PCI Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) defines baseline technical and operational requirements to protect payment account data. It applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data, or can impact their security.

PCI DSS was created in 2004 by consolidating five different security programs from major card brands (Visa, Mastercard, American Express, Discover, and JCB) to address interoperability problems and ensure consistent security measures across the payment industry.

Core Requirements Structure

PCI DSS organizes its twelve requirements into six control objectives:

Control Objective Requirements Purpose
Build and maintain secure networks 1-2 Install network security controls and secure system configurations
Protect cardholder data 3-4 Protect stored account data and encrypt transmission over public networks
Maintain vulnerability management 5-6 Protect against malware and develop secure systems
Implement access controls 7-8 Restrict access by business need and authenticate users
Monitor and test networks 9-11 Restrict physical access, log activity, and test security regularly
Maintain information security policy 12 Support information security with organizational policies

Compliance Validation

Compliance validation depends on merchant transaction volume levels:

  • Level 1: Over 6 million transactions annually - requires Report on Compliance (ROC) by Qualified Security Assessor (QSA)
  • Level 2: 1-6 million transactions - QSA assessment or Self-Assessment Questionnaire (SAQ)
  • Level 3: 20,000-1 million transactions - SAQ and quarterly network scans
  • Level 4: Under 20,000 transactions - SAQ (requirements set by acquirer)

Current Version

The current standard is PCI DSS v4.0.1 (June 2024), which introduced enhanced security requirements including mandatory multi-factor authentication, increased flexibility for demonstrating security, and updated firewall terminology to address modern threats.

Quality Attributes Required or Emphasized

Attribute Relevance in PCI-DSS  
Security Core objective: prevent unauthorized disclosure, alteration, and misuse of payment account data across people, process, and technology  
Confidentiality Encryption and key management protect stored data; strong cryptography protects data in transit  
Integrity Secure configurations, change controls, code security, and monitoring reduce risk of unauthorized or accidental modification  
Availability Indirectly supported via hardening, malware protection, logging/monitoring, and testing that reduce outages due to security incidents  
Access Control Need-to-know access, least privilege, strong authentication (including MFA), and session management  
Authenticity User identification and robust authentication to ensure actions are attributable to legitimate identities  
Accountability Detailed logging, monitoring, and review of security events and access to cardholder data  
Compliance Demonstrable conformance through assessments (QSA, SAQ) and brand/acquirer validation programs  
Non-repudiation Detailed audit trails to prevent denial of payment transactions and security events  
Vulnerability Management Regular vulnerability scanning and security testing requirements  

References