Changes to the PCI DSS Self-Assessment Questionnaire help businesses more easily comply with data-security standards.

Illustration by Julia Breckenreid

PCI DSS Basic Requirements

The basic requirements for adherence to the PCI DSS are identified below. Six control categories encompass the 12 requirements.

  1. Build and maintain a secure network
    • Install and maintain a firewall configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect cardholder data
    • Protect stored cardholder data.
    • Encrypt transmission of cardholder data across open, public networks.
  3. Maintain a vulnerability management program
    • Use and regularly update anti-virus software.
    • Develop and maintain secure systems and applications.
  4. Implement strong access control measures
    • Restrict access to cardholder data by business need-to-know.
    • Assign a unique ID to each person with computer access.
    • Restrict physical access to cardholder data.
  5. Regularly monitor and test networks
    • Track and monitor all access to network resources and cardholder data.
    • Regularly test security systems and processes.
  6. Maintain an information security policy
    • Maintain a policy that addresses information security.

Are these requirements difficult to attain? Some of them certainly are—each one can have dozens of sub- and sub-sub-requirements. Complying may require substantial changes to your application software and business practices. However, it’s important to continuously attempt to meet these requirements. This is the best method (short of not accepting payment cards) that an organization can use to reduce its exposure to credit-card and identity theft.

Compliance Levels

All merchants that process payment cards must comply with the PCI DSS requirements. This is a baseline requirement that each credit-card company mandates. However—and this is important—each company will have additional requirements based on merchant level, which in turn is based on the volume and type of payment-card transactions. Here are the requirements and merchant levels for Visa and MasterCard. The transaction levels specified here are for payment-card transactions, regardless of acceptance channel.

  • Level 1 merchant—Processes more than 6 million transactions per year
  • Level 2 merchant—Processes 1 million to 6 million transactions per year
  • Level 3 merchant—Processes 20,000 to 1 million e-commerce transactions per year
  • Level 4 merchant—Processes fewer than 20,000 e-commerce transactions per year and up to 1 million total transactions

Michael Ryan is a technical editor with IBM Systems Magazine. Michael can be reached at