PCI DSS
The Ultimate Guide to

Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to help all organizations who handle credit card transactions maintain a secure environment. The standard was developed by the PCI Security Standards Council, an independent body founded by major card brands including Visa, MasterCard, and Discover.

Protecting Cardholder Data

According to the Federal Trade Commission, credit card fraud continues to be one of the fastest forms of identity theft. In 2024, the FTC received over 449,000 reports, an increase of 8% from the 416,000 reports in 2023. To put this in perspective, 62 million Americans reported fraudulent charges on their credit cards or debit cards. These purchases were in excess of $6.2 billion.

Consumers today are aware of the risks when they share their cardholder information with businesses, and they’re wary of transacting with businesses that don’t take information security seriously. By implementing the Payment Card Industry Data Security Standard—a baseline of technical and operational requirements designed to protect cardholders data, you can shield your organization from embarrassing data breaches, loss of sensitive cardholder information, and loss of consumer trust. Becoming compliant with the data security standard established by the Payment Card Industry Security Standards Council is essential today to your company’s long-term success.

PCI DSS Requirements

The latest version of the standard (v 4.0.1), published in June of 2024, contains 12 broad requirements across 6 areas:

PCI Data Security Standards — High-Level Overview

source: PCI Security Standards Council

Build and Maintain a Secure Network and System
  • Install and maintain network security controls
  • Apply secure configurations to all system components
Protect Cardholder Data
  • Protect stored account data
  • Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems and networks from malicious software
  • Develop and maintain secure systems and software
Implement Strong Access Control Measures
  • Restrict access to system components and cardholder data on a need-to-know basis
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Log and monitor all access to system components and cardholder data
  • Test the security of systems and networks regularly
Maintain an Information Security Policy
  • Support information security with organizational policies and programs

Did you know that Hyperproof’s compliance operations platform is designed to help you meet PCI DSS 4.0.1 requirements in the most efficient way possible?

Demo Now

What are common control failures?

The most common failures occur when the PCI DSS controls are exploited because they aren’t put in place or they have been poorly implemented. Threat actors take advantage of an organization’s improper storage of sensitive authentication data (SAD) when it should not be stored after authorization, inadequately coded web applications, or a lack of logging and monitoring controls. In addition, poor scoping decisions can commonly result in a breach in cardholder data through a weakness in the network not adhering to the standard.

How does PCI DSS fit into your overall compliance program?

While PCI DSS is more specific to cardholder data protection, the controls needed to safeguard the program are similar to those used by other infosecurity standards and certifications. For example, access control and employee training are common controls that overlap across frameworks. This means that if you already adhere to another information security framework (e.g., ISO 27001, NIST CSF, SOC 2 Type 2), you may already have done a lot of the work needed for PCI DSS compliance.

GuIDE
The Compliance Operations Methodology

Manage IT risks in a disciplined, proactive manner and efficiently prove to customers that you can keep sensitive data safe.

Read More

If you’ve already implemented an information security framework in the Hyperproof platform and you’re looking to meet PCI requirements, the Hyperproof platform will recommend which existing controls you can leverage to fulfill PCI requirements, making it significantly easier and faster to complete the standard. Conversely, the controls you implemented for PCI DSS can be reused to meet the requirements of other information security standards and frameworks.

Note that PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.

What is the process to become PCI DSS compliant?

There are three main stages to becoming compliant with the standard.

1. Assess

Identify cardholder data and record all information technology assets and business processes for processing the card payments. Analyze the assets and processes for vulnerabilities.

2. Remediate

Fix any vulnerabilities you found in step one and permanently eliminate cardholder data, unless keeping it is absolutely essential.

3. Report

Validation of PCI DSS compliance is determined by payment card network requirements, which may involve Self-Assessment Questionnaires or assessments by third-party Qualified Security Assessors, depending on factors such as annual transaction volumes.

Get in-depth information on the steps to PCI DSS Compliance with our guide

Which PCI DSS compliance validation level is right for me?

