Payment Card Industry Data Security Standard


The Payment Card Industry Data Security Standard is a global data security standard that regulates how entities store, process, and transmit cardholder data and/or sensitive authentication data. PCI DSS includes guidelines regarding components of organizations' technical and operational system that are related to such data. Cardholder Data refers to information including Primary Account Numbers, cardholder names, expiration dates, and service codes. Sensitive authentication data refers to information including "full track data," card verification codes, and PINs/PIN blocks. This standard is administered by the Payment Card Industry Security Standards Council, and its use is enforced by the major payment card brands. PCI DSS was created to improve and streamline the security controls organizations use when handling cardholder data and reduce credit card fraud. These organizations, including merchants and service providers, must prove compliance to the PCI DSS through an assessment and validation process. The payment card brands issue fines and other penalties when merchants or service providers fail to prove compliance. Validation of compliance is performed annually or quarterly with a method suited to the organization's volume of transactions:
Before the PCI DSS was launched, payment card information security was handled by the five major payment card brands: Visa, Mastercard, American Express, Discover, and JCB. They each had different independent security programs:
  • Visa's Cardholder Information Security Program
  • Mastercard's Site Data Protection
  • American Express's Data Security Operating Policy
  • Discover's Information Security and Compliance
  • JCB's Data Security Program
The intentions of each were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they handle payment cards and related account information. As payment card fraud rose in the late 1990s and early 2000s, the major payment card brands felt a growing need to streamline and unify these information security standards. Each program had its own methods and guidance regarding compliance validation, assessments, and requirements. To address interoperability problems among the existing standards, the combined effort by these payment card brands resulted in the release of version 1.0 of PCI DSS in December 2004. The main payment card brands then founded the Payment Card Industry Security Standards Council and aligned their policies to create the PCI DSS. PCI DSS has since been implemented and followed by numerous organizations around the world.
MasterCard, American Express, Visa, JCB International and Discover Financial Services established the PCI SSC in September 2006 as a global administrative and governing entity that mandates the evolution and development of the PCI DSS. Independent private organizations can also participate in PCI development as part of the PCI Security Standards Council Participating Organization Program. To join that program, organizations must register as a PCI SSC Participating Organization. Each participating organization joins a SIG and contributes to activities mandated by the group.
The PCI DSS is a living document that is regularly updated by the PCI Security Standards Council. The PCI SSC releases major version updates, such as version 4.0, approximately every few years. Minor updates, such as version 4.0.1, are released more frequently and typically add small changes or clarifications. When updates are released, organizations have a transition period during which they must become familiar with the new changes and begin ensuring compliance with the current version. During the transition period, organizations are only required to be compliant with either the current version or the previous version. The following versions of the PCI DSS have been made available:
VersionDateDescription
1.0December 15, 2004
1.1September 2006clarification and minor revisions
1.2October 2008enhanced clarity, improved flexibility, and addressed evolving risks and threats
1.2.1July 2009minor corrections designed to create more clarity and consistency among the standards and supporting documents
2.0October 2010provided clarifications about the relationship between PCI DSS and PA-DSS, several additional guidelines regarding Requirement and Testing Procedure
3.0November 2013active from January 1, 2014 to June 30, 2015
3.1April 2015retired since October 31, 2016
3.2April 2016retired since December 31, 2018
3.2.1May 2018retired since March 31, 2024
4.0March 2022retired since December 31, 2024, the biggest update and revision since v1.0: updated firewall terminology, expansion of Requirement 8 to implement multi-factor authentication, increased flexibility to demonstrate security, and targeted risk analyses to establish risk exposure operation and management
4.0.1June 2024Currently, the only active version. The deadline for compliance with this version was March 31, 2025.
minor revisions: correct typographical and other minor errors, update and clarify guidance, remove Definitions in guidance and refer to the Glossary instead, add references to the Glossary for newly defined glossary terms and for existing glossary terms that did not previously have references

Requirements and control objectives

The PCI DSS has twelve requirements for compliance, organized into six related groups known as control objectives:
  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy
Each PCI DSS version has divided these six requirement groups differently, but the twelve requirements have not changed since the inception of the standard. Each requirement and sub-requirement is divided into three sections:
  1. PCI DSS requirements: Define the requirement. The PCI DSS endorsement is made when the requirement is implemented.
  2. Testing: The processes and methodologies carried out by the assessor for the confirmation of proper implementation.
  3. Guidance: Explains the purpose of the requirement and the corresponding content, which can assist in its proper definition.
In version 4.0.1 of the PCI DSS, the twelve requirements are:
  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.
  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test security of systems and networks regularly.
  12. Support information security with organizational policies and programs.

    Updates and supplemental information

The PCI SSC has released supplemental information to clarify requirements, which includes:
  • Information Supplement: Requirement 11.3 Penetration Testing
  • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
  • Navigating the PCI DSS - Understanding the Intent of the Requirements
  • PCI DSS Wireless Guidelines
  • PCI DSS Applicability in an EMV Environment
  • Prioritized Approach for PCI DSS
  • Prioritized Approach Tool
  • PCI DSS Quick Reference Guide
  • PCI DSS Virtualization Guidelines
  • PCI DSS Tokenization Guidelines
  • PCI DSS 2.0 Risk Assessment Guidelines
  • The lifecycle for Changes to the PCI DSS and PA-DSS
  • Guidance for PCI DSS Scoping and Segmentation
  • PCI DSS v4.0 Resource Hub
  • PCI DSS Summary of Changes: v4.0 to v4.0.1

    Merchant levels

Merchants that store, process, and transmit cardholder data are subject to PCI DSS standards, and thus, must be deemed PCI-compliant. The PCI DSS framework classifies these entities into merchant levels that determine the type of reporting a business must complete to achieve compliance. A business' merchant level is determined by its dataset size which refers to the number of transactions a business makes annually. An acquirer or payment brand may manually place an organization into a reporting level at its discretion. Not all payment card brands use all four merchant levels, and each level's transaction volume can vary among payment card brands. For instance, Visa only has three merchant levels. The four typically accepted merchant levels are:
  • Level 1 – Over six million transactions annually
  • Level 2 – Between one and six million transactions annually
  • Level 3 – Between 20,000 and one million transactions annually, and all e-commerce merchants
  • Level 4 – Less than 20,000 transactions annually
Each card issuer maintains a table of compliance levels and a table for service providers.

Service provider levels

According to the PCI DSS, third-party service providers that store, process, or transmit cardholder data, or have access to customers’ account data are subject to PCI DSS standards. Service providers can include payment software vendors, software as a service, data centers, and other such entities. Service providers are required to prove PCI DSS compliance through the assessment process. The type of reporting process a service provider must complete are dependent on the type of service provider. Service providers are classified into levels which determine the reporting required for compliance. The two service provider levels are:
  • Level 1:
  • * All Third-Party Processors
  • * All Staged Digital Wallet Operators
  • * All Digital Activity Service Providers
  • * All Business Payment Service Providers
  • * All Token Service Providers
  • * All 3-D Secure Service Providers
  • * All Installment Service Providers
  • * All Merchant Payment Gateways
  • * All AML/Sanctions Service Providers, Data Storage Entities and Payment Facilitators with more than 300,000 total combined Mastercard and Maestro transactions annually
  • Level 2:
  • * All AML/Sanctions Service Providers, DSEs6 and PFs with 300,000 or less total combined Mastercard and Maestro transactions annually
  • * All Terminal Servicers