening of personnel – Requirement 12