Glossary · Frameworks & standards

What is PCI DSS?

Also known as: Payment Card Industry Data Security Standard, PCI, PCI DSS v4.0

PCI DSS is the Payment Card Industry Data Security Standard, a set of security requirements that any organization storing, processing, or transmitting payment card data must meet. Maintained by the PCI Security Standards Council, its current major version is v4.0. Validation ranges from a self-assessment questionnaire to a full on-site audit by a Qualified Security Assessor.

Key takeaways

  • PCI DSS applies to anyone handling cardholder data, mandated by the card brands.
  • The current major version is v4.0, which adds flexibility through a customized approach.
  • Validation depth depends on merchant or service-provider level and transaction volume.
  • Built around 12 core requirements grouped into control objectives.
  • Scope reduction - through segmentation or tokenization - is the key to manageable compliance.

What does PCI DSS require?

PCI DSS is organized around twelve requirements covering areas such as firewalls and network segmentation, protecting stored cardholder data, encryption in transit, vulnerability management, strong access control, monitoring and testing of networks, and maintaining a security policy.

Several requirements demand active offensive validation, including regular vulnerability scanning and penetration testing of in-scope systems.

What changed in PCI DSS v4.0?

Version 4.0 modernized the standard while preserving the twelve core requirements. It introduced a customized approach that lets mature organizations meet the intent of a requirement using alternative controls validated by an assessor, alongside the traditional defined approach.

It also strengthened authentication expectations, expanded the use of multi-factor authentication, increased the rigor around scripts on payment pages, and emphasized that security should be treated as a continuous process rather than a point-in-time event.

How is compliance validated?

Validation depends on the organization's level, which is driven by transaction volume and role as a merchant or service provider. Smaller merchants may complete a Self-Assessment Questionnaire (SAQ), while larger entities undergo an annual assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance, plus quarterly scans by an Approved Scanning Vendor.

The single biggest lever is scope. Network segmentation and tokenization keep cardholder data out of as many systems as possible. CATAAM supports this by pairing PCI controls with attack surface management and breach and attack simulation to continuously confirm that in-scope boundaries hold and required testing is current.

Frequently asked questions

What is the current version of PCI DSS?
The current major version is PCI DSS v4.0, which replaced v3.2.1 and introduced the customized approach alongside the traditional defined approach.
Who has to comply with PCI DSS?
Any organization that stores, processes, or transmits payment card data must comply. The validation effort scales with your merchant or service-provider level and transaction volume.
Does PCI DSS require penetration testing?
Yes. PCI DSS requires regular external and internal penetration testing of in-scope systems, as well as quarterly vulnerability scans, with additional testing after significant changes.
What is the difference between a SAQ and a Report on Compliance?
A Self-Assessment Questionnaire is a self-attestation available to lower-volume entities, while a Report on Compliance is produced by a Qualified Security Assessor during a formal on-site assessment for higher levels.

Authoritative sources

← Back to the glossary