Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements to protect cardholder data—cardholders’ primary account numbers (PANs), names, expiration dates, service codes—and other sensitive cardholder information throughout its lifecycle.

The PCI DSS applies to any merchant, service provider or other organization that stores, processes or transmits cardholder data, and to any organization connected to systems that store, process or transmit cardholder data. (These systems are referred to as the cardholder data environment, or CDE.) The PCI DSS outlines detailed security controls, processes and testing that organizations should implement to protect cardholder data. These security measures cover a wide range of functional areas across the cardholder data environment including ecommerce transactions, point-of-sale systems, wireless hotspots, mobile devices, cloud computing and paper-based storage systems.

PCI DSS compliance requires annual reporting by merchants and service providers, and additional reporting following significant changes to the CDE. Validating compliance also involves continuous assessment of an organization’s security posture, and continuous remediation to address any gaps in security policy, technology or procedures.

Organizations and service providers may be assessed by a Qualified Security Assessor (QSA) who issues an Attestation of Compliance (AOC) upon completion of a successful assessment. 

The first version of the PCI DSS was released in 2004 by payment card brands American Express, Discover, JCB International, MasterCard, and Visa, who collectively formed the Payment Card Industry Security Standards Council (PCI SSC) to manage the technical requirements of the standard. In 2020, the PCI SSC added the UnionPay bankcard association. The PCI DSS is periodically updated to address the latest cybersecurity threats to payment card data such as identity theft, fraud and data breaches.

IBM Cloud PCI DSS Guidance

Go under the hood to learn how PCI DSS compliance works on IBM Cloud.

IBM Cloud and PCI DSS

IBM is a Level 1 Service Provider for PCI DSS, and clients can build PCI-DSS-compliant environments and applications using IBM Cloud.

Many IBM Cloud platform services have a PCI DSS Attestation of Compliance (AOC) issued by a Qualified Security Assessor (QSA).

Contact IBM to request a PCI DSS AOC for any service listed below.

IBM Cloud services with an available PCI DSS AOC include:
    1. IBM Cloud Activity Tracker (via Mezmo)
    2. IBM Cloud App ID
    3. IBM Cloud Backup
    4. IBM Cloud Backup for VPC
    5. IBM Cloud Bare Metal
    6. IBM Cloud Bare Metal Servers for VPC
    7. IBM Cloud Block Storage
    8. IBM Cloud Block Storage for Virtual Private Cloud
    9. IBM Cloud Block Storage Snapshots for VPC
    10. IBM Cloud Container Registry
    11. IBM Cloud Databases for DataStax
    12. IBM Cloud Databases for Elasticsearch
    13. IBM Cloud Databases for EnterpriseDB
    14. IBM Cloud Databases for etcd
    15. IBM Cloud Databases for MongoDB
    16. IBM Cloud Databases for MySQL
    17. IBM Cloud Databases for PostgreSQL
    18. IBM Cloud Databases for Redis
    19. IBM Cloud Direct Link
    20. IBM Cloud Direct Link Connect (2.0)
    21. IBM Cloud Direct Link Dedicated (2.0)
    22. IBM Cloud DNS Services
    23. IBM Cloud File Storage
    24. IBM Cloud File Storage for Virtual Private Cloud
    25. IBM Cloud Flow Logs for VPC
    26. IBM Cloud for VMware Solutions (Dedicated)
    27. IBM Cloud Hardware Security Module
    28. IBM Cloud Internet Services Enterprise Package (via Cloudflare)
    29. IBM Cloud Internet Services Enterprise Usage (via Cloudflare)
    30. IBM Cloud Internet Services Standard (via Cloudflare)
    31. IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
    32. IBM Cloud Load Balancer
    33. IBM Cloud Messages for RabbitMQ
    34. IBM Cloud Object Storage
    35. IBM Cloud Object Storage (IaaS)
    36. IBM Cloud Platform - Core Services - IBM Cloud Identity and Access Management
    37. IBM Cloud Secrets Manager
    38. IBM Cloud Transit Gateway
    39. IBM Cloud Virtual Private Cloud
    40. IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
    41. IBM Cloud Virtual Private Cloud – VPN for VPC : Site-to-Site Gateway and Client-to-Site Server
    42. IBM Cloud Virtual Private Endpoint for VPC
    43. IBM Cloud Virtual Servers
    44. IBM Cloud Virtual Server for VPC
    45. IBM Cloud Virtual Server for VPC - Auto Scale for VPC
    46. IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
    47. IBM Cloudant for IBM Cloud
    48. IBM Event Streams for IBM Cloud Enterprise
    49. IBM Event Streams for IBM Cloud Standard
    50. IBM Key Protect for IBM Cloud
    51. IBM Log Analysis (via Mezmo)
    52. IBM Power Virtual Server on IBM Cloud
    53. IPSec VPN
    54. SAP-Certified Cloud Infrastructure

    Accelerate your compliance using IBM Cloud services

    The most recent version of the PCI DSS (v4.0) was released in March 2022. Organizations must implement its 12 requirements by 31 March 2025 to achieve compliance.

    IBM Cloud offers the following suite of services to help you meet specific PCI DSS requirements and accelerate your compliance journey.

    1. Install and maintain network security controls

    • IBM Cloud Internet Services (CIS) [Network]: IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
    • IBM Cloud Direct Link [Network]: The speed and reliability of IBM Cloud Direct Link help you extend your organization’s data center network—without touching the public internet.
    • IBM Cloud Gateway Appliances [Network]: Gateway appliances are devices that give you enhanced control over network traffic, let you accelerate your network’s performance, and give your network a security boost.
    • IBM Cloud Transit Gateway [Network]: IBM Cloud Transit Gateway helps you connect and manage your IBM Cloud Virtual Private Cloud (VPC) networks.
    • FortiGate Security Appliance [Network]: Deploy a pair of FortiGate Virtual Appliances to your environment, which can help you reduce risk by implementing critical security controls within your virtual infrastructure.
    • Hardware Firewall [Network]: An essential layer of security that is provisioned on demand without service interruptions.

    2. Apply secure configurations to all system components

    • FortiGate Security Appliance [Network]: Deploy a pair of FortiGate Virtual Appliances to your environment, which can help you reduce risk by implementing critical security controls within your virtual infrastructure.
    • Hardware Firewall [Network]: An essential layer of security that is provisioned on demand without service interruptions.
    • IBM Security and Compliance Center [Security]: An integrated solutions suite to define policy as code, implement controls for secure data and workload deployments, and assess security and compliance posture.
    • IBM Security and Compliance Center - Workload Protection [Security]: Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
    • IBM QRadar Suite [Security]: IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.

    3. Protect stored cardholder data

    • IBM Key Protect for IBM Cloud [Security]: The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.
    • IBM Security and Compliance Center - Data Security Broker - Manager [Security]: A security solution in the Security and Compliance Center suite providing centralized encryption policies and auditing of data across different data sources.
    • IBM Cloud Hyper Protect Virtual Servers [Containers]: Fully managed confidential compute container runtime that enables the deployment of sensitive containerized workloads in a highly isolated environment with technical assurance.
    • IBM Cloud Hardware Security Module [Security]: Protects cryptographic infrastructure by more securely managing, processing and storing cryptographic keys inside a tamper-resistant hardware device.
    • IBM Security Guardium [Security]: Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
    • IBM Cloud Storage Services [Storage]: Scalable, security-rich and cost-effective home for your data while supporting traditional and cloud-native workloads. Provision and deploy services such as object, block and file storage.
    • IBM Cloud Database Services [Databases]: Free developers and IT from complex and time-consuming tasks including deployment and updates of infrastructure and database software, infrastructure operations, and backup.

    4. Protect cardholder data with strong cryptography during transmission over open, public networks

    • IBM Cloud Direct Link [Network]: The speed and reliability of IBM Cloud Direct Link help you extend your organization’s data center network—without touching the public internet.
    • IBM Cloud Transit Gateway [Network]: IBM Cloud Transit Gateway helps you connect and manage your IBM Cloud Virtual Private Cloud (VPC) networks.
    • IBM Key Protect for IBM Cloud [Security]: The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.

    5. Protect all systems and networks from malicious software

    • IBM Cloud Internet Services (CIS) [Network]: IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
    • IBM Cloud Direct Link [Network]: The speed and reliability of IBM Cloud Direct Link help you extend your organization’s data center network—without touching the public internet.
    • FortiGate Security Appliance [Network]: Deploy a pair of FortiGate Virtual Appliances to your environment, which can help you reduce risk by implementing critical security controls within your virtual infrastructure.
    • IBM QRadar Suite [Security]: IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
    • IBM Security Guardium [Security]: Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.

    6. Develop and maintain secure systems and software

    • IBM Cloud Internet Services (CIS) [Network]: IBM Cloud Internet Services brings market-leading security and performance to your external web content and internet applications before they reach the cloud.
    • IBM Security and Compliance Center - Workload Protection [Security]: Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
    • IBM Security Guardium [Security]: Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
    • IBM Cloud Container Registry [Containers]: Store and distribute container images in a fully managed private registry. Push private images to conveniently run them in the IBM Cloud® Kubernetes Service and other runtime environments.
    • IBM Cloud Continuous Delivery [Developer Tools]: Embrace enterprise-ready DevOps. Create secure toolchains that support your app delivery tasks. Automate builds, tests, deployments and more.
    • IBM Cloud Kubernetes Service [Containers]: Deploy secure, highly available clusters in a native Kubernetes experience.

    7. Restrict access to system components and cardholder data by business need to know

    • IBM Cloud App ID [Security]: Easily add authentication to web and mobile apps. Enhance your apps with advanced security capabilities like multifactor authentication and single sign-on.
    • IBM Cloud Identity and Access Management (IAM) [Security]: IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.

    8. Identify users and authenticate access to system components

    • IBM Cloud App ID [Security]: Easily add authentication to web and mobile apps. Enhance your apps with advanced security capabilities like multifactor authentication and single sign-on.
    • IBM Cloud Secrets Manager [Security]: Create secrets dynamically and lease them to applications while you control access from a single location. Built on open source HashiCorp Vault.
    • IBM Cloud Identity and Access Management (IAM) [Security]: IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.

    9. Restrict physical access to cardholder data

    IBM Cloud adopts several measures for increased physical security:
    • Physical security of the data center perimeter
    • Entry and exit access controls and logging
    • Secure offices, rooms, and facilities
    • Protection against external and environmental threats
    • Redundancy of power and network equipment
    • Secure disposal of equipment during de-provisioning
    • Corporate HR business policy and security for onboarding, training, and offboarding

    10. Log and monitor all access to system components and cardholder data

    • IBM Cloud Flow Logs for VPC [Network]: Enable the collection, storage, and presentation of information about the Internet Protocol (IP) traffic going to and from network interfaces within your Virtual Private Cloud (VPC).
    • IBM QRadar Suite [Security]: IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
    • IBM Cloud Identity and Access Management (IAM) [Security]: IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
    • IBM Security Guardium [Security]: Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
    • IBM Cloud Logs [Logging & monitoring]: Gain logs observability with IBM Cloud Logs to help improve infrastructure and app performance.
    • IBM Cloud Monitoring [Logging & monitoring]: Cloud monitoring and troubleshooting for infrastructure, cloud services and applications.

    11. Test security of systems and networks regularly

    • IBM Security and Compliance Center [Security]: An integrated solutions suite to define policy as code, implement controls for secure data and workload deployments, and assess security and compliance posture.
    • IBM Security and Compliance Center - Workload Protection [Security]: Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
    • IBM QRadar Suite [Security]: IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
    • IBM Security Guardium [Security]: Data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.

    12. Support information security with organizational policies and programs

    • IBM Security and Compliance Center [Security]: An integrated solutions suite to define policy as code, implement controls for secure data and workload deployments, and assess security and compliance posture.
    • IBM Security and Compliance Center - Workload Protection [Security]: Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
    • IBM Cloud Logs [Logging & monitoring]: Gain logs observability with IBM Cloud Logs to help improve infrastructure and app performance.
    • IBM Cloud Monitoring [Logging & monitoring]: Cloud monitoring and troubleshooting for infrastructure, cloud services and applications.

    Frequently asked questions

    What are the PCI DSS compliance requirements?

    The most recent version of the PCI DSS (v4.0) was released in March 2022. It lists these 12 requirements for protecting cardholder data. Organizations must implement these requirements by 31 March 2025 to achieve compliance.

    Install and maintain network security controls

    Network security controls (NSCs) may include firewalls, virtual devices, container systems, cloud security systems and other technologies that control access to systems and data.

    Apply secure configurations to all system components

    Default passwords and other default system settings supplied by vendors should not be used as they are vulnerable to cyberattacks.

    Protect stored cardholder data

    Unless it is required for business needs, organizations should not store cardholder data. If it is stored, it must be rendered unreadable through encryption, masking or other means.

    Protect cardholder data with strong cryptography during transmission over open, public networks

    To prevent hackers from accessing sensitive information such as card numbers and personally identifiable information (PII), data should be encrypted before and/or during public network transmissions.

    Protect all systems and networks from malicious software

    Maintain anti-virus software and other defenses against malware such as spyware, keyloggers, ransomware, scripts and other viruses.

    Develop and maintain secure systems and software

    By applying the latest security patches and following secure practices when developing apps, organizations can help minimize the risk of data breaches.

    Restrict access to system components and cardholder data by business need to know

    Strong access control measures should ensure authorized users see only the cardholder information that is required to perform their jobs.

    Identify users and authenticate access to system components

    A unique ID with traceable authentication data should be assigned to every person with computer access to sensitive systems and data.

    Restrict physical access to cardholder data

    To prevent unauthorized persons from removing hardware or hard copies containing cardholder data, physical access to systems should be restricted.

    Log and monitor all access to system components and cardholder data

    The ability to automate logging and monitoring of sensitive systems and data can help detect suspicious activity and support forensic analysis following a breach.

    Test security of systems and networks regularly

    Because cybercriminals continually seek new vulnerabilities in changing IT environments, penetration testing and vulnerability scans should be performed regularly.

    Support information security with organizational policies and programs

    Organizations should create a comprehensive information security policy that outlines procedures for identifying and managing risks, ongoing security awareness education, and compliance with the PCI DSS.
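
    Requirement 3 (render stored PANs unreadable) and requirement 10 (monitor for sensitive data in system output) meet in one everyday control: checking that card numbers never land in plain text in application logs. The following Python scanner is an added example and is not IBM's code or part of this page; it finds Luhn-valid 13-19 digit numbers in constructed sample log lines, reports them, and redacts them to the first six and last four digits. The masking width is an assumption, and the sample card numbers are widely published test numbers, not real cards.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits (assumed display width)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_in(match) -> str:
    """Digits of a regex match if they look like a PAN, else an empty string."""
    digits = re.sub(r"\D", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in text."""
    return [d for d in (_pan_in(m) for m in _CANDIDATE.finditer(text)) if d]


def redact_line(line: str) -> str:
    """Replace each PAN in a log line with its masked form; other digits stay."""
    return _CANDIDATE.sub(lambda m: mask_pan(_pan_in(m)) or m.group(0), line)


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for each PAN found, for alerting."""
    return [(n, mask_pan(p))
            for n, line in enumerate(lines, 1)
            for p in find_pans(line)]


# Constructed sample log; the card numbers are public test numbers, not real cards.
# Line 1 holds a 16-digit order id that fails Luhn and must not be flagged;
# line 4 holds a number one digit off a valid PAN, which also fails Luhn.
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z checkout ok order=1234567890123456 amount=19.99",
    "2024-05-01T12:00:02Z DEBUG card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01T12:00:03Z gateway retry pan=378282246310005 attempt=2",
    "2024-05-01T12:00:04Z lookup failed ref=4111111111111112",
]

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found -> {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Running it flags lines 2 and 3 only; a hit of this kind in production logs is a requirement 3 finding to remediate at the source, not just to redact after the fact.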

    What are the PCI DSS reporting and documentation requirements?

    Organizations governed by the PCI DSS must document compliance every year. Larger organizations are required to submit a detailed Report on Compliance (ROC) and Attestation of Compliance (AOC). Both the ROC and AOC documents must be completed and signed by a Qualified Security Assessor (QSA) who has been certified by the PCI Security Standards Council. Small and mid-sized organizations can complete a Self-Assessment Questionnaire (SAQ) to validate compliance.

    If an organization conducts transmission of cardholder data over the internet, it may also be required to implement vulnerability management to maintain a secure network. To achieve compliance, an Approved Scanning Vendor (ASV) that has been certified by the PCI SSC must perform a quarterly vulnerability scan to test network security.

    The reporting requirements for the PCI DSS differ according to the number of transactions processed annually by an organization. There are four compliance levels.

    Level 1

    More than 6 million payment card transactions annually. Must submit a Report on Compliance completed by a Qualified Security Assessor. Must have an Approved Scanning Vendor perform a quarterly network vulnerability scan.

    Level 2

    One million to 6 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

    Level 3

    20,000 to 1 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

    Level 4

    Fewer than 20,000 annual card transactions. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.

    How is PCI DSS enforced?

    Although merchants and payment service providers are required to follow the PCI DSS, their compliance is not enforced by law, governments or even the PCI Security Standards Council. Instead, compliance is managed by credit card companies, such as Visa or MasterCard, and acquirers, which are banks or financial institutions that process card payments.

    Once a year, organizations that process or store cardholder data must validate their adherence to the PCI DSS. If an organization outsources its payment processing, it still must affirm that credit card transactions are protected under the requirements of the PCI DSS standard.

    What are the penalties for non-compliance?

    Fines for PCI DSS non-compliance are set by the payment card brands, and negotiated between the brands, the merchant or service provider, and impacted banks or other financial institutions. The payment card brands do not publish fine or fee schedules, and typically do not make penalty information available to the public.

    As a rule of thumb, fines for non-compliance can range from 5,000 to 10,000 USD during the first three months of non-compliance, to 50,000 to 100,000 USD per month after six months of non-compliance. In the event of a data breach, non-compliant merchants or service providers may be fined an additional 50 to 90 USD per customer up to a maximum of 500,000 USD.

    Payment card brands can assess much higher fines at their discretion, and the final negotiated penalty for an organization’s PCI DSS non-compliance—particularly non-compliance that leads to a data breach—can surge to millions or hundreds of millions of dollars to cover the cost of investigations, government claims, class-action lawsuits and more.

    In addition to incurring fines, non-compliant organizations may be prohibited from processing payment card transactions.

    What are the benefits of PCI DSS compliance?

    Protecting sensitive data

    The consequences of a data breach involving cardholder data are severe. In addition to fines, legal penalties and reputational damage, organizations may suffer the loss of both current and potential customers. The requirements of PCI DSS help defend against the theft of sensitive data.

    Increasing customer confidence

    Because fraud and identity theft are frequently in the headlines, consumers may be reluctant to provide retailers with sensitive credit card information. PCI DSS compliance helps customers trust that their data is protected, allowing them to be more confident when making purchases.

    Supporting broader regulatory compliance

    Although PCI DSS is not a legal mandate, the security controls it puts into place can help organizations achieve compliance with government regulations. Portions of the PCI DSS are complementary to data protection laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act (SOX), and the General Data Protection Regulation (GDPR).

    Related solutions

    IBM Security and Compliance Center

    Address unified security, compliance and risk visibility across hybrid multicloud environments.

    IBM Cloud solutions

    Build scalable infrastructure at a lower cost, deploy new applications instantly, and scale up mission-critical and sensitive workloads based on demand—all within a security-rich platform.

    Resources

    Cost of a Data Breach 2023

    Be better prepared for breaches by understanding their causes and the factors that increase or reduce costs. Learn from the experiences of more than 550 organizations that were hit by a data breach.

    What is personally identifiable information (PII)?

    PII is any information that can be used to uncover an individual's identity, such as their social security number, full name, or email address.

    What is network security?

    Network security is the field of cybersecurity focused on protecting computer networks from cyber threats.
