Are all PCI DSS requirements mandatory or can I leave some out as "nice to have"?
The 12 PCI DSS requirements are mandatory. However, which controls are relevant to you depends on how you take payments (i.e. telephone, face-to-face, via the internet, or through a third party). Selecting the correct Self-Assessment Questionnaire (SAQ) for your business will help determine which controls you need to apply to your cardholder data environment.