The PCI DSS (Payment Card Industry Data Security Standard)

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

The Standard results from a collaboration between the major payment brands (American Express, Discover, JCB, Mastercard and Visa). It is administered by the PCI SSC (Payment Card Industry Security Standards Council).

The latest iteration of the PCI DSS – version 4.0 – was released at the end of March 2022.

Read the full text of PCI DSS v4.0 on the PCI Security Standards Council website. 

Merchants and service providers have a two-year transition period to update their security controls to conform to the new version of the Standard. Version 3.2.1 will be retired on 31 March 2024.

Read the full text of PCI DSS v3.2.1 on the PCI Security Standards Council website. 

IT Governance is a PCI QSA (Qualified Security Assessor) company. 

View our full range of PCI DSS consultancy services

Who has to comply with the PCI DSS?

All merchants and service providers that process, transmit or store cardholder data must comply with the PCI DSS.

  • Merchants are entities that accept debit or credit card payments for goods or services. Note that the PCI DSS applies to merchants even if they have subcontracted their payment card processing to a third party.
  • Service providers are businesses directly involved in processing, storing or transmitting cardholder data on behalf of another entity.

Some organisations can be both merchants and service providers. For instance, an organisation that provides data processing services for other merchants will also be a merchant if it accepts card payments.

Speak to a PCI DSS expert

Our services can support you at each stage of your organisation’s PCI DSS compliance project. Call our team on 01474556685, or request a call using the form below. Our experts are ready and waiting with practical advice.

Contact us

Why is PCI compliance important?

Payment card data is a prime target in cyber attacks.

The 2019 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with CNP (card-not-present) data making up nearly 25% of events and card-track (magnetic stripe) data comprising 11%.

By obtaining the PAN and sensitive authentication data, an attacker can impersonate the cardholder, use the card and steal the cardholder’s identity.

If implemented correctly, the PCI DSS can help organisations reduce the risk of security breaches.

A key benefit of the Standard is the detailed action plan it provides – its requirements can be applied to organisations of any size or type that use any method of processing or storing payment card data.

Penalties for non-compliance with the PCI DSS

The PCI DSS is a standard, not a law, enforced through contracts between merchants, acquiring banks that process payment card transactions and the payment brands.

Each payment brand can fine acquiring banks for PCI DSS compliance violations. In turn, acquiring banks can withdraw the ability to accept card payments from non-compliant merchants. Compliance obligations for merchants also increase significantly in the event of a breach.

Moreover, the breach or theft of cardholder data is also a breach of the EU GDPR (General Data Protection Regulation). Data breaches risk heavy penalties under the Regulation: up to €20 million or 4% of annual global turnover – whichever is greater.

Learn more about GDPR compliance

The 12 PCI DSS requirements

The PCI DSS specifies 12 requirements that are organised into six control objectives.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data.

Learn more about PCI DSS Requirement 1  

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Learn more about PCI DSS Requirement 2 


Protect cardholder data

3. Protect stored cardholder data.

Learn more about PCI DSS Requirement 3 

4. Encrypt transmission of cardholder data across open, public networks.

Learn more about PCI DSS Requirement 4 


Maintain a vulnerability management programme

5. Use and regularly update anti-virus software or programs.

Learn more about PCI DSS Requirement 5 

6. Develop and maintain secure systems and applications.

Learn more about PCI DSS Requirement 6 


Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know.

Learn more about PCI DSS Requirement 7 

8. Assign a unique ID to each person with computer access.

Learn more about PCI DSS Requirement 8 

9. Restrict physical access to cardholder data.

Learn more about PCI DSS Requirement 9 


Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

Learn more about PCI DSS Requirement 10 

11. Regularly test security systems and processes.

Learn more about PCI DSS Requirement 11 


Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors

Learn more about PCI DSS Requirement 12 

How to become PCI DSS compliant

To demonstrate that your organisation is PCI DSS compliant, you must complete an audit of your CDE (cardholder data environment) – the system or part of your system that deals with cardholder data.

There are three types of audit:

The type of audit you must undergo and your exact PCI DSS compliance requirements will vary depending on your merchant or service provider level, based on the number of card transactions processed per year.

