What is PCI DSS (Payment Card Industry Data Security Standard)?

PCI DSS is a set of security standards established by major credit card companies to protect cardholder data, requiring organizations that handle payment card information to meet twelve security requirements.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed and maintained by the PCI Security Standards Council, founded by major payment card brands including Visa, Mastercard, American Express, Discover, and JCB. PCI DSS applies to all organizations that store, process, or transmit cardholder data, regardless of size or transaction volume. The current version, PCI DSS v4.0, introduced significant updates to address emerging threats and technologies.

PCI DSS is organized around twelve requirements grouped into six goals: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Compliance validation varies based on transaction volume, with larger merchants requiring external assessments by Qualified Security Assessors (QSAs) and smaller merchants eligible for self-assessment questionnaires.

While not a government regulation, PCI DSS compliance is contractually required by payment card brands and enforced through the merchant's acquiring bank. Non-compliance can result in fines, increased transaction fees, or loss of the ability to process payment cards. Organizations handling cardholder data can use DiscoverIQ to locate cardholder data across their environments and ProtectIQ to implement security controls that meet PCI DSS requirements.
