Blog
December 18, 2025
An Enterprise Guide to PCI DSS Compliance Requirements
Security & Compliance,
Data Management
If your company handles customer payment information, it’s critical for you to understand PCI DSS compliance requirements. A single breach can result in substantial financial penalties and damage your brand's reputation.
In my experience working with enterprise customers, I’ve seen firsthand how non-production environments often become a blind spot for compliance efforts. According to our State of Data Compliance and Security Report, 71% of organizations have PCI DSS-regulated data in these test environments. If you consider that 60% of companies have experienced breaches in these environments, the stakes for compliance have never been higher.
Let’s walk through what PCI DSS is, who needs to comply, and its 12 core requirements. Then, we’ll explore the challenges of complying with it at enterprise scale — and how Perforce Delphix can be a game changer.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of global security standards established by major credit card companies — Visa, MasterCard, American Express, Discover, and JCB International.
Its purpose is to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
Who needs to comply with PCI DSS?
Any business that handles cardholder data must adhere to PCI DSS, regardless of their size or transaction volume. If your organization collects, transmits, or stores credit card data, you’re legally required to comply with these standards.
Benefits of PCI DSS Compliance
Achieving and maintaining PCI DSS compliance offers more than just the ability to process payments. The benefits extend throughout your organization and have a direct impact on your business's health and reputation.
- Build Customer Trust: Demonstrating a commitment to protecting customer data strengthens consumer confidence and encourages loyalty. Secure systems show customers you value their privacy.
- Avoid Severe Penalties: Non-compliance can lead to significant fines, ranging from $5,000 to $100,000 (roughly £4,000 to £80,000) per month. Data breaches can also result in costly lawsuits and government actions.
- Strengthen Overall Security: Implementing PCI DSS standards improves your organization's security posture. This framework provides a strong foundation that makes it easier to comply with other data privacy regulations (GDPR, CCPA, DORA, EU AI Act, etc).
- Improve Your Reputation: Proactively managing data security enhances your brand's reputation. In an environment where breaches are common, a strong compliance record is a powerful differentiator.
📘 Related resource: Data Privacy Laws and Compliance: What You Need to Know to Ensure Compliant Non-Production Data
The 12 PCI DSS Compliance Requirements
PCI DSS outlines 12 core requirements, which are organized into six goals. While this may seem like a significant undertaking, remember many of these controls are foundational security best practices that your organization may already have in place.
Goal 1: Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Firewalls are one of your first lines of defense. They block unauthorized access from outside entities and protect the data stored on your network. Regular updates and proper configuration are essential.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
It may seem obvious, but it’s all too often overlooked. It’s essential to change and rotate default passwords and security parameters on all systems (even those inside a firewall), including routers and modems. These generic settings are well-known vulnerabilities that attackers can easily exploit. Rotation of passwords also ensures former admin employees no longer have access to sensitive systems.
Goal 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Encrypt all stored cardholder data with strong, industry-accepted algorithms. You must also encrypt the encryption keys themselves for an added layer of security. Regular scans are required to ensure no data is left unencrypted.
Delphix automates the discovery and masking of sensitive data in non-production environments, replacing it with irreversible fictitious yet realistic values to ensure cardholder data is protected.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
When cardholder data moves across open, public networks, it must be encrypted. This guarantees its protection as it travels between your systems and payment processors.
Goal 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update antivirus software or programs.
All devices that access or store Primary Account Number (PAN) data must have reputable antivirus software installed. Keep this software updated to protect against the latest malware threats.
Requirement 6: Develop and maintain secure systems and applications.
Keep all software updated with the latest security patches. Outdated software is a common entry point for attackers who exploit known vulnerabilities.
Goal 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know.
Access to cardholder data should be granted only to employees who require it for their job functions. Limiting access reduces your internal risk footprint.
Delphix helps enforce access controls and a zero-trust posture by giving developers and testers fast, self-service access to fully masked production data, eliminating their need to access real cardholder information at all. This access is further secured through tagging and Single Sign-On (SSO), which leverages Role-Based and Attribute-Based Access Control (RBAC/ABAC).
Requirement 8: Assign a unique ID to each person with computer access.
Every employee with access to sensitive data must have a unique login ID. Sharing credentials is a violation of PCI standards, as it hinders traceability and accountability.
Requirement 9: Restrict physical access to cardholder data.
Secure physical access to any systems or records containing sensitive data. This includes keeping password storage devices or paper records in locked, secure locations and maintaining an access log.
Goal 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Maintain detailed logs of all activity involving cardholder data and network resources. A lack of proper record-keeping is a common point of non-compliance and makes it difficult to trace the source of a breach.
Requirement 11: Regularly test security systems and processes.
Conduct regular vulnerability scans — at least quarterly — to identify and remediate weaknesses in your systems. This includes both internal and external network scans.
Goal 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Create and maintain comprehensive documentation of your security policies and procedures. This policy must be communicated to all relevant employees and contractors, and it serves as a critical part of your annual audit.
Addressing PCI DSS Masking Requirements in Non-Production
While production environments are a primary focus, non-production environments — used for development, testing, analytics, and AI model training — are an often-overlooked risk.
These environments can make up the majority of a company's total data footprint. Our research shows that 95% of organizations store more sensitive data in non-production than in previous years, and 45% report having 3-10 copies of each production dataset in non-prod.
Masking sensitive data is a critical control for protecting these environments. Importantly, you can remove these environments from PCI DSS scope if you are careful to remove all cardholder data (CHD) and sensitive authentication data (SAD) from them. By replacing sensitive information with fictitious yet realistic data, you can eliminate the risk of exposure while providing developers and testers with the highest-quality data. This is particularly important for software testing, where the highest vulnerability points include:
- Performance testing (according to 85% of our survey respondents)
- Functional testing (according to 82%)
- API testing and monitoring (according to 67%)
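The following is an added example, not Delphix code and not part of the original post. It shows, in plain Python, the three mechanics the masking discussion and Requirement 3 rely on: a discovery scan for cardholder data hiding in free-text columns, deterministic masking that replaces each PAN with a Luhn-valid fictitious value while keeping cross-table joins intact (referential integrity), and a post-masking check that no real PAN survives in the copy. The masking key, the sample tables, the regex and the function names are all assumptions made for this illustration; the sample card numbers are publicly known test numbers, not real cards.

```python
import hashlib
import hmac
import re

# Constructed key for this example only. In a real masking job the key comes from a
# KMS or HSM in production and never reaches the non-production environment.
MASKING_KEY = b"example-only-masking-key"

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check that card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit Luhn-valid."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))


def find_pans(text: str) -> list[str]:
    """Discovery scan: Luhn-valid PAN candidates in free text, returned digits-only.
    Luhn removes most order and phone numbers but not all, so treat hits as leads."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic, format-preserving, non-reversible masking of one PAN.
    Keeps the 6-digit BIN (the truncation PCI DSS permits for display), derives the
    middle digits from HMAC-SHA256 over the real PAN and recomputes the Luhn check
    digit. Same input always gives the same output, so joins across tables survive;
    without the key the output cannot be traced back to the real PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19
            and luhn_valid(digits)):
        raise ValueError(f"not a PAN: {pan!r}")
    bin_prefix, middle_len = digits[:6], len(digits) - 7
    for counter in range(10):  # retry covers the vanishingly rare identity mapping
        tag = hmac.new(key, f"{digits}:{counter}".encode(), hashlib.sha256).hexdigest()
        partial = bin_prefix + str(int(tag, 16))[-middle_len:]
        candidate = partial + luhn_check_digit(partial)
        if candidate != digits:
            return candidate
    raise RuntimeError("masking kept producing the original value")


def mask_text(text: str, key: bytes = MASKING_KEY) -> str:
    """Replace every Luhn-valid PAN embedded in free text (notes, logs, comments)."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits, key) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def mask_rows(rows: list[dict], pan_fields: tuple = ("pan",)) -> list[dict]:
    """Static masking of one table: declared PAN columns are masked as PANs; every
    other string column is scrubbed too, because PANs also hide in free text."""
    return [{k: mask_pan(v) if k in pan_fields
             else mask_text(v) if isinstance(v, str) else v
             for k, v in row.items()} for row in rows]


def pans_in_rows(rows: list[dict]) -> set[str]:
    """Every Luhn-valid PAN found in any string column of the given rows."""
    return {p for r in rows for v in r.values() if isinstance(v, str) for p in find_pans(v)}


def residual_pans(original_rows: list[dict], masked_rows: list[dict]) -> set[str]:
    """Post-masking check: real PANs from the source still present in the masked copy."""
    return pans_in_rows(original_rows) & pans_in_rows(masked_rows)


def txn_count_per_customer(customers: list[dict], transactions: list[dict]) -> dict:
    """Join transactions to customers on the PAN column (referential integrity check)."""
    owner = {c["pan"]: c["customer_id"] for c in customers}
    counts: dict = {}
    for t in transactions:
        cid = owner.get(t["pan"])
        counts[cid] = counts.get(cid, 0) + 1
    return counts


# Constructed sample tables built from publicly known test card numbers, not real cards.
CUSTOMERS = [
    {"customer_id": 1, "pan": "4111111111111111"},
    {"customer_id": 2, "pan": "5555555555554444"},
]
TRANSACTIONS = [
    {"txn_id": 100, "pan": "4111111111111111", "amount": "19.99", "notes": "ok"},
    {"txn_id": 101, "pan": "4111111111111111", "amount": "5.00",
     "notes": "caller read card 3782 822463 10005 over the phone"},
    {"txn_id": 102, "pan": "5555555555554444", "amount": "42.00", "notes": "ref 20251218"},
]

if __name__ == "__main__":
    masked_c, masked_t = mask_rows(CUSTOMERS), mask_rows(TRANSACTIONS)
    print(masked_t[1])
    print("joins preserved:", txn_count_per_customer(masked_c, masked_t)
          == txn_count_per_customer(CUSTOMERS, TRANSACTIONS))
    print("real PANs left in masked copy:",
          residual_pans(CUSTOMERS + TRANSACTIONS, masked_c + masked_t))
```

Two design points matter for the compliance argument in the text. First, the masking is keyed and deterministic rather than random: the same real PAN always maps to the same fictitious PAN, so foreign keys between the customer and transaction tables still line up after masking, and a tester's joins behave as they would against production. Second, the scan runs over every string column, not only the one labelled `pan`, because the notes field in the sample is exactly the kind of place where cardholder data leaks into a non-production copy and silently drags the environment back into scope.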
A Note on the Risk of Compliance Exceptions
The good news is that 95% of organizations now use static data masking as their primary defense strategy. However, a gap remains between policy and practice. Our report found that 84% of organizations still allow compliance exceptions in non-production environments.
Even a single exception can bring a non-production environment into PCI DSS scope, requiring the same controls and security measures as a production environment — an effort that comes with significant additional cost and complexity. The sheer size of non-production means CHD and SAD data in those environments multiplies your exposure risk and increases the likelihood of a PCI DSS violation.
Find More Unique Insights In Our State of Data Compliance and Security Report
Our latest research reveals that 60% of organizations experienced data breaches in non-production, an 11% increase from last year. Get unique data and insights from our survey of 280 global enterprise leaders to understand rising data exposure risks and the current state of data compliance solutions.
How Perforce Delphix Helps You Achieve Enterprise-Scale PCI DSS Compliance
For large enterprises, maintaining PCI DSS compliance across vast and complex IT landscapes is a significant challenge. One of the most rewarding aspects of my role as Senior Solutions Engineer for Perforce Delphix is helping enterprises simplify their compliance efforts. For example, I’ve seen how automating data masking and deployment across multiple non-production environments can transform a months-long audit process into a streamlined, efficient workflow.
If I put my audit and compliance hat on, I know that by ensuring that no sensitive production data makes it into my non-production environments, I can drastically reduce the scope of PCI DSS within any organization. This cuts out the vast majority of the environment landscape from an audit and reduces the time and effort associated with it.
Even if I take that hat off and just think about my corporate and moral responsibility to look after my customers’ sensitive data, it’s a win-win situation: less effort, less cost, less risk, and more customer trust.
Delphix provides a centralized, automated solution to mask sensitive production data at scale. It lets you reduce risk and simplify audits across all non-production environments.
| Enterprise Challenge | Delphix Solution | PCI DSS Compliance Benefit |
| --- | --- | --- |
| Data Proliferation | Masks and virtualizes data from a single golden copy, reducing the number of physical data copies and shrinking the attack surface. | Reduces the scope of the Cardholder Data Environment (CDE), simplifying audits and lowering compliance costs. |
| Inconsistent Masking | Provides consistent, irreversible masking across heterogeneous databases and applications, ensuring referential integrity. | Ensures all non-production data is uniformly protected according to PCI DSS requirements, eliminating compliance gaps. |
| Slow Data Provisioning | Delivers masked, production-like data environments in minutes, not days or weeks, via self-service tools for developers and testers. | Accelerates secure development and testing cycles, allowing teams to identify and remediate vulnerabilities faster. |
| Complex Audit Trails | Offers centralized control and logging for all data operations, providing clear visibility into who accessed what data and when. | Simplifies evidence gathering for audits by providing a comprehensive and auditable trail for all non-production data activity. |
Watch a Demo: Automating Sensitive Data Discovery and Compliance with Delphix
See how Delphix automates the discovery of sensitive data across your enterprise, providing a centralized, efficient way to identify and manage information for PCI DSS compliance.
This short demo shows you how to use our profiling and masking capabilities to secure data across multiple sources and ensure your non-production environments are protected.
Real-World Success Stories: How Delphix Helped 3 Organizations Achieve Compliance
Mattel Secured Global Financial Data
Global toy leader Mattel needed to protect sensitive financial data in its SAP environments to meet SOX compliance and internal security mandates. By implementing Delphix, Mattel automated data masking and delivery, providing secure, compliant data for development and testing.
Worldpay Enhances Security and Agility
Global financial leader Worldpay faced challenges in managing sensitive data across its environments. With Delphix, they reduced data refresh cycles from 28 days to just 4, ensuring timely, masked data for testing. This transformation improved compliance, strengthened ransomware resilience, and enabled faster software releases in a highly regulated industry.
Choice Hotels Accelerates Development and Security
Choice Hotels, a leader in hospitality innovation, faced challenges in managing complex data environments and protecting sensitive guest PII and PCI-scoped cardholder data. By adopting Delphix, they reduced database refresh times from two weeks to less than a day, implemented robust data masking for compliance, and improved software quality. This transformation enabled faster development cycles, significant cost savings, and enhanced data security across all environments.
Ensure PCI DSS Compliance with Delphix Data Masking
Delphix offers robust data masking solutions to help organizations meet PCI DSS compliance and reduce risks. By identifying sensitive data like credit card details, Delphix transforms them into realistic yet fictitious values, ensuring security and integrity.
Related blog >> What Is Delphix?
Achieve Compliance and Prevent Breaches
Delphix centrally manages and enforces masking policies, ensuring compliance with regulations like PCI DSS, GDPR, and HIPAA. By irreversibly masking sensitive data, it minimizes breach risks in non-production environments.
Combine Data Masking with Virtualization
The Delphix DevOps Data Platform integrates masking with virtualization, delivering PCI DSS-compliant data to environments like development, testing, and AI. These masked, virtual copies mimic physical data, require less storage, and are delivered in minutes.
See For Yourself How Delphix Simplifies PCI Compliance
Ensure PCI DSS compliance with Delphix's fast, automated data masking. Request a demo today and see why industry leaders trust Delphix to secure data and drive innovation.