Skip to content

PCI-DSS

PCI-DSS

Payment Card Industry Data Security Standard

1. Overview: PCI-DSS, the international security standard every company handling card payment data must comply with

    flowchart LR
    A["Threats of card payment<br/>data breach and tampering —<br/>insecure environments"] --"Comply with 6 goals<br/>and 12 requirements"--> B["Build an environment that<br/>protects card data"] --"Level-based certification,<br/>periodic validation"--> C["Trust established<br/>across the payment ecosystem"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: An international security standard established by the PCI SSC (Payment Card Industry Security Standards Council), jointly founded by card brands such as Visa, Mastercard, and AmEx. It defines a framework of 6 goals and 12 security requirements that every organization handling, storing, or transmitting Cardholder Data (CHD) must comply with.

Characteristics: (Contractual obligation) Not a statutory requirement but a contractual obligation — non-compliance can result in termination of the card-brand agreement and fines. (Level 1–4 classification) Classified into Level 1–4 based on transaction volume, with different validation methods (QSA vs. SAQ). (v4.0 strengthening) PCI-DSS v4.0, published in 2022, emphasizes a goal-based approach, stronger multi-factor authentication, and a continuous security culture.


2. PCI-DSS’s core structure

A. The 6 goals and 12 requirements

    flowchart TD
    subgraph G1["Goal 1. Build and maintain a secure network"]
        direction LR
        R1["Req 1. Install and maintain firewalls"]
        R2["Req 2. Change vendor defaults"]
    end
    subgraph G2["Goal 2. Protect cardholder data"]
        direction LR
        R3["Req 3. Protect stored data"]
        R4["Req 4. Encrypt data in transit"]
    end
    subgraph G3["Goal 3. Vulnerability management program"]
        direction LR
        R5["Req 5. Protect against malicious software"]
        R6["Req 6. Develop and maintain secure systems"]
    end
    subgraph G4["Goal 4. Strong access control"]
        direction LR
        R7["Req 7. Restrict access on a need-to-know basis"]
        R8["Req 8. Manage system access authentication"]
        R9["Req 9. Restrict physical access to card data"]
    end
    subgraph G5["Goal 5. Monitoring and testing"]
        direction LR
        R10["Req 10. Track and monitor access logs"]
        R11["Req 11. Regularly test security systems and processes"]
    end
    subgraph G6["Goal 6. Maintain an information security policy"]
        R12["Req 12. Establish and maintain a security policy"]
    end

    style G1 fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
    style G2 fill:#F3E5F5,stroke:#7B1FA2,color:#4A148C
    style G3 fill:#FFF3E0,stroke:#F57C00,color:#E65100
    style G4 fill:#FFEBEE,stroke:#D32F2F,color:#B71C1C
    style G5 fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
    style G6 fill:#E0F2F1,stroke:#00796B,color:#004D40
  

Key cardholder-data-protection requirements

RequirementCore controlKey implementation method
Req 3. Protect stored dataProhibit storing sensitive authentication data (SAD); mask/encrypt PANTokenization, AES-256 encryption
Req 4. Encrypt transmissionApply strong encryption when transmitting over public networksUse TLS 1.2+; prohibit SSL and early TLS
Req 7. Restrict accessApply least privilege on a need-to-know basisRBAC, separation of duties (SoD)
Req 8. Manage authenticationUnique ID per individual, apply MFAMulti-factor authentication (MFA), strengthened password policy
Req 10. Log monitoringCollect and retain logs of all card-data accessSIEM integration, retain logs for at least 1 year
Req 11. Vulnerability testingRegular penetration testing and vulnerability scanningQuarterly ASV scans, annual penetration test

B. Compliance levels and validation procedures

    flowchart TD
    subgraph R1[" "]
        direction LR
        L1["Level 1<br/>6M+ transactions/year<br/>On-site QSA assessment<br/>Submit ROC and AOC"]
        L2["Level 2<br/>1M–6M transactions/year<br/>SAQ self-assessment<br/>Quarterly ASV scans"]
    end
    subgraph R2[" "]
        direction LR
        L3["Level 3<br/>20K–1M transactions/year<br/>SAQ self-assessment<br/>Quarterly ASV scans"]
        L4["Level 4<br/>Under 20K transactions/year<br/>SAQ self-assessment<br/>Recommended-level scanning"]
    end

    style L1 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style L2 fill:#FFF3E0,stroke:#F57C00,color:#000
    style L3 fill:#E3F2FD,stroke:#1976D2,color:#000
    style L4 fill:#E8F5E9,stroke:#388E3C,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
  

Validation tools and procedures

Validation methodDescriptionApplies to
QSA assessmentOn-site assessment by a Qualified Security AssessorLevel 1 merchants/service providers
ROCReport on Compliance — prepared by the QSARequired for Level 1
AOCAttestation of ComplianceRequired for all levels
SAQSelf-Assessment Questionnaire — types A, B, C, D, etc.Levels 2–4
ASV scanExternal vulnerability scan by an Approved Scanning VendorRequired quarterly
Penetration testInternal/external network penetration testing at least once a yearLevels 1–2

3. Expected benefits and practical application of PCI-DSS compliance

CategoryKey expected benefitPractical application
Card data protectionMinimizes the risk of payment data breach and tamperingApply tokenization/encryption to minimize storage and protect sensitive data
Contract retentionMaintains card-brand merchant status and reduces processing costsAnnual re-certification maintains merchant status and preferential fee rates
Improved security postureThe 12 requirements serve as an organization-wide security baselineIntegrate with ISO 27001/ISMS-P for synergy
Expanding digital paymentsEstablishes a trust foundation for simple payments, BNPL, and fintech servicesSafely launch new payment services within a PCI-DSS-compliant environment