PCI DSS
What it is
The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council. Mandatory for any organization that stores, processes, or transmits cardholder data.
Who uses it
Merchants, payment processors, service providers, and SaaS handling cardholder data (CHD).
Why it matters
Card brands can fine non-compliant organizations and revoke processing privileges. Scope reduction is the most valuable GRC skill here.
Structure
Grouped into six goals: build a secure network, protect cardholder data, vulnerability management, strong access control, monitor and test networks, maintain a security policy.
Cardholder Data Environment — the people, processes, and tech that touch CHD. Smaller CDE = less audit effort.
Self-Assessment Questionnaire for smaller merchants; Report on Compliance from a QSA for Level 1.
Terminology
Beginner explanation
PCI DSS is a long checklist that protects credit card numbers. The smartest thing you can do is keep card data out of your systems entirely — that shrinks your audit dramatically.
Practical examples
- A SaaS embeds Stripe Elements so PAN never touches its servers, reducing its SAQ from D to A.
- A retail merchant segments its store network so the POS terminals are on a VLAN isolated from corporate Wi-Fi.
Advanced notes
PCI DSS v4.0 introduced customized approach, expanded MFA requirements, and targeted risk analyses. v3.2.1 was retired on March 31, 2024.