PCI DSS – Payment Card Industry Data Security Standard
PCI DSS is the global security standard for protecting payment card data, issued by the PCI SSC. Version 4.0.1 became the sole mandatory standard in December 2024.
Summary
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized security standard for organizations that process, store, or transmit credit card data. It was developed by the PCI Security Standards Council (PCI SSC), founded in 2006 by the five major card brands (Visa, Mastercard, American Express, Discover, JCB).
- Twelve core requirements: Organized into six overarching goals, from network security to vulnerability management.
- Compliance levels: Four merchant levels and two service provider levels based on transaction volume.
- Current version: PCI DSS v4.0.1 (June 2024) is the sole valid standard; v3.2.1 retired March 2024, v4.0 retired December 2024.
- Not a law: PCI DSS is not legislation but a contractual requirement imposed by card networks.
History
Before PCI DSS, the major card brands had their own separate security programs: Visa had the Cardholder Information Security Program (CISP), Mastercard had Site Data Protection (SDP). Increasing data breaches and card fraud led to the publication of the first PCI DSS (Version 1.0) in December 2004 as a harmonization of these standards. The PCI SSC was formally established on September 7, 2006 as the joint organization of the card brands.
The standard has been regularly updated: Version 1.1 (2006), 1.2 (2008), 2.0 (2010), 3.0 (2013), 3.1 (2015), 3.2 (2016), 3.2.1 (2018), and the landmark Version 4.0 (March 2022), which introduced a risk-based approach and new requirements for authentication, e-commerce security, and continuous monitoring. Version 3.2.1 was retired on March 31, 2024, making v4.0 the sole valid standard. PCI DSS v4.0.1 was published in June 2024 as a minor revision. On December 31, 2024, v4.0 was retired; v4.0.1 has since been the sole accepted standard. As of March 31, 2025, 51 future-dated requirements become mandatory.
Scope
PCI DSS applies to all organizations worldwide that process, store, or transmit credit or debit card data from the major card brands, regardless of their size or location. Covered entities include:
- Merchants: All businesses that accept payment cards.
- Service providers: Third parties that process cardholder data on behalf of merchants or provide services that can affect the security of cardholder data.
The compliance scope depends on the Cardholder Data Environment (CDE) — the area where cardholder data is stored, processed, or transmitted. Network segmentation can reduce scope. Tokenization and Point-to-Point Encryption (P2PE) can significantly reduce scope.
Key Requirements
PCI DSS v4.0 contains 12 core requirements organized into 6 goals:
- Build and maintain a secure network: (1) Install and maintain network security controls; (2) Apply secure configurations to all system components.
- Protect account data: (3) Protect stored account data; (4) Protect cardholder data with strong cryptography during transmission over open networks.
- Maintain a vulnerability management program: (5) Protect all systems against malware; (6) Develop and maintain secure systems and software.
- Implement strong access control measures: (7) Restrict access to system components and cardholder data; (8) Identify users and authenticate access; (9) Restrict physical access to cardholder data.
- Regularly monitor and test networks: (10) Log and monitor all access to system components and cardholder data; (11) Test security of systems and networks regularly.
- Maintain an information security policy: (12) Support information security with organizational policies and programs.
Related Frameworks
Corrections & Errata
2 corrections:
- PCI-DSS: PCI SSC was founded in 2006, not 2004
- PCI-DSS: Service provider levels are 2, not 3
1 update:
- PCI-DSS: v4.0 retired since Dec 2024, v4.0.1 is sole standard; March 2025 milestone missing