PCI DSS

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard created by the Payment Card Industry Security Standards Council (PCI SSC), which includes Visa, MasterCard, American Express, Discover, and JCB. It mandates security requirements for any organization that stores, processes, or transmits cardholder data.

PCI DSS is mandatory for any entity handling credit card transactions. Non-compliance can result in fines, loss of ability to process payments, and legal action.

Requirements (12 Core Requirements)

| # | Requirement | Description |
|---|---|---|
| 1 | Install and maintain network security controls | Firewall configuration to protect cardholder data |
| 2 | Do not use vendor-supplied defaults | Change default passwords and security parameters |
| 3 | Protect stored cardholder data | Encrypt stored data; minimize data retention |
| 4 | Encrypt transmission of cardholder data | Strong cryptography for data in transit over open networks |
| 5 | Protect against malware | Install and maintain antivirus software; regularly update |
| 6 | Develop and maintain secure systems and applications | Secure software development practices |
| 7 | Restrict access to cardholder data | Need-to-know basis; unique IDs for each person |
| 8 | Identify users and authenticate access | Strong authentication (MFA required since 2022) |
| 9 | Restrict physical access to cardholder data | Physical security controls for facilities and media |
| 10 | Log and monitor all access | Audit trails for all access to network resources and cardholder data |
| 11 | Test security of systems and networks regularly | Vulnerability scanning, penetration testing, network monitoring |
| 12 | Maintain information security policy | Annual security policy for all personnel |

Compliance Levels

| Level | Criteria | Requirements |
|---|---|---|
| Level 1 | >6M transactions/year | Annual ROC by QSA + quarterly network scan |
| Level 2 | 1M-6M transactions/year | Self-assessment (SAQ) + quarterly scan |
| Level 3 | 20k-1M e-commerce transactions/year | SAQ + quarterly scan |
| Level 4 | <20k e-commerce transactions/year | SAQ + quarterly scan |

Key Concepts

  • SAQ (Self-Assessment Questionnaire) — simplified compliance assessment for lower-volume merchants
  • ROC (Report on Compliance) — comprehensive assessment conducted by a Qualified Security Assessor (QSA)
  • ASV (Approved Scanning Vendor) — PCI-approved vendor for quarterly vulnerability scans
  • Encryption — cardholder data must be encrypted at rest and in transit using strong cryptography
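
As an added example (not from this page or from the PCI SSC), the following Python scanner ties Requirement 3 (protect stored cardholder data) to Requirement 10 (audit trails): log files are stored data too, so a full PAN written to a log is a compliance failure. The scanner finds 13-19 digit runs in log lines, keeps only those that pass the Luhn check to limit false positives, and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The log lines are constructed sample data.

```python
import re

# Constructed sample log lines (not from any real system): a full PAN,
# a Luhn-invalid order id that must be left alone, and a PAN with dashes.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z INFO checkout ok pan=4111111111111111 amt=19.99",
    "2024-05-01T10:00:02Z INFO order id=1234567890123 status=shipped",
    "2024-05-01T10:00:03Z WARN retry card 5555-5555-5555-4444 declined",
]

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line; return (line, hit count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # numeric id, not a card number: untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_sub, line), count


def scan_logs(lines):
    """Redact PANs in each line; return (redacted lines, total PANs found)."""
    redacted, hits = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        hits += n
    return redacted, hits
```

A non-zero hit count is itself a finding: the application upstream is writing cardholder data where it should never appear, and the fix belongs there, not only in the log pipeline.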

Relationship to Other Frameworks

  • ISO 27001 — ISO provides broader ISMS; PCI DSS is payment-specific
  • NIST CSF — NIST CSF can guide PCI DSS implementation