
PCI DSS has 12 high-level requirements and 300+ sub-requirements.

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software and programs.
  6. Develop and maintain secure systems and applications (application hardening, OS hardening, network hardening).

Implement strong access control measures
  7. Restrict access to cardholder data on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy
  12. Maintain a policy that addresses information security.

The six goals above are the core pillars of the defense-in-depth approach PCI DSS takes to managing and protecting card data. Any company that stores or processes card data must comply with this standard; compliance is mandated by the card schemes. The 12 high-level requirements break down into 300+ sub-requirements that define the testing procedures and the reporting structure.

The process of PCI DSS starts from the following:
