PCI DSS

Definition

PCI DSS (Payment Card Industry Data Security Standard) is a global security standard for organisations that process, store or transmit payment card data.

The standard is managed by the PCI Security Standards Council. PCI DSS 4.0, published March 2024, contains significant changes from version 3.2.1.

How does PCI DSS work?

PCI DSS contains 12 main requirements organised in six domains: build and maintain a secure network (firewalls, no vendor default settings); protect cardholder data (encryption, storing as little as possible); maintain a vulnerability management programme (antivirus, secure systems and software); implement strong access control (need-to-know access, unique user IDs, physical security); regularly monitor and test networks (logging, quarterly scans, annual pentest); and maintain an information security policy.

Compliance levels

Organisations are classified into four levels based on annual card transaction volume. Level 1 (over 6 million transactions per year) requires an annual on-site audit by a QSA (Qualified Security Assessor). Levels 2-4 may instead complete a SAQ (Self-Assessment Questionnaire). All levels require quarterly external scans by an ASV (Approved Scanning Vendor).

Impact on organisations

Non-compliance can result in card brand fines, higher transaction costs, loss of payment processing rights and liability for data breaches.

Protection

Segment networks so that the cardholder data environment, and with it the PCI DSS scope, stays as small as possible. Encrypt cardholder data at rest and in transit. Implement strict access control. Conduct regular vulnerability scans and annual pentests. Log and monitor all access to cardholder data.
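Added example (not from this page or from DEFION): a small Python checker for the "protect cardholder data" and "log and monitor" points above. It scans constructed sample log lines for unmasked PANs, uses the Luhn checksum to discard digit runs that are not card numbers, and reports hits masked to the first six and last four digits so the report itself does not become cardholder data. The regex, the sample lines and the well-known test card numbers are assumptions of this example.

```python
"""Find unmasked primary account numbers (PANs) in application logs.

Added example, not part of the original page. PCI DSS requires that PANs are
stored only where needed and rendered unreadable or masked wherever they are
displayed, which includes log files.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens (assumption).
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual PCI DSS display mask."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log_lines(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN candidate found.

    Luhn validation removes most false positives (order ids, session ids) but
    is a checksum, not proof, so findings still need a human look.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


# Constructed sample log lines; 4111... and 5555... are public test card numbers.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO checkout ok order=1234567890123456 token=tok_8f3a",
    "2024-05-01T10:00:01Z DEBUG gateway request card=4111111111111111 exp=12/26",
    "2024-05-01T10:00:02Z DEBUG retry card=5555 5555 5555 4444 reason=timeout",
    "2024-05-01T10:00:03Z INFO session id=98765432109876543210 user=alice",
]

if __name__ == "__main__":
    for lineno, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found -> {masked}")
```

The order id on line 1 is 16 digits but fails Luhn, and the 20-digit session id on line 4 is outside the PAN length range, so only lines 2 and 3 are reported.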

How DEFION helps

DEFION conducts PCI DSS pentests and vulnerability scans as part of the compliance programme.

Related terms

Pentest, Encryption, Vulnerability Scan