Each day, when I speak with my QSAs, we try to follow the same approach: respect every individual requirement in the 12 chapters, and explain to all colleagues what PCI is in a few words.
First, explain each chapter with these definitions.
Build and maintain a secure network.
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
- Requirement 3: Protect all stored cardholder data.
- Requirement 4: Encrypt all transmission of cardholder data across open, public networks.
Maintain a vulnerability management programme.
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.
Implement strong access control measures.
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.
Regularly monitor and test networks.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an information security policy.
- Requirement 12: Maintain a policy that addresses information security.