Payment Card Industry Data Security Standard

Who is PCI DSS For?

PCI DSS applies to any organization, regardless of size or number of transactions, that handles credit card information. This includes:

  • Merchants: Retailers, online businesses, and any entity that accepts credit card payments.
  • Service Providers: Companies that process, store, or transmit cardholder data on behalf of merchants, such as payment processors and third-party service providers.
  • Financial Institutions: Banks and other entities involved in issuing credit cards and processing transactions.
  • Point-of-Sale (POS) Vendors: Providers of payment acceptance solutions and devices.
  • E-commerce Platforms: Online marketplaces and services facilitating credit card transactions.

PCI DSS Controls

PCI DSS consists of 12 requirements organized into six control objectives. These requirements are designed to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The requirements are:

Build and Maintain a Secure Network and Systems

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for all personnel.

PCI DSS Compliance Levels

PCI DSS compliance levels are categorized based on the number of transactions an organization processes annually. These levels determine the validation requirements and type of assessment needed to demonstrate compliance:

Level 1

  • Description: Merchants processing over 6 million Visa, Mastercard, or Discover transactions annually.
  • Validation Requirements: Annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), or by an internal auditor if the report is signed by an officer of the company, and quarterly network scans by an Approved Scanning Vendor (ASV).

Level 2

  • Description: Merchants processing 1 million to 6 million Visa, Mastercard, or Discover transactions annually.
  • Validation Requirements: Annual Self-Assessment Questionnaire (SAQ) and quarterly network scans by an ASV.

Level 3

  • Description: Merchants processing 20,000 to 1 million e-commerce Visa, Mastercard, or Discover transactions annually.
  • Validation Requirements: Annual SAQ and quarterly network scans by an ASV.

Level 4

  • Description: Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million Visa, Mastercard, or Discover transactions annually.
  • Validation Requirements: Annual SAQ and quarterly network scans by an ASV.

Service providers are assigned their own compliance levels, based on their transaction volume and risk level. Each level carries specific validation requirements, so that every entity handling cardholder data demonstrates adherence to the PCI DSS standard.