Industry mandate
PCI DSS
Industry mandate

PCI DSS

All frameworks

What it is

The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council. Mandatory for any organization that stores, processes, or transmits cardholder data.

Who uses it

Merchants, payment processors, service providers, and SaaS handling cardholder data (CHD).

Why it matters

Card brands can fine non-compliant organizations and revoke processing privileges. Scope reduction is the most valuable GRC skill here.

Structure

12 Requirements

Grouped into six goals: build a secure network, protect cardholder data, vulnerability management, strong access control, monitor and test networks, maintain a security policy.

CDE

Cardholder Data Environment — the people, processes, and tech that touch CHD. Smaller CDE = less audit effort.

SAQ vs RoC

Self-Assessment Questionnaire for smaller merchants; Report on Compliance from a QSA for Level 1.

Terminology

QSA
Qualified Security Assessor — auditor authorized by the PCI SSC.
PAN
Primary Account Number — the 16-digit card number; the most regulated data element.
Tokenization
Replacing PAN with a non-sensitive token; common scope-reduction technique.
ASV scan
External vulnerability scan by an Approved Scanning Vendor, required quarterly.

Beginner explanation

PCI DSS is a long checklist that protects credit card numbers. The smartest thing you can do is keep card data out of your systems entirely — that shrinks your audit dramatically.

Practical examples

  • A SaaS embeds Stripe Elements so PAN never touches its servers, reducing its SAQ from D to A.
  • A retail merchant segments its store network so the POS terminals are on a VLAN isolated from corporate Wi-Fi.

Advanced notes

PCI DSS v4.0 introduced customized approach, expanded MFA requirements, and targeted risk analyses. v3.2.1 was retired on March 31, 2024.