
PCI DSS is a globally recognised security standard that specifies the technical and operational requirements organisations must implement to protect cardholder data (CHD) and sensitive authentication data (SAD) across all environments where card payments are stored, processed, or transmitted. It was established by the PCI Security Standards Council (PCI SSC), an independent body founded in 2006 by the five major card brands: Visa, Mastercard, American Express, Discover, and JCB. PCI DSS applies to any organisation that stores, processes, or transmits cardholder data, regardless of size or transaction volume, including merchants, payment processors, acquirers, issuers, and third-party service providers.
As illustrated in a typical PCI DSS compliance scope assessment, an organisation first identifies all systems, networks, and processes that store, process, or transmit cardholder data. This defines the cardholder data environment (CDE). PCI DSS requirements apply to all components within the CDE and to systems that connect to or could affect the security of the CDE. Reducing the scope of the CDE through network segmentation, tokenisation, or the use of third-party payment processors is a common strategy for limiting the compliance burden while maintaining the security of card payment flows.
Key Takeaways
- PCI DSS (Payment Card Industry Data Security Standard) is a globally recognised security standard that defines the requirements organisations must meet to securely store, process, and transmit cardholder data and sensitive authentication data;
- It is governed by the Payment Card Industry Security Standards Council (PCI SSC), founded by Visa, Mastercard, American Express, Discover, and JCB, and applies to all entities involved in card payment processing, including merchants, processors, acquirers, issuers, and service providers;
- PCI DSS compliance is a continuous obligation, not a one-time certification. The current version is PCI DSS v4.1, published in December 2024, which introduced updated requirements reflecting the evolving threat landscape for card payment security.
The Six Categories and Twelve Requirements of PCI DSS
PCI DSS organises its requirements into six control objectives, each covering a specific area of cardholder data security.
- Build and maintain a secure network and systems: Organisations must install and maintain network security controls, including firewalls and secure configurations for all network devices. Default passwords and unnecessary services on all system components must be removed or disabled before deployment.
- Protect account data: Cardholder data must be protected wherever it is stored, using strong encryption, truncation, or tokenisation. The full contents of any track data, card verification codes, and PINs must never be stored after authorisation. Data transmitted across open, public networks must be encrypted using strong cryptographic protocols.
- Maintain a vulnerability management programme: All systems must be protected against malware, and anti-malware solutions must be kept current. Secure development practices must be applied to all internally developed applications, and all system components must be protected against known vulnerabilities through timely application of security patches.
- Implement strong access control measures: Access to cardholder data must be restricted on a need-to-know basis. Every individual with system access must be assigned a unique identifier, and authentication must use strong mechanisms including MFA for all access into the CDE. Physical access to cardholder data must also be controlled and monitored.
- Regularly monitor and test networks: All access to network resources and cardholder data must be logged, and audit logs must be reviewed regularly for anomalies. Systems and processes must be tested regularly through vulnerability scanning, penetration testing, and the use of intrusion detection mechanisms.
- Maintain an information security policy: Organisations must maintain a documented information security policy that addresses all PCI DSS requirements, is reviewed at least annually, and is communicated to all relevant personnel. A security awareness programme must be in place to ensure staff understand their responsibilities in protecting cardholder data.
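As an added illustration of the "Protect account data" and "Regularly monitor and test networks" objectives above (example code written for this page, not taken from the original or from any PCI SSC material): a small Python log scrubber that finds Luhn-valid PANs and card verification codes in constructed log lines, truncates each PAN to its BIN and last four digits, and redacts the verification code. The log format and field names (`card=`, `cvv=`) are assumptions.

```python
import re

# Constructed sample log lines (not from the page): a full PAN with a CVV,
# and a 16-digit order id that is NOT a card number and must not be masked.
SAMPLE_LOGS = [
    "2024-12-01T10:00:01Z INFO payment ok card=4111111111111111 cvv=123 amount=19.99",
    "2024-12-01T10:00:02Z INFO refund card=5555 5555 5555 4444 order=1234567890123456",
]

# 13-19 digits, optionally space/hyphen separated, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification codes are sensitive authentication data and must never be retained
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?)\b\s*[=:]\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs (order ids, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four digits and mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str):
    """Return the redacted line plus a list of finding types ('PAN', 'SAD')."""
    findings = []

    def pan_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # Luhn fails: leave non-card numbers untouched
        findings.append("PAN")
        return truncate_pan(digits)

    def sad_repl(m):
        findings.append("SAD")
        return m.group(1) + "=[REDACTED]"

    line = PAN_RE.sub(pan_repl, line)
    line = SAD_RE.sub(sad_repl, line)
    return line, findings
```

A non-empty findings list for any line means cardholder data or SAD reached the logs, which pulls the logging system into CDE scope until the source is fixed.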
PCI DSS Compliance Levels
PCI DSS compliance requirements vary depending on the organisation’s annual card transaction volume. Merchants and service providers are assigned to one of four compliance levels, with Level 1 applying to the highest-volume entities and requiring an annual on-site assessment by a Qualified Security Assessor (QSA). Lower-volume entities may be eligible to complete an annual Self-Assessment Questionnaire (SAQ) instead of a full QSA assessment. All entities are required to complete quarterly network vulnerability scans conducted by an Approved Scanning Vendor (ASV).
FAQ
What is the difference between PCI DSS and GDPR for organisations handling payment data?
- PCI DSS and GDPR address different aspects of data protection and are not mutually exclusive. PCI DSS is a contractual standard specific to cardholder data security, enforced through card network agreements and focused on the technical and operational controls protecting payment card data. GDPR is a legal requirement applicable across the EU and EEA that governs the processing of all personal data, including cardholder data, with a focus on lawful basis, data subject rights, and breach notification. Organisations processing card payments within the EU must comply with both frameworks simultaneously, as compliance with one does not imply compliance with the other.
What is the difference between a QSA assessment and a Self-Assessment Questionnaire (SAQ)?
- A Qualified Security Assessor (QSA) assessment is an on-site evaluation of an organisation’s cardholder data environment conducted by a PCI SSC-certified assessor, resulting in a Report on Compliance (ROC). It is required for Level 1 merchants and service providers. A Self-Assessment Questionnaire (SAQ) is a structured self-evaluation tool available to lower-volume merchants and service providers that meet specific eligibility criteria. There are several SAQ variants, each applicable to a different card acceptance or processing model, ranging from SAQ A for merchants that fully outsource card processing to SAQ D for merchants that store cardholder data electronically.