Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements to protect cardholder data—cardholders’ primary account numbers (PANs), names, expiration dates, service codes—and other sensitive cardholder information throughout its lifecycle.

The PCI DSS applies to any merchant, service provider or other organization that stores, processes or transmits cardholder data, and to any organization connected to systems that store, process or transmit cardholder data. (These systems are referred to as the cardholder data environment, or CDE.) The PCI DSS outlines detailed security controls, processes and testing that organizations should implement to protect cardholder data. These security measures cover a wide range of functional areas across the cardholder data environment including ecommerce transactions, point-of-sale systems, wireless hotspots, mobile devices, cloud computing and paper-based storage systems.

PCI DSS compliance requires annual reporting by merchants and service providers, and additional reporting following significant changes to the CDE. Validating compliance also involves continuous assessment of an organization’s security posture, and continuous remediation to address any gaps in security policy, technology or procedures.

Organizations and service providers may be assessed by a Qualified Security Assessor (QSA) who issues an Attestation of Compliance (AOC) upon completion of a successful assessment. 

The first version of the PCI DSS was released in 2004 by payment card brands American Express, Discover, JCB International, MasterCard, and Visa, who collectively formed the Payment Card Industry Security Standards Council (PCI SSC) to manage the technical requirements of the standard. In 2020, the PCI SSC added the UnionPay bankcard association. The PCI DSS is periodically updated to address the latest cybersecurity threats to payment card data such as identity theft, fraud and data breaches.

IBM Cloud and PCI DSS

IBM is a Level 1 Service Provider for PCI DSS, and clients can build PCI-DSS-compliant environments and applications using IBM Cloud.

Many IBM Cloud platform services have a PCI DSS Attestation of Compliance (AOC) issued by a Qualified Security Assessor (QSA).

Contact IBM to request a PCI DSS AOC for any service listed below:

    1. IBM Cloud Activity Tracker (via Mezmo)
    2. IBM Cloud App ID
    3. IBM Cloud Backup
    4. IBM Cloud Backup for VPC
    5. IBM Cloud Bare Metal
    6. IBM Cloud Bare Metal Servers for VPC
    7. IBM Cloud Block Storage
    8. IBM Cloud Block Storage for Virtual Private Cloud
    9. IBM Cloud Block Storage Snapshots for VPC
    10. IBM Cloud Container Registry
    11. IBM Cloud Databases for DataStax
    12. IBM Cloud Databases for Elasticsearch
    13. IBM Cloud Databases for EnterpriseDB
    14. IBM Cloud Databases for etcd
    15. IBM Cloud Databases for MongoDB
    16. IBM Cloud Databases for MySQL
    17. IBM Cloud Databases for PostgreSQL
    18. IBM Cloud Databases for Redis
    19. IBM Cloud Direct Link
    20. IBM Cloud Direct Link Connect (2.0)
    21. IBM Cloud Direct Link Dedicated (2.0)
    22. IBM Cloud DNS Services
    23. IBM Cloud File Storage
    24. IBM Cloud File Storage for Virtual Private Cloud
    25. IBM Cloud Flow Logs for VPC
    26. IBM Cloud for VMware Solutions (Dedicated)
    27. IBM Cloud Hardware Security Module
    28. IBM Cloud Internet Services Enterprise Package (via Cloudflare)
    29. IBM Cloud Internet Services Enterprise Usage (via Cloudflare)
    30. IBM Cloud Internet Services Standard (via Cloudflare)
    31. IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
    32. IBM Cloud Load Balancer
    33. IBM Cloud Messages for RabbitMQ
    34. IBM Cloud Object Storage
    35. IBM Cloud Object Storage (IaaS)
    36. IBM Cloud Platform - Core Services - IBM Cloud Identity and Access Management
    37. IBM Cloud Secrets Manager
    38. IBM Cloud Transit Gateway
    39. IBM Cloud Virtual Private Cloud
    40. IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
    41. IBM Cloud Virtual Private Cloud – VPN for VPC : Site-to-Site Gateway and Client-to-Site Server
    42. IBM Cloud Virtual Private Endpoint for VPC
    43. IBM Cloud Virtual Servers
    44. IBM Cloud Virtual Server for VPC
    45. IBM Cloud Virtual Server for VPC - Auto Scale for VPC
    46. IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
    47. IBM Cloudant for IBM Cloud
    48. IBM Event Streams for IBM Cloud Enterprise
    49. IBM Event Streams for IBM Cloud Standard
    50. IBM Key Protect for IBM Cloud
    51. IBM Log Analysis (via Mezmo)
    52. IBM Power Virtual Server on IBM Cloud
    53. IPSec VPN
    54. SAP-Certified Cloud Infrastructure

Frequently asked questions

What are the PCI DSS compliance requirements?

The most recent version of the PCI DSS (v4.0) was released in March 2022. It lists these 12 requirements for protecting cardholder data. Organizations must implement these requirements by 31 March 2025 to achieve compliance.

Install and maintain network security controls

Network security controls (NSCs) may include firewalls, virtual devices, container systems, cloud security systems and other technologies that control access to systems and data.

