Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements to protect payment card data throughout its lifecycle. It covers cardholder data, namely the primary account number (PAN), cardholder name, expiration date and service code, as well as sensitive authentication data such as full track data, card verification codes and PINs, which must never be stored after authorization.
The PCI DSS applies to any merchant, service provider or other organization that stores, processes or transmits cardholder data or sensitive authentication data. The people, processes and technologies that do so make up the cardholder data environment, or CDE; systems that are connected to the CDE, or that could affect its security, are also in scope for assessment even though they are not part of the CDE itself. The PCI DSS outlines detailed security controls, processes and testing that in-scope organizations must implement to protect cardholder data. These measures cover a wide range of functional areas including e-commerce transactions, point-of-sale systems, wireless networks, mobile devices, cloud computing and paper-based storage.
PCI DSS compliance requires annual validation by merchants and service providers, and reconfirmation of the affected controls and of the assessment scope after significant changes to the CDE. Maintaining compliance between assessments also involves continuous monitoring of the organization's security posture and timely remediation of any gaps in security policy, technology or procedures.
Organizations and service providers may be assessed by a Qualified Security Assessor (QSA), who documents the results of a successful assessment in a Report on Compliance (ROC); the assessed organization and the assessor then sign an Attestation of Compliance (AOC). Smaller merchants may instead self-assess using a Self-Assessment Questionnaire (SAQ) and submit the corresponding AOC.
The first version of the PCI DSS was released in 2004 by the payment card brands American Express, Discover, JCB International, MasterCard and Visa, consolidating their separate card-security programs into one standard. In 2006 the same brands formed the Payment Card Industry Security Standards Council (PCI SSC) to manage and evolve the standard; UnionPay joined the council in 2020. The PCI DSS is periodically updated to address current threats to payment card data such as fraud, identity theft and data breaches; the current major version, PCI DSS 4.0, was published in 2022.
For more information, see https://www.pcisecuritystandards.org/.