PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by major card brands that all organizations handling, processing, or storing credit card data must follow to protect cardholder information.
Definition
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements created by major card brands that all organizations handling, processing, or storing credit card data must follow to protect cardholder information.
Overview
Maintained by the PCI Security Standards Council — founded by Visa, Mastercard, American Express, Discover, and JCB — PCI DSS applies to any merchant, payment processor, or service provider that touches cardholder data, regardless of transaction volume, though the level of validation required (self-assessment questionnaire versus formal audit) scales with transaction volume. The standard is organized around six control objectives covering a secure network, cardholder data protection, vulnerability management, strong access control, regular monitoring and testing, and an information security policy — expressed as roughly 300 specific technical and operational requirements. Key requirements include encrypting cardholder data in transit and at rest, restricting access on a need-to-know basis, maintaining a firewall and network segmentation between cardholder data and other systems, regularly testing security systems (including penetration testing), and never storing sensitive authentication data like the CVV after authorization. Many organizations reduce their compliance scope significantly by using a third-party payment processor (tokenization) so raw card data never touches their own systems. Any team building e-commerce or payment features should understand PCI DSS scope early; the concepts overlap with topics in API Security around securely handling sensitive data.
Key Concepts
- Set by the PCI Security Standards Council, founded by major card brands
- Applies to any organization handling, processing, or storing cardholder data
- Six control objectives spanning network security to policy
- Requires encryption of cardholder data at rest and in transit
- Mandates network segmentation isolating cardholder data environments
- Validation level (self-assessment vs. formal audit) scales with transaction volume
- Tokenization via third-party processors can significantly reduce compliance scope