Apply secure configurations to all system components

Default passwords and other default system settings supplied by vendors should not be used, because they are well known and easily exploited in cyberattacks.

Protect stored cardholder data

Unless it is required for business needs, organizations should not store cardholder data. If it is stored, it must be rendered unreadable through encryption, masking or other means.

Protect cardholder data with strong cryptography during transmission over open, public networks

To prevent attackers from accessing sensitive information such as card numbers and personally identifiable information (PII), data should be encrypted before and/or during transmission over public networks.

Protect all systems and networks from malicious software

Maintain anti-virus software and other defenses against malware such as spyware, keyloggers, ransomware, malicious scripts and viruses.

Develop and maintain secure systems and software

By applying the latest security patches and following secure practices when developing apps, organizations can help minimize the risk of data breaches.

Restrict access to system components and cardholder data by business need to know

Strong access control measures should ensure that authorized users see only the cardholder information required to perform their jobs.

Identify users and authenticate access to system components

A unique ID with traceable authentication data should be assigned to every person with computer access to sensitive systems and data.

Restrict physical access to cardholder data

To prevent unauthorized persons from removing hardware or hard copies containing cardholder data, physical access to systems should be restricted.

Log and monitor all access to system components and cardholder data

Automated logging and monitoring of sensitive systems and data can help detect suspicious activity and support forensic analysis following a breach.

Test security of systems and networks regularly

Because cybercriminals continually seek new vulnerabilities in changing IT environments, penetration testing and vulnerability scans should be performed regularly.

Support information security with organizational policies and programs

Organizations should create a comprehensive information security policy that outlines procedures for identifying and managing risks, ongoing security awareness education, and compliance with the PCI DSS.

What are the PCI DSS reporting and documentation requirements?

Organizations governed by the PCI DSS must document compliance every year. Larger organizations are required to submit a detailed Report on Compliance (ROC) and Attestation of Compliance (AOC). Both the ROC and AOC documents must be completed and signed by a Qualified Security Assessor (QSA) who has been certified by the PCI Security Standards Council. Small and mid-sized organizations can complete a Self-Assessment Questionnaire (SAQ) to validate compliance.

If an organization transmits cardholder data over the internet, it may also be required to implement vulnerability management to maintain a secure network. To achieve compliance, an Approved Scanning Vendor (ASV) that has been certified by the PCI SSC must perform a quarterly vulnerability scan to test network security.

The reporting requirements for the PCI DSS differ according to the number of transactions an organization processes annually. There are four compliance levels.

Level 1

More than 6 million payment card transactions annually. Must submit a Report on Compliance completed by a Qualified Security Assessor. Must have an Approved Scanning Vendor perform a quarterly network vulnerability scan.

Level 2

One million to 6 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

Level 3

20,000 to 1 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

Level 4

Fewer than 20,000 annual card transactions. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

How is PCI DSS enforced?

Although merchants and payment service providers are required to follow the PCI DSS, their compliance is not enforced by law, governments or even the PCI Security Standards Council. Instead, compliance is managed by credit card companies, such as Visa or MasterCard, and acquirers, which are banks or financial institutions that process card payments.

Once a year, organizations that process or store cardholder data must validate their adherence to the PCI DSS. If an organization outsources its payment processing, it still must affirm that credit card transactions are protected under the requirements of the PCI DSS standard.

What are the penalties for non-compliance?

Fines for PCI DSS non-compliance are set by the payment card brands, and negotiated between the brands, the merchant or service provider, and impacted banks or other financial institutions. The payment card brands do not publish fine or fee schedules, and typically do not make penalty information available to the public.

As a rule of thumb, fines for non-compliance can range from 5,000 to 10,000 USD during the first three months of non-compliance, to 50,000 to 100,000 USD per month after six months of non-compliance. In the event of a data breach, non-compliant merchants or service providers may be fined an additional 50 to 90 USD per customer up to a maximum of 500,000 USD.

Payment card brands can assess much higher fines at their discretion, and the final negotiated penalty for an organization’s PCI DSS non-compliance—particularly non-compliance that leads to a data breach—can surge to millions or hundreds of millions of dollars to cover the cost of investigations, government claims, class-action lawsuits and more.

In addition to incurring fines, non-compliant organizations may be prohibited from processing payment card transactions.

What are the benefits of PCI DSS compliance?

Protecting sensitive data

The consequences of a data breach involving cardholder data are severe. In addition to fines, legal penalties and reputational damage, organizations may suffer the loss of both current and potential customers. The requirements of PCI DSS help defend against the theft of sensitive data.

Increasing customer confidence

Because fraud and identity theft are frequently in the headlines, consumers may be reluctant to provide retailers with sensitive credit card information. PCI DSS compliance helps customers trust that their data is protected, allowing them to be more confident when making purchases.

Supporting broader regulatory compliance

Although PCI DSS is not a legal mandate, the security controls it puts into place can help organizations achieve compliance with government regulations. Portions of the PCI DSS are complementary to data protection laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act (SOX), and the General Data Protection Regulation (GDPR).
