What is PCI DSS?

This article explains what PCI DSS is, who it applies to, and how compliance works.

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard designed to protect payment card data.

It applies to any organisation that stores, processes, or transmits cardholder data for major card brands such as Visa, Mastercard, American Express, Discover, and JCB.

The goal of PCI DSS is to reduce fraud and ensure that sensitive payment data is handled securely.

Key points

• PCI DSS protects payment card data
• It applies to organisations handling card payments
• It is defined by the PCI Security Standards Council
• Compliance is enforced by card networks and acquiring banks
• Private label cards are not included

Scope of PCI DSS

PCI DSS applies to organisations that:

• Store cardholder data
• Process card payments
• Transmit payment information

It does not apply to private label cards that are not part of major card schemes.

Who defines and enforces PCI DSS

• The PCI Security Standards Council defines and maintains the standard
• Card networks and acquiring banks enforce compliance

How compliance works

Organisations must regularly validate their PCI DSS compliance.

The validation method depends on transaction volume and risk level.

Large organisations

• Annual assessment by a Qualified Security Assessor (QSA)
• Results in a Report on Compliance (ROC)

Smaller organisations

• Completion of a Self-Assessment Questionnaire (SAQ)
• May require additional security scans

PCI DSS v4.0

The current version of the standard is PCI DSS v4.0.

It introduces:

• A more flexible and risk-based approach
• Stronger authentication requirements (including multi-factor authentication)
• Continuous monitoring of security controls
• More adaptability to different technical environments