
PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established by major credit card companies to protect cardholder data during and after financial transactions.

PCI DSS was created by the Payment Card Industry Security Standards Council (PCI SSC), founded by Visa, MasterCard, American Express, Discover, and JCB. The standard applies to any organization that stores, processes, or transmits cardholder data, regardless of size or transaction volume.

The standard is organized into six major objectives and twelve core requirements. These cover areas such as building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

Compliance levels are determined by the volume of transactions an organization processes annually. Level 1 merchants, handling over six million transactions per year, must undergo annual on-site assessments by a Qualified Security Assessor (QSA). Smaller merchants may complete a Self-Assessment Questionnaire (SAQ). Non-compliance can result in significant fines, increased transaction fees, and the potential loss of the ability to process credit card payments.

PCI DSS version 4.0, released in March 2022, introduced a more flexible approach to meeting security objectives, allowing organizations to implement customized controls that meet the intent of each requirement while adapting to their specific environment and risk profile.

Tags: compliance, payment security, standards, cardholder data