There are multiple compliance validation levels for PCI DSS, and the compliance validation level you must adhere to is determined by the individual payment brands you work with. Payment brands and acquirers determine specific compliance validation requirements, which may include self-assessments and network scans by approved scanning vendors.

General Tips and Strategies for Implementing PCI DSS

Below are some general tips for starting your PCI DSS compliance effort. These tips are designed to help you limit risks, limit the scope of your compliance effort, and keep costs contained.

Limit the cardholder data you store

The best step you can take to protect cardholder data is to not store any cardholder data you do not need, and to isolate the data you do need to well-defined and controlled central locations.

Never store sensitive authentication data after authorization

Sensitive authentication data includes the full track contents of the magnetic stripe or equivalent data on a chip, card verification codes and values, PINs, and PIN blocks. This data should NEVER be stored after authorization.

Ask your POS vendor about the security of your system

If your business uses POS in retail locations, you need to ensure that your POS vendor has sufficient security measures. For instance, ask them whether default settings and passwords have been changed on systems and databases that are part of your POS system. Ask them whether your POS software is storing sensitive authentication data, such as track data or PIN blocks (this is prohibited), and if “yes”, how quickly they can delete this data.

Isolate cardholder data and consolidate it

You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For instance, by making sure that the cardholder data is stored on its own network segment, rather than the same network segment your employees use to receive emails and browse the internet, you can put PCI DSS controls on a portion of your network instead of the entire network.

Compensating controls

If your organization cannot meet a specific PCI DSS requirement due to legitimate and documented technical or business constraints, compensating controls may be considered as alternative security measures. These controls must meet six specific criteria, including meeting the intent and rigor of the original requirement, providing a similar level of defense, and being above and beyond other PCI DSS requirements. They must be documented using the Compensating Controls Worksheet and validated by assessors annually.

Maintain PCI DSS controls over time

It’s not enough to set up the security controls just to pass a one-time assessment. To effectively secure these systems and payment data, your organization should continuously monitor and enforce the use of controls specified in the PCI Data Security Standard (more on this below).

A few additional tips for tackling common security concerns from the PCI Security Standards Council

  • Buy and use only approved PIN entry devices at your points-of-sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Teach your employees about security and protecting cardholder data.

PCI DSS: Frequently Asked Questions

PCI DSS compliance is categorized into four levels, determined by the number of card transactions a business processes annually and the potential risk they pose.

  1. Level 1: Merchants processing over 6 million card transactions annually, or any merchant that has experienced a data breach or is considered high risk. Level 1 merchants must complete an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), complete an Attestation of Compliance (AoC), and conduct a quarterly network scan by an Approved Scanning Vendor (ASV).
  2. Level 2: Merchants processing between 1 million and 6 million card transactions per year. They must complete an annual Self-Assessment Questionnaire (SAQ), an AoC, and conduct a quarterly network scan by an ASV.
  3. Level 3: Merchants processing more than 20,000 but less than 1 million transactions annually. They are required to complete an annual SAQ, an AoC and conduct quarterly network scans by an ASV.
  4. Level 4: Merchants processing fewer than 20,000 card e-commerce transactions annually or up to 1 million card transactions annually. Level 4 merchants must complete an annual SAQ and must complete an SAQ and undergo penetration testing and ASV scanning.

Yes, PCI DSS (Payment Card Industry Data Security Standard) is a cybersecurity framework specifically designed to protect cardholder data. It provides a comprehensive set of security standards and guidelines to help businesses that handle credit cards ensure the security of card information and prevent data breaches and fraud.

The six principles of PCI DSS, often referred to as the “control objectives,” are as follows:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

PCI DSS applies to any organization that accepts, processes, stores, or transmits credit card information. This includes merchants of all sizes, financial institutions, payment processors, and service providers. Essentially, any entity involved in payment card transactions must adhere to PCI DSS requirements to ensure the security of cardholder data.

