The Payment Card Industry Data Security Standard (PCI DSS)

What is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard administered by the PCI SSC (Payment Card Industry Security Standards Council).

The Standard aims to increase the security of credit card data and reduce data breaches by ensuring that all organisations involved in payment card processing adopt consistent data security measures.

Read PCI DSS v3.2.1

As a PCI QSA (Qualified Security Assessor) company, IT Governance has everything you need to achieve and maintain compliance with the PCI DSS.

View our full range of PCI DSS consultancy services

Who needs to comply with the PCI DSS?

The PCI DSS applies to all organisations that accept credit or debit card payments, or that store, process or transmit cardholder data and/or sensitive authentication data.

This includes:

Account data

Cardholder data

Sensitive authentication data

PAN (primary account number)

Full track data on magnetic stripe or chip (CVV/CVC/CAV/CSC)

Cardholder name

Verification code (CVV2/CVC2/CAV2/CID)

Card expiration date

PINs/PIN blocks

Service code


Merchants that have subcontracted all their payment activities to a third party are responsible for ensuring all contracted parties comply with the Standard.

Why is PCI DSS compliance important?

Payment card data is a prime target in cyber attacks.

The 2019 Trustwave Global Security Report identified that threat actors targeted payment card data in most incidents, with CNP (card-not-present) data making up nearly 25% of events, and card-track (magnetic stripe) data comprising 11%.

By obtaining the PAN and sensitive authentication data, an attacker can impersonate the cardholder, use the card and steal the cardholder’s identity.

If implemented correctly, the PCI DSS can help organisations reduce the risk of security breaches.

A key benefit of the Standard is the detailed action plan it provides – its requirements can be applied to organisations of any size or type that use any method of processing or storing payment card data.

Penalties for non-compliance with the PCI DSS

The PCI DSS is enforced through contracts between merchants, financial institutions and payment brands.

Payments brands can fine financial institutions for non-compliance and financial institutions can withdraw the ability to accept card payments from non-compliant merchants.

And because payment card data is personal data, a breach of the PCI DSS is also a breach of the GDPR (General Data Protection Regulation).

If you suffer a data breach you could therefore face administrative fines of up to €20 million or 4% of your annual global turnover – whichever is greater.

The 12 PCI DSS requirements

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme

  1. Use and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

Implement strong access control measures

  1. Restrict access to cardholder data by business need-to-know.
  2. Assign a unique ID to each person with computer access.
  3. Restrict physical access to cardholder data.

Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Maintain an information security policy

  1. Maintain a policy that addresses information security for employees and contractors.

Learn more about the 12 requirements of the PCI DSS

How to demostrate PCI DSS compliance

To demonstrate that your organisation is PCI DSS compliant, you must successfully complete an audit of your CDE (cardholder data environment) – the system or part of your system that deals with cardholder data.

There are three types of audit:

Your organisation’s PCI DSS compliance requirements and the type of audit you must undergo will depend on the number of card transactions it processes each year.

There are four merchant levels:

Merchant level

Number of annual transactions

Validation criteria


More than 6 million.

  • RoC
  • Quarterly ASV scan


1 to 6 million.

  • RoC or SAQ
  • Quarterly ASV scan


20,000 to 1 million.

  • SAQ
  • Quarterly ASV scan


Fewer than 20,000

  • SAQ
  • Quarterly ASV scan

There are two service provider levels:

Service provider level

Number of annual transactions

Validation criteria


More than 300,000.

  • RoC
  • Quarterly ASV scan


Fewer than 300,000.

  • RoC or SAQ
  • Quarterly ASV scan

Discover our range of bestselling PCI DSS products and services

IT Governance provides services to support you at each stage of your organisation’s PCI DSS compliance project. Whether you need to conduct a gap analysis, reduce the scope of your CDE, conduct a risk assessment or test the security of your systems and processes for vulnerabilities, we can help. View our range of products and services to find out more about what we can do.

Speak to an expert

For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.

This website uses cookies. View our cookie policy