Generally, the criteria applied will be based on those set by Visa and Mastercard, the predominant payment card brands.

PCI DSS: merchant validation criteria

Level

Criteria

Annual validation criteria

1

Merchants that process more than 6 million transactions per year or those whose data has previously been compromised.

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

2

Merchants that process 1 million to 6 million transactions per year.

  • RoC conducted by a QSA or ISA or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

3

Merchants that process 20,000 to 1 million transactions per year.

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

4

Merchants that process fewer than 20,000 transactions per year.

  • SAQ signed by a company officer.
  • Quarterly scan by an ASV (dependent on SAQ completed).

PCI DSS: service provider validation criteria

Level

Criteria

Annual validation criteria

1

Service providers that process, transmit and/or store more than 300,000 transactions per year.

  • RoC conducted by a QSA or ISA.
  • Quarterly scan by an ASV.

2

Service providers that process, transmit and/or store fewer than 300,000 transactions per year.

  • RoC conducted by a QSA or ISA or an SAQ (SAQ D) signed by a company officer (dependent on payment brand).
  • Quarterly scan by an ASV.

Level-1 organisations

Level-1 organisations must have an external audit performed annually by a QSA and submit an RoC to their acquiring banks to prove their compliance.

The QSA will:

  • Validate the scope of the assessment;
  • Review all documentation and technical information provided;
  • Determine whether the Standard has been met;
  • Provide support and guidance during the compliance process;
  • Be onsite for the duration of the assessment as required;
  • Adhere to the PCI DSS assessment procedures;
  • Evaluate compensating controls; and
  • Produce the final RoC.

Free PDF download: PCI DSS Audits – Preparing for success

Free green paper: PCI DSS Audits – Preparing for success

Download this paper – updated for PCI DSS v4.0 – to better understand the PCI DSS audit process and learn about our step-by-step approach to preparing for audit success.

Download now

List of PCI DSS SAQs

Level-2, -3 or -4 organisations can use an SAQ, comprising yes/no questions, to assess their level of cardholder data security. There are nine different questionnaires available.

SAQ

Description

A

Card-not-present merchants, all cardholder data functions fully outsourced.

A-EP

Partially outsourced e-commerce merchants using a third-party website for payment processing.

B

Merchants with only imprint machines or only standalone, dial-out terminals – no electronic cardholder data storage.

B-IP

Merchants with standalone, IP-connected PTS point-of-interaction (POI) terminals – no electronic cardholder data storage.

C-VT

Merchants with web-based virtual payment terminals – no electronic cardholder data storage.

C

Merchants with payment application systems connected to the Internet – no electronic cardholder data storage.

D for Merchants

All other SAQ-eligible merchants not included in the descriptions for SAQ types A to C above.

D for service providers

All service providers defined by a payment brand as eligible to complete an SAQ.

P2PE

Merchants using hardware payment terminals in a PCI SSC-listed P2PE solution only – no electronic cardholder data storage.

 
PCI DSS Compliance – Simplifying your requirements and SAQ submissions

Learn more about PCI SAQs in our free paper

Download the paper now to learn about the benefits of PCI DSS compliance, how to minimise the compliance burden by reducing your scope and how to choose the right SAQ under PCI DSS v4.0.

Download now

Assessing the security of your cardholder data

Many organisations use a three-step process to achieve PCI DSS compliance:

  • PCI DSS Gap Analysis – typically the first step for understanding an organisation’s compliance status. It compares the Standard’s requirements with the organisation’s current arrangements, identifies any compliance gaps and produces a prioritised plan to achieve full PCI DSS compliance.
  • PCI DSS Remediation – actioning the plan based on the gap analysis to reduce the project scope where possible and close any remaining compliance gaps.
  • PCI DSS Audit – having finished implementing the action plan, an assessor will review your CDE and controls to ensure and record proof that you are PCI DSS-compliant.
  • Discover our range of bestselling PCI DSS products and services

    As a QSA company, IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project.

    Whether you need to conduct a gap analysis, reduce the scope of your CDE, conduct a risk assessment or test the security of your systems and processes for vulnerabilities, we can help.

    View our range of bestselling products and services to find out how we can help you.

    top
    SAVE 25% ON
    FOUNDATION
    TRAINING