PCI DSS has 12 main requirements under 6 principles:

Build and maintain a secure network and systems
  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
Protect account data
  1. Protect stored account data
  2. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
  1. Protect all systems and networks from malicious software 
  2. Develop and maintain secure systems and software
Implement strong access control measures 
  1. Restrict access to system components and cardholder data by business need-to-know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data
Regularly monitor and test networks
  1. Log and monitor all access to system components and cardholder data
  2. Test the security of systems and networks regularly
Maintain an information security policy
  1. Support information security with organizational policies and programs

Read more about PCI DSS requirements

The time it takes to become PCI DSS compliant varies based on the size and complexity of the organization, the level of existing security measures, and the specific requirements of PCI DSS that need to be met. For smaller businesses, the process may take a few weeks to a few months. Larger organizations with more complex systems may require several months or even a year to fully comply with PCI DSS standards, depending on their initial security posture and the extent of changes needed to meet compliance requirements..

Non-compliance with PCI DSS can have severe consequences, including:

  • Fines and penalties: Payment card brands may impose fines ranging from $5,000 to $100,000 per month for non-compliance.
  • Increased transaction fees: Non-compliant businesses may face higher transaction fees or may lose their ability to process credit card transactions altogether.
  • Liability for data breaches: Non-compliant organizations may be held financially responsible for breaches, including costs related to fraud losses, reissuing cards, and forensic investigations
  • Reputation damage: Data breaches can significantly damage a company’s reputation, leading to loss of customer trust and potential business.

PCI DSS compliance must be validated annually. The validation process depends on the level of compliance required:

  • Level 1: Annual on-site assessment by a QSA and quarterly network scans by an ASV.
  • Levels 2, 3, and 4: Annual SAQ and quarterly network scans by an ASV. Some Level 2 merchants may opt for an on-site assessment instead of an SAQ.

A Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to assess their PCI DSS compliance. The SAQ includes a series of yes-or-no questions based on the PCI DSS requirements. There are different SAQ types tailored to various business environments, such as SAQ A for card-not-present merchants (e-commerce or mail/telephone-order) who completely outsource all account data functions and SAQ D for service providers.

To prepare for a PCI DSS audit, follow these six steps:

  1. Understand PCI DSS requirements: Familiarize yourself with all 12 PCI DSS requirements and their sub-requirements.
  2. Conduct a gap analysis: Identify areas where your organization does not meet PCI DSS standards and create a remediation plan.
  3. Implement security measures: Ensure all necessary security controls are in place, including firewalls, encryption, access controls, and regular monitoring.
  4. Document policies and procedures: Maintain comprehensive documentation of your security policies, procedures, and practices.
  5. Train employees: Educate employees on PCI DSS requirements and best practices for handling cardholder data.
  6. Engage a Qualified Security Assessor (QSA): For Level 1 compliance, hire a QSA to conduct an on-site assessment and provide guidance throughout the process. For other levels, follow the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and validation requirements.

Learn more about preparing for a PCI audit

PCI DSS maps to the following frameworks:

Hyperproof for PCI DSS Compliance

Hyperproof’s compliance operations software solution helps organizations understand the requirements of PCI Data Security Standard, create tailored controls for their business, streamline and automate the evidence management process and monitor their security controls to ensure ongoing effectiveness. Plus, our PCI DSS framework template will get you up and running quickly.

PCI DSS

A pre-built template to help you implement controls quickly and correctly

Automated and efficient evidence collection tools to document your efforts toward PCI DSS compliance

Frictionless collaboration between compliance teams and their auditor

The ability to reuse evidence across multiple frameworks and controls

Control assignments to program participants so you can keep team members on track

Dashboards to gauge progress, monitor controls, and view audit preparedness posture

Hyperproof also partners with professional service firms with proven track records and deep expertise in helping organizations get PCI DSS assessment-ready. Our partners help customers design their information security compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader