PCI-DSS
PCI-DSS
Payment Card Industry Data Security Standard
1. Overview: PCI-DSS, the international security standard every company handling card payment data must comply with
flowchart LR
A["Threats of card payment<br/>data breach and tampering —<br/>insecure environments"] --"Comply with 6 goals<br/>and 12 requirements"--> B["Build an environment that<br/>protects card data"] --"Level-based certification,<br/>periodic validation"--> C["Trust established<br/>across the payment ecosystem"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: An international security standard established by the PCI SSC (Payment Card Industry Security Standards Council), jointly founded by card brands such as Visa, Mastercard, and AmEx. It defines a framework of 6 goals and 12 security requirements that every organization handling, storing, or transmitting Cardholder Data (CHD) must comply with.
Characteristics: (Contractual obligation) Not a statutory requirement but a contractual obligation — non-compliance can result in termination of the card-brand agreement and fines. (Level 1–4 classification) Classified into Level 1–4 based on transaction volume, with different validation methods (QSA vs. SAQ). (v4.0 strengthening) PCI-DSS v4.0, published in 2022, emphasizes a goal-based approach, stronger multi-factor authentication, and a continuous security culture.
2. PCI-DSS’s core structure
A. The 6 goals and 12 requirements
flowchart TD
subgraph G1["Goal 1. Build and maintain a secure network"]
direction LR
R1["Req 1. Install and maintain firewalls"]
R2["Req 2. Change vendor defaults"]
end
subgraph G2["Goal 2. Protect cardholder data"]
direction LR
R3["Req 3. Protect stored data"]
R4["Req 4. Encrypt data in transit"]
end
subgraph G3["Goal 3. Vulnerability management program"]
direction LR
R5["Req 5. Protect against malicious software"]
R6["Req 6. Develop and maintain secure systems"]
end
subgraph G4["Goal 4. Strong access control"]
direction LR
R7["Req 7. Restrict access on a need-to-know basis"]
R8["Req 8. Manage system access authentication"]
R9["Req 9. Restrict physical access to card data"]
end
subgraph G5["Goal 5. Monitoring and testing"]
direction LR
R10["Req 10. Track and monitor access logs"]
R11["Req 11. Regularly test security systems and processes"]
end
subgraph G6["Goal 6. Maintain an information security policy"]
R12["Req 12. Establish and maintain a security policy"]
end
style G1 fill:#E3F2FD,stroke:#1976D2,color:#1E3A5F
style G2 fill:#F3E5F5,stroke:#7B1FA2,color:#4A148C
style G3 fill:#FFF3E0,stroke:#F57C00,color:#E65100
style G4 fill:#FFEBEE,stroke:#D32F2F,color:#B71C1C
style G5 fill:#E8F5E9,stroke:#388E3C,color:#1B5E20
style G6 fill:#E0F2F1,stroke:#00796B,color:#004D40
Key cardholder-data-protection requirements
| Requirement | Core control | Key implementation method |
|---|---|---|
| Req 3. Protect stored data | Prohibit storing sensitive authentication data (SAD); mask/encrypt PAN | Tokenization, AES-256 encryption |
| Req 4. Encrypt transmission | Apply strong encryption when transmitting over public networks | Use TLS 1.2+; prohibit SSL and early TLS |
| Req 7. Restrict access | Apply least privilege on a need-to-know basis | RBAC, separation of duties (SoD) |
| Req 8. Manage authentication | Unique ID per individual, apply MFA | Multi-factor authentication (MFA), strengthened password policy |
| Req 10. Log monitoring | Collect and retain logs of all card-data access | SIEM integration, retain logs for at least 1 year |
| Req 11. Vulnerability testing | Regular penetration testing and vulnerability scanning | Quarterly ASV scans, annual penetration test |
B. Compliance levels and validation procedures
flowchart TD
subgraph R1[" "]
direction LR
L1["Level 1<br/>6M+ transactions/year<br/>On-site QSA assessment<br/>Submit ROC and AOC"]
L2["Level 2<br/>1M–6M transactions/year<br/>SAQ self-assessment<br/>Quarterly ASV scans"]
end
subgraph R2[" "]
direction LR
L3["Level 3<br/>20K–1M transactions/year<br/>SAQ self-assessment<br/>Quarterly ASV scans"]
L4["Level 4<br/>Under 20K transactions/year<br/>SAQ self-assessment<br/>Recommended-level scanning"]
end
style L1 fill:#FFEBEE,stroke:#D32F2F,color:#000
style L2 fill:#FFF3E0,stroke:#F57C00,color:#000
style L3 fill:#E3F2FD,stroke:#1976D2,color:#000
style L4 fill:#E8F5E9,stroke:#388E3C,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
Validation tools and procedures
| Validation method | Description | Applies to |
|---|---|---|
| QSA assessment | On-site assessment by a Qualified Security Assessor | Level 1 merchants/service providers |
| ROC | Report on Compliance — prepared by the QSA | Required for Level 1 |
| AOC | Attestation of Compliance | Required for all levels |
| SAQ | Self-Assessment Questionnaire — types A, B, C, D, etc. | Levels 2–4 |
| ASV scan | External vulnerability scan by an Approved Scanning Vendor | Required quarterly |
| Penetration test | Internal/external network penetration testing at least once a year | Levels 1–2 |
3. Expected benefits and practical application of PCI-DSS compliance
| Category | Key expected benefit | Practical application |
|---|---|---|
| Card data protection | Minimizes the risk of payment data breach and tampering | Apply tokenization/encryption to minimize storage and protect sensitive data |
| Contract retention | Maintains card-brand merchant status and reduces processing costs | Annual re-certification maintains merchant status and preferential fee rates |
| Improved security posture | The 12 requirements serve as an organization-wide security baseline | Integrate with ISO 27001/ISMS-P for synergy |
| Expanding digital payments | Establishes a trust foundation for simple payments, BNPL, and fintech services | Safely launch new payment services within a PCI-DSS-compliant environment |