
PCI DSS

The Payment Card Industry Data Security Standard defining requirements for organisations that process, store or transmit cardholder data.

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a security standard developed by the PCI Security Standards Council, an organisation founded by Visa, Mastercard, American Express, Discover and JCB. The standard defines security requirements for all entities that process, store or transmit payment cardholder data.

PCI DSS 4.0 (the current version) comprises 12 main requirements organised into six goals: build and maintain a secure network (firewalls, secure configuration), protect cardholder data (encryption, masking), maintain a vulnerability management programme (antivirus, patching), implement strong access control measures (need-to-know, IAM, MFA), regularly monitor and test networks (logging, penetration testing), and maintain an information security policy.

The level of validation required depends on annual transaction volume. The highest level (Level 1) applies to organisations processing over 6 million transactions annually and requires an annual audit by a Qualified Security Assessor (QSA). Smaller organisations can demonstrate compliance through a self-assessment questionnaire (SAQ).

Why does it matter?

Non-compliance with PCI DSS can result in financial penalties from payment networks, higher transaction processing fees and, in extreme cases, revocation of the right to accept payment cards. For banks and financial institutions, PCI DSS is one of the key security standards, complementing regulatory requirements such as DORA.

Need help in this area?

Our experts will help you assess the risk and plan next steps.
