PCI DSS (the Payment Card Industry Data Security Standard) sets one baseline for any organization that stores, processes, or transmits cardholder data. The current version, v4.0, expresses that baseline as 12 requirements. They can sound technical, but each one answers a simple question about how you protect card data.
Those 12 requirements are organized into 6 goals. The goals are the plain-English version of the standard: build a secure network, protect the data itself, manage vulnerabilities, control who has access, watch and test your systems, and write it all down as policy. The 12 requirements sit underneath those goals.
You don’t have to guess where you stand. A readiness analysis marks every one of the 12 requirements as covered, partial, or gap, so “are we PCI compliant?” becomes a clear, control-by-control picture instead of an open question. The free check samples five of these controls and names your likely SAQ; the full analysis marks all 12.
The 6 goals and the 12 requirements
Put controls such as firewalls between the open internet and the systems that touch card data, and keep the rules current so only the traffic you actually need gets through.
Change vendor default passwords and turn off settings you don’t use before a system goes live. Factory defaults are the first thing an attacker tries.
If you store card data at all, keep only what you truly need and render it unreadable, for example with strong encryption. The safest position is not storing it in the first place.
Any time card data crosses the internet or another open network, encrypt it in transit, for example with current TLS, so it can’t be read if it’s intercepted.
Run anti-malware protection on the systems that can be affected by it, and keep it active and up to date rather than installed and forgotten.
Patch known vulnerabilities on a defined timeline, and build security into any software you develop or customize instead of bolting it on later.
Give each person access only to the systems and data their job requires. Nobody should be able to reach card data just because they happen to work there.
Make sure every person has their own unique login, with no shared accounts, and back it with multi-factor authentication so every action traces to a real individual.
Control who can physically reach the servers, terminals, and paper records that hold card data, whether that means a locked room, a badge, or a visitor log.
Keep audit logs of who did what, and actually review them, so you can detect and reconstruct a problem instead of learning about it months later.
Scan for vulnerabilities and test your defenses on a recurring schedule, because an environment that was secure last quarter drifts over time.
Write down the policies that govern everything above, assign responsibility, and train your people, so security is a documented program and not just tribal knowledge.
See where you land on these 12.
The free SAQ & readiness check names your likely SAQ type and samples five of the controls above, in about two minutes. No email needed to see your SAQ, no card, nothing to install.
When you’re ready for the full picture, the PCI DSS v4.0 Readiness & Gap Analysis marks all 12 requirements covered, partial, or gap, and gives you a prioritized 30/60/90-day remediation roadmap.
Which of the 12 apply to you?
All 12 requirements exist for every environment that touches card data, but the number you actually have to validate depends on how you accept cards. That scope is captured by your SAQ type. A business that fully outsources card handling to a validated processor validates against far fewer controls than one that stores card numbers and completes SAQ D.
Confirming your SAQ is the first step, because it tells you which of the 12 requirements are in play for you. If you’re not sure which questionnaire fits, start with the free check, or read which PCI SAQ you need.
How a readiness analysis reads the 12
A readiness analysis takes each of the 12 requirements and marks it against your environment:
- Covered. You meet the requirement and can produce the evidence for it.
- Partial. You meet part of it, or you likely meet it but can’t fully evidence it yet.
- Gap. The requirement isn’t in place, and it needs work before you can attest.
Nothing is assumed in place. What you can’t evidence is flagged for review, never quietly counted as passing. The result is a control-by-control map of exactly where you stand, and the specific evidence an assessor will ask you to produce for each item.
Frequently asked questions
How many PCI DSS requirements are there?
PCI DSS v4.0 has 12 core requirements. They’re organized into 6 security goals, from building a secure network to maintaining an information security policy. Each requirement contains its own detailed sub-requirements, but the 12 are the framework everyone refers to.
What are the six goals of PCI DSS?
The 12 requirements roll up into 6 goals: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Do all 12 requirements apply to every merchant?
All 12 exist for every environment that touches card data, but how many you actually validate depends on how you accept cards. That scope is captured by your SAQ type. A merchant who fully outsources card handling validates against far fewer controls than one who stores card data and completes SAQ D. Your SAQ tells you which of the 12 are in play for you.
What does covered, partial, or gap mean in a readiness analysis?
Each requirement is marked covered (you meet it and can evidence it), partial (you meet part of it or can’t fully evidence it yet), or gap (it isn’t in place). It turns a vague question like “are we compliant?” into a clear, control-by-control picture of exactly where you stand on all 12.
Know exactly where you stand on all 12.
Start free: the SAQ & readiness check gives your likely SAQ type on screen and samples five of the controls above, in about two minutes.
The $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 requirements covered, partial, or gap, and hands you a prioritized 30/60/90-day remediation roadmap with the evidence an assessor will ask for. PDF in your inbox within hours. No call required.
This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.