12 PCI DSS Requirements and Practical Steps to Compliance

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of twelve technical and operational requirements designed to protect cardholder data and prevent payment card fraud.

These requirements are organized into six overarching principles: building and maintaining a secure network, protecting account data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

First introduced in 2004, PCI DSS applies to all entities involved in payment card environments, including merchants, processors, acquirers, issuers, and service providers handling cardholder data for the major credit card schemes.

This is part of a series of articles about PCI DSS compliance.

The 12 PCI DSS Requirements and Best Practices for Compliance

The PCI DSS framework is built on 12 foundational requirements to create a layered security approach for payment card data environments. These requirements encompass everything from network and system security to policy and staff training, forming a coherent structure to reduce risk from multiple angles.

Each requirement is broad but underpinned by specific sub-controls and detailed guidance. Collectively, they address technical exposures, operational weaknesses, and human factors in payment environments. The following sections break down each requirement, explaining its intent, core controls, and significance for PCI DSS compliance.

Requirement 1: Network Security Controls and Firewalls

This requirement mandates that organizations install, configure, and maintain network security controls, such as firewalls or equivalent technologies, to protect cardholder data environments from unauthorized access and external threats. The goal is to create physical and logical segmentation between public networks (such as the Internet) and systems that store or process cardholder data.

Best practices for compliance:

  • Deploy firewalls or equivalent network security controls at all perimeter and internal boundaries
  • Define and document rules for allowed and denied traffic
  • Restrict inbound and outbound access to only what is necessary for business operations
  • Regularly review and test firewall and router configurations
  • Maintain up-to-date network diagrams and data flow diagrams
  • Segment cardholder data environment (CDE) from untrusted networks
  • Secure wireless networks with encryption and strong authentication

Requirement 2: Secure Configurations and No Vendor Defaults

Organizations must avoid using default passwords, security parameters, or settings on any system components within the cardholder data environment. Default settings are widely known and easily exploitable, so all devices, systems, and applications must be hardened using secure configurations tailored to the organization’s risks and operational requirements.

Best practices for compliance:

  • Change all vendor-supplied defaults before system installation
  • Disable or remove unnecessary services and accounts
  • Use configuration standards based on industry best practices (e.g., CIS Benchmarks)
  • Regularly review and validate secure configuration baselines
  • Apply configuration management tools to enforce consistent hardening
  • Limit administrative access and require secure authentication for management interfaces

Requirement 3: Protecting Stored Cardholder Data

This requirement focuses on minimizing the storage of cardholder data and ensuring that if it must be retained, it is rendered unreadable to unauthorized individuals. Controls include strong encryption of all stored cardholder data, truncation and masking of primary account numbers (PAN), and strict processes for data retention and deletion. Only entities with valid business needs may store cardholder information, and data must be disposed of securely when no longer required.

Best practices for compliance:

  • Minimize data storage to the least amount necessary for business
  • Use strong cryptography (e.g., AES-256) to encrypt stored cardholder data
  • Mask PAN when displayed (e.g., show only last 4 digits)
  • Document and enforce retention and disposal policies
  • Store encryption keys securely and separate from encrypted data
  • Monitor access to sensitive data and encryption systems
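The controls listed for Requirement 3 (minimize storage, truncate or mask the PAN, keyed one-way tokens, keys held apart from the data) translate directly into a small set of helper functions. The following Python is an added illustration written for this article, not code from the article or from Radware; the key variable, the function names and the 16-digit test numbers are constructed for the example, and the Luhn check is used only to tell a PAN-shaped digit run apart from an ordinary order number before it is masked.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical token key (constructed for the example). In a real deployment the key is
# generated and held in a key-management system or HSM, separate from the datastore
# that holds the tokens, as Requirement 3 expects.
TOKEN_KEY = secrets.token_bytes(32)

PAN_RE = re.compile(r"\d{12,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: a cheap way to tell a PAN-shaped digit run from an order number."""
    if not PAN_RE.fullmatch(digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """For display: hide everything but the last four digits."""
    if not luhn_valid(pan):
        raise ValueError("value does not look like a PAN")
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """For storage where only a reference is needed: keep the last four, discard the rest.
    Unlike masking, the discarded digits never reach the datastore."""
    if not luhn_valid(pan):
        raise ValueError("value does not look like a PAN")
    return pan[-4:]


def index_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token (HMAC-SHA-256) so records can be matched without storing the PAN.
    An unkeyed hash would be brute-forceable because the space of valid PANs is small."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Scrub Luhn-valid PANs from free text (log lines, error messages) before it is written,
    leaving other long digit runs such as order numbers untouched."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text
    )


if __name__ == "__main__":
    sample = "card 4111111111111111 declined, order 123456789012"  # constructed line
    print(redact_pans(sample))
    print(truncate_pan("4111111111111111"), index_token("4111111111111111")[:16])
```

The redaction helper is the piece most often missing in practice: application and web-server logs are where full PANs tend to leak, and scrubbing them at write time keeps the log store out of scope for Requirement 3.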

Requirement 4: Strong Cryptography in Data Transmission

PCI DSS mandates that cardholder data transmitted across open, public networks must be protected by strong encryption and secure protocols. Technologies such as TLS (Transport Layer Security) are required for all transmissions over the internet or between untrusted networks. Weak or obsolete protocols such as SSL and early versions of TLS must not be used, and clear documentation must map data flows, encryption solutions, and key management processes.

Best practices for compliance:

  • Use strong encryption (e.g., TLS 1.2 or higher) for all transmissions over public networks
  • Avoid deprecated protocols such as SSL and early TLS
  • Validate the effectiveness and configuration of encryption tools
  • Maintain current documentation of all data flows involving cardholder data
  • Secure wireless transmissions using WPA2 or stronger, and require authentication
  • Monitor and alert on unauthorized or unencrypted data transfers
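Requirement 4's "TLS 1.2 or higher, no SSL or early TLS" is a setting an application has to enforce in its own code as well as on the load balancer. The Python below is an added example, not code from the article or from Radware: it builds a client context pinned to TLS 1.2+ with certificate and hostname verification, and a small audit function that flags a context still permitting older protocol versions or skipping verification. The deliberately weak context exists only so the audit has something to report; the function names are the example's own.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv2/3 and TLS 1.0/1.1 and verifies the peer."""
    ctx = ssl.create_default_context()  # loads system CAs, verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Forward-secret AEAD suites only for TLS 1.2 (TLS 1.3 suites are governed separately).
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; require TLS 1.2 or higher"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


def weak_legacy_context() -> ssl.SSLContext:
    """Constructed weak context for contrast only: accepts any protocol version the
    library supports and skips verification. Not a configuration to deploy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("legacy:  ", audit_context(weak_legacy_context()))
```

Running the audit over every context an application creates (or wrapping context creation in a single approved helper like the one above) is an easy way to produce the evidence an assessor asks for under "validate the effectiveness and configuration of encryption tools".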

Requirement 5: Anti-Malware and System Protection

Organizations must deploy anti-malware solutions across all systems, particularly those commonly affected by malicious software. Automated updates, continuous monitoring, and regular scanning help maintain the effectiveness of these controls in blocking known threats. PCI DSS also requires organizations to document and review the effectiveness of anti-malware safeguards and to adapt them as new attack techniques emerge.

Best practices for compliance:

  • Install anti-malware software on all systems commonly affected by malware
  • Enable automatic updates and real-time scanning
  • Schedule regular malware scans and generate reports for review
  • Document and assess the effectiveness of anti-malware tools
  • Implement compensating controls for systems not supporting traditional anti-malware
  • Train users to recognize and report potential malware threats

Requirement 6: Secure Development and Patch Management

PCI DSS requires organizations to establish secure software development practices and promptly apply critical security patches to all system components. This includes using secure coding standards, reviewing code for vulnerabilities, and performing security testing throughout the software lifecycle. Developers must be trained on secure development, and organizations must track and address new vulnerabilities as they are discovered.

Best practices for compliance:

  • Follow secure coding standards (e.g., OWASP, SEI CERT)
  • Conduct code reviews and automated security testing
  • Apply security patches promptly, especially for critical vulnerabilities
  • Maintain a vulnerability management program to identify and address new threats
  • Document change management and testing procedures
  • Provide secure development training for developers and testers

Requirement 7: Access Controls Based on Business Need

This requirement enforces the principle of least privilege within the cardholder data environment. Access to systems and data must be limited strictly according to business requirements, ensuring that only authorized personnel can perform tasks relevant to their roles. Access rights must be formally approved, documented, and reviewed regularly to prevent privilege creep or the retention of access by former employees.

Best practices for compliance:

  • Define and document access requirements based on role and business function
  • Use role-based access control (RBAC) to enforce least privilege
  • Approve and review access rights periodically
  • Revoke access immediately upon employee termination or role change
  • Enforce separation of duties for sensitive operations
  • Maintain audit logs of access provisioning and changes

Requirement 8: Authentication and Unique Identification

All users, whether employees, contractors, or vendors, must be uniquely identified and authenticated before accessing any cardholder data systems. Multi-factor authentication (MFA) is required for remote access and for all users in environments where cardholder data is accessible. Unique IDs (not shared accounts) enable accountability and ensure actions can be traced to individual users.

Best practices for compliance:

  • Assign unique IDs to every user with system access
  • Enforce password complexity and change requirements
  • Use multi-factor authentication (MFA) for remote and administrative access
  • Prohibit the use of shared, group, or generic accounts
  • Lock accounts after repeated failed login attempts
  • Regularly review authentication mechanisms for effectiveness

Requirement 9: Physical Security of Cardholder Data

PCI DSS addresses the risk of physical compromise through the requirement for strong physical access controls. This means restricting entry to sensitive areas, securing servers and media, and using access logs to monitor who enters and exits locations where cardholder data can be accessed or stored. Surveillance cameras, access badges, visitor logs, and locked containers are among the expected controls.

Best practices for compliance:

  • Restrict physical access to CDEs to authorized personnel only
  • Implement access controls such as key cards, badges, or biometric systems
  • Use surveillance cameras to monitor sensitive areas
  • Secure media containing cardholder data in locked cabinets or safes
  • Maintain visitor logs and verify identity before granting access
  • Conduct periodic physical security reviews and remove outdated access rights

Requirement 10: Logging and Monitoring Access

Organizations handling cardholder data must implement logging and monitoring of access to the cardholder data environment. Audit trails should capture all access, changes, and privileged operations, enabling the timely detection of suspicious activity or policy violations. Ensuring logs are tamper-proof and regularly reviewed helps organizations spot incidents early and supports forensic investigations.

Best practices for compliance:

  • Enable detailed logging of access, changes, and administrative actions
  • Use centralized log servers and SIEM tools for aggregation and analysis
  • Review logs daily for critical systems and incidents
  • Protect logs from unauthorized access and tampering
  • Retain logs for at least 12 months, with three months immediately available
  • Set alerts for key security events, such as failed logins or privilege escalation
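The last bullet above, alerting on failed logins and privilege escalation, is the kind of rule a SIEM evaluates continuously over the audit trail. The following Python is an added example written for this article, not code from the article or from Radware: it parses a small constructed audit trail in a key=value style (the format, hostnames, usernames and addresses are all made up), raises an alert when one user accumulates five failed logins inside ten minutes, raises another on any privilege-escalation event, and skips a corrupted line instead of crashing on it. The threshold and window are placeholder values a real rule would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample audit trail (not real logs). One malformed line is included on purpose.
SAMPLE_LOG = """\
2024-05-03T10:00:01Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=fail
2024-05-03T10:00:09Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=fail
2024-05-03T10:00:20Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=fail
2024-05-03T10:00:31Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=fail
2024-05-03T10:00:44Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=fail
2024-05-03T10:01:02Z host=cde-app01 event=auth user=alice src=10.1.2.3 result=success
corrupted line that a parser must skip rather than crash on
2024-05-03T10:05:00Z host=cde-db01 event=auth user=bob src=10.1.2.9 result=fail
2024-05-03T10:30:00Z host=cde-db01 event=priv user=bob action=sudo target=root result=success
2024-05-03T11:00:00Z host=cde-db01 event=auth user=bob src=10.1.2.9 result=success
"""

FAIL_THRESHOLD = 5            # placeholder tuning values; a SIEM rule would set these
WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> Optional[dict]:
    """Parse '<ISO timestamp> k=v k=v ...'; return None for lines that do not fit."""
    try:
        stamp, _, rest = line.partition(" ")
        ev = dict(tok.split("=", 1) for tok in rest.split())
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        return ev
    except ValueError:  # bad timestamp, or a token without '='
        return None


def detect(lines) -> list:
    """Return (alert_type, user, timestamp) tuples for failed-login bursts and privilege use."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside WINDOW
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.get("event") == "auth" and ev.get("result") == "fail":
            q = recent_failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", ev["user"], ev["ts"]))
                q.clear()  # one alert per burst, not one per additional failure
        elif ev.get("event") == "priv":
            # Every privilege escalation in the CDE is alert-worthy, not only failed ones.
            alerts.append(("privilege_escalation", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:<22} user={user}")
```

Note that alice's burst is followed by a successful login less than a minute later; correlating that success with the preceding burst is the natural next rule, and it is exactly the kind of "daily review of critical systems" item Requirement 10 expects an analyst to see.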

Requirement 11: Regular Testing of Systems and Processes

To ensure controls are effective, PCI DSS requires organizations to regularly test network defenses, system components, and operational processes. This includes running internal and external vulnerability scans, penetration testing, and the use of file integrity monitoring solutions to detect unauthorized changes. The goal is to proactively identify gaps or weaknesses before attackers can exploit them.

Best practices for compliance:

  • Perform quarterly internal and external vulnerability scans
  • Conduct annual penetration testing or after significant changes
  • Implement file integrity monitoring to detect unauthorized changes
  • Use automated tools to validate system configurations and defenses
  • Track and remediate vulnerabilities in a timely manner
  • Document testing results and remediation efforts for audit purposes

Requirement 12: Information Security Policies and Governance

A documented information security policy is the backbone of PCI DSS compliance. The policy must be communicated to all relevant staff and address security roles, responsibilities, and procedures for maintaining the security of cardholder data environments. Senior management must be engaged to provide oversight and ensure resources are allocated appropriately.

Best practices for compliance:

  • Develop and maintain a formal, documented security policy
  • Ensure the policy is reviewed annually and updated as needed
  • Communicate security roles and responsibilities to all staff
  • Provide regular security awareness training for employees
  • Maintain an incident response plan and test it at least annually
  • Include third-party service providers in risk and compliance assessments

PCI DSS: Consequences of Non-Compliance

Failing to comply with PCI DSS carries immediate and long-term risks. In the event of a payment card data breach, organizations may face financial penalties from payment brands, remediation costs for investigations and restitution, and the expense of credit monitoring for affected customers. Serious cases can lead to the suspension or revocation of payment processing rights.

Longer-term consequences include reputational harm, legal action from customers or partners, and persistent increased scrutiny from regulatory bodies. The public disclosure of non-compliance is likely to erode customer trust and can drive away business, making recovery difficult.

Uri Dorot

Uri Dorot is a senior product marketing manager at Radware, specializing in application protection solutions, services and trends. With a deep understanding of the cyber threat landscape, Uri helps companies bridge the gap between complex cybersecurity concepts and real-world outcomes.

Tips from the Expert:

In my experience, here are tips that can help you better leverage WAAP solutions:

1. Use edge-based rate limiting for API protection: Implement rate limiting at the edge of your network rather than at the application layer. This reduces the risk of DDoS attacks overwhelming your backend systems and ensures quicker response times for legitimate users.
2. Use content-aware DLP (Data Loss Prevention) within WAAP: Integrate content-aware DLP to monitor API traffic for sensitive data leakage. This prevents unintended data exposure, particularly in scenarios where APIs handle sensitive PII, financial, or healthcare data.
3. Implement API sandboxing for untrusted requests: Route untrusted or anomalous API requests through an API sandbox before processing them. This containment strategy helps mitigate risks from unvalidated inputs, preventing potential exploits from reaching your core application logic.
4. Integrate WAAP with SIEM for enhanced visibility: Connect your WAAP logs with a Security Information and Event Management (SIEM) system. This integration enhances threat detection and provides a consolidated view of application security events, helping identify complex attack patterns across multiple layers.
5. Enable TLS inspection for comprehensive protection: Ensure that WAAP solutions are configured to decrypt and inspect HTTPS traffic. Attackers often hide malicious payloads within encrypted traffic, and without TLS inspection, these threats may bypass standard detection mechanisms.

Organizational Guidelines to Comply with PCI DSS Requirements

By adopting the following guidelines, organizations can make it easier to comply with and maintain PCI DSS requirements.

1. Maintain and Test Firewalls Regularly

Organizations must establish and maintain firewalls and network security controls that segment cardholder data from less secure environments. Firewall rules must be documented, reviewed, and tested at regular intervals to ensure only necessary network traffic is allowed.

Regular penetration testing, vulnerability scanning, and change management reviews are critical. These confirm that firewalls remain effective as network environments evolve.

2. Implement Strong Authentication Mechanisms

Strong authentication goes beyond simple passwords. Organizations should adopt multi-factor authentication (MFA) for all access to cardholder data systems, especially for remote users and administrators. Each user must have a unique ID, and shared accounts should be eliminated to ensure accountability.

Password complexity, rotation policies, and automatic session timeouts also contribute to robust authentication. Regular audits of authentication systems are necessary to detect weaknesses or unauthorized access.

3. Encrypt All Sensitive Data in Storage and Transit

All payment card data must be protected using industry-approved encryption at rest and in transit. Solutions must use strong algorithms and keys, with processes for secure key management, periodic rotation, and limiting access to cryptographic resources. Encryption should be applied end-to-end, including for data stored in backups or transmitted over internal and external networks.

Regular reviews of encryption implementations and strategies for minimizing clear-text data exposure help reduce opportunities for data theft.

4. Limit Access Based on Least Privilege

Organizations should only grant access to cardholder systems and data on a strict need-to-know basis. Access privileges must be aligned with specific job roles and reviewed regularly to identify and remove unused or excessive permissions. Automated provisioning and deprovisioning can ensure timely updates when staff roles change.

Documenting access requests and ensuring approvals are consistently recorded increases control over who can interact with sensitive payment data.

5. Establish Continuous Monitoring and Auditing

Continuous monitoring tools are necessary to detect and respond to suspicious activities promptly. SIEM platforms and real-time alerting systems should aggregate logs from all relevant sources, including firewalls, servers, applications, and endpoints. Automated alerts for anomalous behavior enable rapid investigation and response.

Frequent auditing of logs and security events should be part of regular operations. Scheduled reviews and custom threat detection rules help organizations adapt to new attack techniques and regulatory expectations.

6. Keep All Systems Patched and Updated

Maintaining up-to-date systems is critical for closing security gaps exploited in payment card breaches. Organizations need structured patch management processes to quickly identify, test, and deploy patches for vulnerabilities in operating systems, applications, and network devices. Delays in patching can leave organizations exposed.

Change control processes, combined with automated vulnerability scanning and patch deployment tools, help ensure timely updates and reduce the risk of missing critical fixes.

7. Conduct Regular Training for Staff

Security awareness is a core requirement for PCI DSS and a foundational element of strong payment card data protection. Regular, role-appropriate training educates staff on handling cardholder data securely, recognizing potential threats, and responding to security incidents. Training content should be updated to reflect new risks, such as social engineering tactics or phishing attempts.

Organizations should document participation and effectiveness of security training, linking it to overall compliance and risk mitigation goals.

Supporting PCI DSS Compliance with Radware

Radware provides a comprehensive solution suite that helps ensure compliance with the stringent new PCI DSS 4 requirements and with customer security requirements:

Cloud Application Protection Services

Radware’s Cloud Application Protection Services provide a unified solution for comprehensive web application and API protection, bot management, client-side protection, and application-level DDoS protection. Leveraging Radware SecurePath™, an innovative API-based cloud architecture, it ensures consistent, top-grade security across any cloud environment with centralized visibility and management. This service protects digital assets and customer data across on-premise, virtual, private, public, and hybrid cloud environments, including Kubernetes. It addresses over 150 known attack vectors, including the OWASP Top 10 Web Application Security Risks, Top 10 API Security Vulnerabilities, and Top 21 Automated Threats to Web Applications. The solution employs a unique positive security model and machine-learning analysis to reduce exposure to zero-day attacks by 99%. Additionally, it distinguishes between “good” and “bad” bots, optimizing bot management policies to enhance user experience and ROI. Radware’s service also ensures reduced latency, no route changes, and no SSL certificate sharing, providing increased uptime and seamless protection as businesses grow and evolve.

Cloud WAF

Radware’s Alteon Integrated WAF ensures fast, reliable and secure delivery of mission-critical Web applications and APIs for corporate networks and in the cloud. Recommended by the NSS, certified by ICSA Labs, and PCI compliant, this WAF solution combines positive and negative security models to provide complete protection against web application attacks, access violations, attacks disguised behind CDNs, API manipulations, advanced HTTP attacks (such as slowloris and dynamic floods), brute force attacks on log-in pages and more.

Bot Manager

Radware Bot Manager is a multiple award-winning bot management solution designed to protect web applications, mobile apps, and APIs from the latest AI-powered automated threats. Utilizing advanced techniques such as Radware’s patented Intent-based Deep Behavior Analysis (IDBA), semi-supervised machine learning, device fingerprinting, collective bot intelligence, and user behavior modeling, it ensures precise bot detection with minimal false positives. Bot Manager provides AI-based real-time detection and protection against threats such as ATO (account takeover), DDoS, ad and payment fraud, and web scraping. With a range of mitigation options (like Crypto Challenge), Bot Manager ensures seamless website browsing for legitimate users without relying on CAPTCHAs while effectively thwarting bot attacks. Its AI-powered correlation engine automatically analyzes threat behavior, shares data throughout security modules and blocks bad source IPs, providing complete visibility into each attack.

Account Takeover (ATO) Protection

Radware Bot Manager protects against Account Takeover attacks, and offers robust protection against unauthorized access to user accounts across web portals, mobile applications, and APIs. Utilizing advanced techniques such as Intent-based Deep Behavior Analysis (IDBA), semi-supervised machine learning, device fingerprinting, and user behavior modeling, it ensures precise bot detection with minimal false positives. The solution provides comprehensive defense against brute force and credential stuffing attacks, and offers flexible bot management options including blocking, CAPTCHA challenges, and feeding fake data. With a scalable infrastructure and a detailed dashboard, Radware Bot Manager delivers real-time insights into bot traffic, helping organizations safeguard sensitive data, maintain user trust, and prevent financial fraud.

API Protection

Radware’s API Protection solution is designed to safeguard APIs from a wide range of cyber threats, including data theft, data manipulation, and account takeover attacks. This AI-driven solution automatically discovers all API endpoints, including rogue and shadow APIs, and learns their structure and business logic. It then generates tailored security policies to provide real-time detection and mitigation of API attacks. Key benefits include comprehensive coverage against OWASP API Top 10 risks, real-time embedded threat defense, and lower false positives, ensuring accurate protection without disrupting legitimate operations.

Client-Side Protection

Radware’s Client-Side Protection solution is designed to secure end users from attacks embedded in the application supply chain, such as Magecart, formjacking, and DOM XSS. It provides continuous visibility into third-party scripts and services running on the browser side of applications, ensuring real-time activity tracking and threat-level assessments. This solution complies with PCI-DSS 4.0 requirements, helping to protect sensitive customer data and maintain organizational reputation. Key features include blocking untrusted destinations and malicious scripts without disrupting legitimate JavaScript services, monitoring HTTP headers and payment pages for manipulation attempts, and providing end-to-end protection against supply chain exploits.
