

Understanding the Relationship between PCI DSS 12 Requirements and Zero Trust

Zero Trust Managed Services

Ah, the world of data security! It's a fascinating and ever-evolving space, isn't it? Today, I'm here to shed some light on the intriguing relationship between PCI DSS 12 requirements and Zero Trust. So, buckle up and get ready for an informative ride!

First things first, let's briefly discuss what PCI DSS is.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that organizations must comply with if they handle payment card data. The PCI DSS consists of 12 requirements that organizations must meet in order to maintain compliance. These standards are designed to ensure the safe handling, processing, and storage of sensitive cardholder information.

Now, let's dive into the world of Zero Trust (ZT).

In a nutshell, Zero Trust is a security concept that challenges the traditional perimeter-based approach to network security. It operates on the principle of "trust no one": it denies all access by default and requires organizations to verify and authenticate every user and device attempting to access their network resources. In short, "never trust, always verify."

By combining these two approaches, organizations can create a robust security framework that protects sensitive payment card data while minimizing the risk of unauthorized access.

So, what's the connection between PCI DSS 12 requirements and Zero Trust?

Let's take a closer look at each requirement and how it relates to the concept of Zero Trust. PCI DSS Requirement 1 lays the foundation for a zero-trust mindset.

  1. Install and maintain a firewall configuration to protect cardholder data: This requirement emphasizes building and maintaining a secure network by implementing strong access controls and network segmentation. Zero Trust uses micro-segmentation to divide the network into smaller, isolated segments or zones. This limits lateral movement within the network and contains potential breaches by restricting inbound and outbound traffic to that which is necessary for the cardholder data environment and specifically denying all other traffic. This means that organizations need to closely manage and monitor network traffic, limit user access privileges, and segment their networks to reduce the risk of unauthorized access.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters: This requirement highlights the need to change default passwords and settings to prevent potential security breaches. In a zero-trust model, authentication and access controls are critical to verify the identity of users and devices attempting to access sensitive data.

  3. Protect stored cardholder data: Organizations must ensure that any stored cardholder data is securely protected. This includes encryption, access controls, and regular monitoring. In a zero-trust framework, data is classified based on its sensitivity, and access to each category is strictly controlled.

  4. Encrypt transmission of cardholder data across open, public networks: This requirement emphasizes the need for secure transmission of cardholder data over public networks. In a zero-trust approach, data encryption is a fundamental component of securing data in transit.

  5. Protect all systems against malware and regularly update antivirus software or programs: Organizations must have robust malware protection in place and keep it up to date. In a Zero Trust environment, continuous monitoring and analysis of network traffic help detect and prevent malware infections. We also suggest using a Managed Detection and Response (MDR) service.

  6. Develop and maintain secure systems and applications: This requirement focuses on secure software development practices and regular testing of applications for vulnerabilities. Organizations must limit the potential for exploits by deploying critical patches promptly. In a zero-trust model, applications are continuously monitored for potential security flaws or vulnerabilities. Patch all systems in the card data environment, including operating systems, firewalls, routers, switches, application software, databases, and POS terminals.

  7. Restrict access to cardholder data by business need to know: Access to cardholder data should be limited to individuals who require it to perform their job responsibilities. In a zero-trust framework, access controls are implemented based on the principle of least privilege, meaning users only have access to what is necessary for their specific roles.

  8. Identify and authenticate access to system components: Organizations must implement strong authentication mechanisms to verify the identity of users accessing system components. In a zero-trust approach, multi-factor authentication (MFA) is used to provide an additional layer of security.

  9. Restrict physical access to cardholder data: Physical access to areas where cardholder data is stored or processed should be restricted and monitored. In a zero-trust model, physical security measures are implemented alongside logical controls to ensure comprehensive protection.

  10. Track and monitor all access to network resources and cardholder data: Organizations must implement robust logging mechanisms and regularly monitor access logs for any suspicious activities. In a zero-trust environment, continuous monitoring helps detect potential threats or unauthorized access attempts.

  11. Regularly test security systems and processes: Regular testing of security systems and processes helps identify vulnerabilities and weaknesses that can be addressed proactively. The following periodic activities are required:

      a. A wireless analyzer scan to detect and identify all authorized and unauthorized wireless access points every quarter.

      b. All external IPs and domains exposed in the cardholder data environment must be scanned by an independent third-party PCI Approved Scanning Vendor (ASV) at least quarterly. The PCI SSC publishes the list of Approved Scanning Vendors.

      c. Internal vulnerability scans must be conducted at least quarterly.

      d. All external IPs and domains must go through an exhaustive application penetration test and network penetration test at least yearly or after any significant change.

      In a Zero Trust framework, ongoing testing and assessments are crucial to maintain a high level of security.

  12. Maintain a policy that addresses information security for all personnel: Organizations must have comprehensive information security policies in place that are communicated to all personnel. In a zero-trust approach.
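The default-deny segmentation described under Requirement 1, as an added example that is not part of the original post: the zone names, ports and sample policy are constructed assumptions. It evaluates flows against explicit allow rules, flags wildcard rules that touch the cardholder data zone, and lists the zones reachable from a given segment.

```python
from dataclasses import dataclass

ANY = "*"        # wildcard marker used by the constructed sample rules
CDE = "cde-db"   # hypothetical name for the cardholder data zone

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    port: object  # TCP port number, or ANY

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

# Constructed sample policy; anything not listed here is denied.
POLICY = [
    Rule("pos-terminals", "payment-app", 443),
    Rule("payment-app", CDE, 5432),
    Rule("payment-app", "processor-gw", 443),  # outbound to the processor
    Rule("corp-lan", CDE, ANY),                # overly broad: audit() flags it
]

def matches(rule, flow):
    return (rule.src in (ANY, flow.src) and rule.dst in (ANY, flow.dst)
            and rule.port in (ANY, flow.port))

def decide(policy, flow):
    """Default deny: a flow passes only if an explicit rule allows it."""
    return "allow" if any(matches(r, flow) for r in policy) else "deny"

def audit(policy, protected):
    """Rules that touch the protected zone and contain a wildcard."""
    return [r for r in policy
            if (protected in (r.src, r.dst) or ANY in (r.src, r.dst))
            and ANY in (r.src, r.dst, r.port)]

def reachable_from(policy, zone):
    """Zones reachable from `zone` by chaining allowed hops (blast radius)."""
    seen, stack = set(), [zone]
    while stack:
        cur = stack.pop()
        for r in policy:
            if r.src in (ANY, cur) and r.dst != ANY and r.dst not in seen:
                seen.add(r.dst)
                stack.append(r.dst)
    return seen
```

Removing the rules that `audit()` returns and re-running `reachable_from()` shows how much each wildcard widens the set of zones that can reach the cardholder data zone.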

In essence, adopting a zero-trust approach can greatly assist organizations in achieving compliance with the PCI DSS requirements. By implementing strong access controls, network segmentation, encryption, multi-factor authentication, regular monitoring, and other best practices associated with Zero Trust, businesses can significantly enhance their overall security posture.

PCI DSS and Zero Trust are both essential components of a comprehensive security strategy. While PCI DSS focuses specifically on securing credit card data, Zero Trust provides a broader framework for network security.

So there you have it – a comprehensive overview of how PCI DSS 12 requirements and Zero Trust go hand in hand. Remember, in today's digital landscape, it's essential to stay ahead of potential threats. If you have any more questions, feel free to ask Kappa!
