
What is PCI DSS? Complete Guide to Payment Card Security

By David Chen, CISSP
January 21, 2026
14 min read

TL;DR: Quick Takeaways

  • PCI DSS is mandatory for any organization that stores, processes, or transmits cardholder data
  • The standard includes 12 requirements organized into 6 control objectives covering network security, data protection, and access control
  • PCI DSS 4.0 is now in effect with new requirements for customized approaches and stronger authentication
  • Non-compliance can result in fines of $5,000-$100,000 per month plus liability for fraud losses

Every time a customer swipes, taps, or types their credit card number, they're trusting your business with sensitive financial data. The Payment Card Industry Data Security Standard (PCI DSS) exists to ensure that trust is well-placed.

This comprehensive guide explains what PCI DSS is, who needs to comply, the 12 requirements you must meet, and how to achieve and maintain compliance. Whether you're a small e-commerce store or a large payment processor, this guide will help you navigate the complexities of payment card security.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

📋 PCI DSS Overview

What It Covers:

  • Cardholder data protection
  • Network security controls
  • Access management
  • Vulnerability management
  • Monitoring and testing
  • Security policies

Key Facts:

  • Created by major card brands (Visa, Mastercard, Amex, Discover, JCB)
  • Managed by PCI Security Standards Council
  • Current version: PCI DSS 4.0
  • Applies globally to all who handle card data
  • Not a law, but contractually required

🎯 What is Cardholder Data?

PCI DSS protects specific data elements related to payment cards.

Cardholder Data (CHD):

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data (SAD):

  • Full magnetic stripe data
  • CAV2/CVC2/CVV2/CID
  • PINs and PIN blocks

⚠️ SAD cannot be stored after authorization

Who Needs PCI DSS Compliance?

If your organization stores, processes, or transmits cardholder data in any way, PCI DSS applies to you. This includes both direct handlers and service providers.

🏪 Merchant Levels

Merchants are categorized into levels based on annual transaction volume, which determines validation requirements.

Level   | Transaction Volume                                       | Validation Requirements
Level 1 | >6 million transactions/year                             | Annual on-site QSA assessment + quarterly ASV scans
Level 2 | 1-6 million transactions/year                            | Annual SAQ + quarterly ASV scans
Level 3 | 20,000-1 million e-commerce transactions/year            | Annual SAQ + quarterly ASV scans
Level 4 | <20,000 e-commerce OR <1 million other transactions      | Annual SAQ + quarterly ASV scans (may vary by acquirer)

🔧 Service Provider Levels

Service providers who store, process, or transmit cardholder data on behalf of merchants are also subject to PCI DSS.

Level 1 Service Providers:

  • >300,000 transactions/year
  • Annual on-site QSA assessment
  • Quarterly ASV scans
  • Quarterly internal scans

Level 2 Service Providers:

  • <300,000 transactions/year
  • Annual SAQ-D
  • Quarterly ASV scans
  • Quarterly internal scans

📝 Self-Assessment Questionnaire Types

Different SAQ types apply based on how you handle cardholder data.

SAQ A: Card-not-present merchants using fully outsourced payment processing (no electronic CHD storage)
SAQ A-EP: E-commerce merchants with a website that affects payment page security
SAQ B: Merchants using imprint machines or standalone dial-out terminals only
SAQ B-IP: Merchants using IP-connected PTS POI terminals (no electronic CHD storage)
SAQ C: Merchants with payment application systems connected to the Internet
SAQ C-VT: Merchants using virtual payment terminals on isolated computers
SAQ D: All other merchants and all service providers (most comprehensive)

The 12 PCI DSS Requirements

PCI DSS is organized into 6 control objectives containing 12 requirements. Here's what each requirement entails.

🔒 Build and Maintain a Secure Network and Systems

Requirement 1: Install and Maintain Network Security Controls

Install and maintain firewalls and other network security controls to protect cardholder data. Define rules that control all traffic into and out of the cardholder data environment (CDE), the systems that store, process, or transmit cardholder data and anything connected to them.

  • Implement firewall and router configurations
  • Restrict connections between untrusted networks and the CDE
  • Prohibit direct public access to the CDE

Requirement 2: Apply Secure Configurations to All System Components

Do not use vendor-supplied defaults for system passwords and other security parameters. Harden all systems before deployment.

  • Change all vendor-supplied defaults
  • Develop configuration standards for all system components
  • Encrypt non-console administrative access

🛡️ Protect Cardholder Data

Requirement 3: Protect Stored Account Data

Protect stored cardholder data through encryption, truncation, masking, and hashing. Minimize data retention.

  • Keep cardholder data storage to a minimum
  • Do not store sensitive authentication data after authorization
  • Mask PAN when displayed (show at most the first 6 and last 4 digits)
  • Render PAN unreadable anywhere it is stored
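The Requirement 3 controls above translate directly into code at the point where a transaction record is written. The following is an added example (not code from the article or from any PCI SSC document) showing the three storage-side controls together: masking the PAN to the first 6 and last 4 digits, dropping Sensitive Authentication Data fields before persistence, and replacing the raw PAN with a keyed hash so the record can still be matched later without the PAN itself being stored. The field names, the SAD field list and the demo key are assumptions made for the example; the PAN used is the well-known 4111... test number, not a real card.

```python
import hashlib
import hmac
import re

# Constructed demo key for the keyed hash. In a real CDE this key lives in an HSM
# or key-management service and is never embedded in application code.
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"

# Field names treated as Sensitive Authentication Data (SAD) in this example;
# these must never be written to storage once the transaction has been authorized.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block"}


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and enforce the 13 to 19 digit range of a PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first 6 and last 4 digits visible, the rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only the last 4 digits are needed (receipts, support lookups)."""
    return normalize_pan(pan)[-4:]


def pan_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for matching records without storing the PAN.
    An unkeyed hash is not enough here: the PAN space is small enough to enumerate,
    so the secret key is what makes the token non-reversible."""
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


def scrub_for_storage(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist:
    SAD fields removed, raw PAN replaced by masked form, last 4 and keyed token."""
    safe = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in safe:
        raw = safe.pop("pan")
        safe["pan_masked"] = mask_pan(raw)
        safe["pan_last4"] = truncate_pan(raw)
        safe["pan_token"] = pan_token(raw)
    return safe


if __name__ == "__main__":
    # Constructed sample record using the standard test PAN, not a real card.
    txn = {"pan": "4111 1111 1111 1111", "cvv2": "123", "track2": "constructed-track-data",
           "expiry": "12/28", "amount": "19.99", "auth_code": "A1B2C3"}
    print(scrub_for_storage(txn))
```

Running the block prints a record with no `pan`, `cvv2` or `track2` key, which is the shape a post-authorization record should have before it reaches a database, queue or log.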

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission

Encrypt transmission of cardholder data across open, public networks using strong cryptography.

  • Use strong cryptography protocols (TLS 1.2+)
  • Never send unprotected PANs via email, IM, SMS, etc.
  • Document all protocols and configurations
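The "TLS 1.2+" bullet is easy to state and easy to get wrong in a client library that silently negotiates down. As an added example (not code from the article), the block below builds a Python `ssl` context suitable for a connection carrying cardholder data, shows the weak configuration it replaces, and provides two audit helpers that answer the questions an assessor asks: can this context accept anything below TLS 1.2, and are any suites using algorithms such as RC4, DES/3DES or MD5 still enabled? The cipher string and the list of weak algorithm tags are choices made for this example.

```python
import ssl
from typing import List


def build_cde_tls_context(server_side: bool = False) -> ssl.SSLContext:
    """Context for any connection that carries cardholder data over a public network."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)   # certificate verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    # Forward-secret AEAD suites only (TLS 1.2); TLS 1.3 suites are managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_tls_context() -> ssl.SSLContext:
    """The weak configuration for contrast: accepts whatever the library still supports,
    so a peer can negotiate TLS 1.0 or 1.1 where the build allows it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would accept a protocol version below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that rely on algorithms not considered strong cryptography."""
    weak_tags = ("RC4", "DES", "NULL", "MD5", "EXPORT")  # example list, not exhaustive
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"].upper() for tag in weak_tags)]


if __name__ == "__main__":
    for label, ctx in (("hardened", build_cde_tls_context()), ("legacy", legacy_tls_context())):
        print(label, "allows <TLS1.2:", allows_legacy_tls(ctx), "weak suites:", weak_ciphers(ctx))
```

The same two checks can be run against any context an application constructs, which is a cheaper control than waiting for a quarterly ASV scan to report a TLS 1.0 endpoint.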

🔍 Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems and Networks from Malicious Software

Deploy anti-malware solutions on all systems commonly affected by malicious software.

  • Install anti-malware on all systems
  • Ensure anti-malware is kept current
  • Generate audit logs for anti-malware activities

Requirement 6: Develop and Maintain Secure Systems and Software

Develop software securely and protect all systems from known vulnerabilities by installing applicable security patches.

  • Install critical security patches within one month
  • Develop applications based on secure coding guidelines
  • Protect public-facing web applications from attacks

🔐 Implement Strong Access Control Measures

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

Limit access to system components and cardholder data to only those individuals whose job requires such access.

  • Define access needs for each role
  • Restrict access to privileged user IDs to least privileges necessary
  • Document and review access rights regularly

Requirement 8: Identify Users and Authenticate Access to System Components

Identify all users with a unique ID and use strong authentication to verify identity before granting access.

  • Assign unique ID to each person with access
  • Use MFA for all access into the CDE
  • Implement strong password policies (12+ characters)
  • Lock out users after 10 invalid login attempts
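The two numeric controls in Requirement 8 (12-character minimum and lockout after 10 invalid attempts) are the ones most often found mis-implemented, usually because the lockout counter resets in the wrong place or never expires. The following is an added example (not code from the article) of a password-policy check and a per-user lockout tracker. The 12-character and 10-attempt figures are the article's; the letters-and-digits rule and the 30-minute lockout duration are taken from PCI DSS 4.0 Requirement 8 and are labelled as such in the code. The clock is injectable so the lockout expiry can be exercised without waiting.

```python
import time
from typing import Callable, Dict, List

MIN_PASSWORD_LENGTH = 12       # Requirement 8: 12+ characters (4.0 raised the minimum from 7)
MAX_FAILED_ATTEMPTS = 10       # Requirement 8: lock out after 10 invalid attempts
LOCKOUT_SECONDS = 30 * 60      # PCI DSS 4.0 minimum lockout of 30 minutes (or until reset by an admin)


def password_violations(password: str) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    # PCI DSS 4.0 also requires both alphabetic and numeric characters.
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per unique user ID and enforces the lockout window."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                        # injectable for offline testing
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user_id: str) -> bool:
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it together with the counter that caused it.
            del self._locked_until[user_id]
            self._failures.pop(user_id, None)
            return False
        return True

    def record_failure(self, user_id: str) -> bool:
        """Register an invalid attempt; returns True if the account is (now) locked."""
        if self.is_locked(user_id):
            return True
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user_id] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user_id: str) -> None:
        """A successful login resets the consecutive-failure counter, never the lock itself."""
        self._failures.pop(user_id, None)

    def failures(self, user_id: str) -> int:
        return self._failures.get(user_id, 0)


if __name__ == "__main__":
    tracker = LockoutTracker()
    for attempt in range(1, MAX_FAILED_ATTEMPTS + 1):
        locked = tracker.record_failure("alice")
        print(f"attempt {attempt}: locked={locked}")
    print("policy problems for 'Ab1':", password_violations("Ab1"))
```

Note that `record_success` clears only the failure counter: once an account is locked, a correct password submitted during the window still must not unlock it, otherwise the lockout offers no protection against a guess that happens to land on attempt 11.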

Requirement 9: Restrict Physical Access to Cardholder Data

Restrict physical access to cardholder data and systems that store, process, or transmit cardholder data.

  • Use appropriate facility entry controls
  • Distinguish between onsite personnel and visitors
  • Physically secure all media containing cardholder data

📊 Regularly Monitor and Test Networks

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Implement logging mechanisms to track user activities and automate log analysis.

  • Log all access to cardholder data
  • Implement automated audit trails
  • Synchronize all critical system clocks
  • Review logs daily using automated tools
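"Review logs daily using automated tools" only helps if the tool knows what to look for. Two findings that matter in a CDE are a full PAN written into an application log (which silently pulls the log server into scope) and repeated failed logins against a privileged account. The block below is an added example (not code from the article) of both detections run over a handful of constructed log lines: it finds 13 to 19 digit runs, keeps only those that pass the Luhn check so ordinary IDs are not flagged, and counts failed logins per user and source. The log format and the sample lines are invented for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines, not taken from any real system. Line 1 leaks a full PAN
# (the standard 4111... test number), line 2 shows the masked form that should appear
# instead, and line 6 carries a 16-digit value that is not a PAN (it fails the Luhn check).
SAMPLE_LOG = """\
2026-01-21T10:02:11Z app01 checkout: order=1001 card=4111111111111111 status=approved
2026-01-21T10:02:12Z app01 checkout: order=1002 card=411111******1111 status=approved
2026-01-21T10:03:40Z db01 sshd: Failed password for dbadmin from 10.0.5.7
2026-01-21T10:03:52Z db01 sshd: Failed password for dbadmin from 10.0.5.7
2026-01-21T10:04:03Z db01 sshd: Failed password for dbadmin from 10.0.5.7
2026-01-21T10:05:00Z app02 export: trace_id=1234567890123456 rows=250 user=carol
""".splitlines()

# A run of 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_leaks(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every Luhn-valid digit run, i.e. a probable unmasked PAN
    in a log. The finding itself is reported masked so the alert does not repeat the leak."""
    leaks = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                leaks.append((n, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return leaks


def failed_login_hotspots(lines: Iterable[str], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(user, source) pairs with at least `threshold` failed logins in the reviewed window."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line_no, masked in find_pan_leaks(SAMPLE_LOG):
        print(f"PAN written to log at line {line_no}: {masked}")
    for (user, src), n in failed_login_hotspots(SAMPLE_LOG).items():
        print(f"{n} failed logins for {user} from {src}")
```

The Luhn filter is what keeps this usable at volume: order numbers, trace IDs and timestamps produce long digit runs constantly, and only about one in ten random runs passes the check, so reviewers see a short list rather than a flood.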

Requirement 11: Test Security of Systems and Networks Regularly

Regularly test security systems and processes to ensure they continue to reflect a changing environment.

  • Run quarterly ASV vulnerability scans
  • Conduct internal vulnerability scans quarterly
  • Perform penetration testing annually
  • Deploy intrusion detection/prevention
  • Use file integrity monitoring

📜 Maintain an Information Security Policy

Requirement 12: Support Information Security with Organizational Policies and Programs

Maintain a policy that addresses information security for all personnel and establish a formal security awareness program.

  • Establish and maintain a comprehensive security policy
  • Implement a formal security awareness program
  • Screen personnel prior to hire
  • Maintain an incident response plan
  • Service providers must acknowledge responsibility for cardholder data security

What's New in PCI DSS 4.0?

PCI DSS 4.0 represents the most significant update to the standard in years. Here are the major changes you need to know.

🆕 Major Changes in PCI DSS 4.0

Customized Approach:

Organizations can now use alternative methods to meet security objectives if they demonstrate equivalent protection.

  • More flexibility in implementation
  • Requires documented targeted risk analysis
  • Assessor must validate effectiveness

Authentication Changes:

  • MFA required for all access to CDE
  • Minimum 12-character passwords (up from 7)
  • Stronger phishing-resistant authentication
  • Enhanced account recovery requirements

📅 PCI DSS 4.0 Timeline

March 2022: PCI DSS 4.0 released
March 2024: PCI DSS 3.2.1 retired, 4.0 mandatory
March 2025: Future-dated requirements become mandatory

Need Help with PCI DSS Compliance?

LowerPlane automates PCI DSS compliance with continuous monitoring, evidence collection, and audit-ready documentation. See how we can help you achieve compliance faster.


Key Takeaways

  1. PCI DSS applies to everyone: Any organization that stores, processes, or transmits cardholder data must comply.

  2. Know your level: Your transaction volume determines whether you need a QSA assessment or can self-assess.

  3. Focus on scope reduction: The less cardholder data you touch, the simpler compliance becomes.

  4. PCI DSS 4.0 is here: Prepare for new requirements including stronger authentication and the customized approach option.

  5. Continuous compliance: PCI DSS isn't a one-time checklist—it requires ongoing monitoring, testing, and improvement.

Frequently Asked Questions

Is PCI DSS a legal requirement?

PCI DSS is not a law, but it is a contractual requirement enforced by the payment card brands through merchant agreements. Non-compliance can result in fines, increased transaction fees, and loss of the ability to accept credit cards. Some jurisdictions have also incorporated PCI DSS into data protection laws.

What are the penalties for PCI DSS non-compliance?

Penalties vary but can include: monthly fines of $5,000 to $100,000, increased transaction fees, liability for fraud losses, mandatory forensic investigations (at your cost), and ultimately loss of the ability to accept credit card payments. The cost of a data breach typically far exceeds compliance costs.

Can I outsource PCI DSS compliance?

You can outsource payment processing to a PCI-compliant service provider, which can significantly reduce your compliance scope. However, you cannot outsource accountability—you remain responsible for ensuring compliance and managing service provider relationships. Using a PCI-compliant payment processor allows many merchants to qualify for simplified SAQ A validation.

How often do I need to validate PCI DSS compliance?

PCI DSS compliance must be validated annually through either an on-site QSA assessment (Level 1) or Self-Assessment Questionnaire (Levels 2-4). Additionally, you must conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and maintain continuous compliance throughout the year.
