PCI DSS

Payment Card Industry Data Security Standard

A global security standard for all entities that store, process, or transmit cardholder data from major payment card brands.

Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for all organisations that store, process, or transmit payment card data. First published in 2004 through a collaborative effort by American Express, Discover, JCB, Mastercard, and Visa, PCI DSS is maintained by the PCI Security Standards Council. Version 4.0, released in March 2022 and fully effective March 31, 2024, represents the most significant update in over a decade, introducing a customised approach option and stronger authentication requirements.

Unlike statutory privacy laws, PCI DSS is enforced contractually through the card brand rules and acquiring bank agreements rather than by a government regulator. Non-compliance can result in fines from card brands, mandatory forensic investigations, increased transaction fees, and ultimately loss of the ability to accept card payments. A breach of cardholder data in a non-compliant environment typically triggers an immediate forensic investigation at the merchant's expense and potential liability for fraudulent charges.

PCI DSS v4.0 introduced a 'customised approach' alongside the traditional 'defined approach', allowing organisations to achieve security outcomes through their own controls rather than prescriptive requirements, subject to validation by a Qualified Security Assessor (QSA). v4.0 also strengthened requirements for e-commerce script security (addressing Magecart-style attacks), multi-factor authentication, and targeted risk analysis, reflecting the evolving threat landscape.

Scope & Applicability

PCI DSS applies to all entities involved in payment card processing — merchants, processors, acquirers, issuers, and service providers — that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). The cardholder data environment (CDE) is the people, processes, and technology that store, process, or transmit CHD or SAD, or that are connected to or could impact its security. Organisations that outsource all payment card processing to PCI DSS-compliant third parties and do not store, process, or transmit CHD may have a reduced scope through network segmentation.

Key Principles

  1. Build and Maintain a Secure Network: install and maintain network security controls, and apply secure configurations to all system components
  2. Protect Account Data: protect stored account data and protect cardholder data with strong cryptography during transmission
  3. Maintain a Vulnerability Management Programme: protect all systems against malware and maintain secure systems and software
  4. Implement Strong Access Control: restrict access to system components and cardholder data by business need to know
  5. Regularly Monitor and Test Networks: log and monitor all access to system components and cardholder data; test security of systems and networks regularly
  6. Maintain an Information Security Policy: support information security with organisational policies and programmes

Data Subject Rights

Cardholder Data Protection

While PCI DSS is not a privacy rights law, cardholders benefit from requirements that organisations securely store only the minimum necessary card data and protect it with encryption.

Breach Notification

Card brands require prompt notification of suspected or confirmed breaches involving cardholder data, which typically triggers notifications to affected cardholders under applicable state breach notification laws.

Secure Disposal

PCI DSS requires that cardholder data no longer needed for business or legal reasons be rendered unrecoverable through secure disposal methods.

Business Obligations

Annual Compliance Assessment

Merchants and service providers must conduct annual PCI DSS compliance assessments — a Report on Compliance (ROC) by a QSA for Level 1 entities, or a Self-Assessment Questionnaire (SAQ) for lower-volume entities.

Quarterly Vulnerability Scanning

All external-facing IP addresses and domains in the CDE must be scanned quarterly by an Approved Scanning Vendor (ASV), with all high and critical vulnerabilities remediated.

Penetration Testing

Annual penetration testing (internal and external) of the CDE must be conducted by a qualified penetration tester, with critical vulnerabilities remediated before the next test.

Cardholder Data Environment Segmentation

Network segmentation must isolate the CDE from other network segments to reduce the scope of PCI DSS and limit the potential blast radius of a compromise.

Multi-Factor Authentication

MFA is required for all non-console administrative access to the CDE and for all remote access to the CDE network from outside the organisation's network.

Service Provider Management

All service providers with access to the CDE or that affect its security must be PCI DSS compliant, and their compliance must be monitored at least annually.

Cross-Border Transfer Rules

PCI DSS does not impose geographic data transfer restrictions. However, cardholder data stored or processed in any jurisdiction must meet PCI DSS requirements, and organisations must apply consistent security controls regardless of where their CDE components are located. When using cloud service providers or processors in other countries, those third parties must be PCI DSS compliant, and the organisation remains ultimately responsible for its own PCI DSS compliance scope.

Breach Notification Requirements

Notification Timeline

Immediately upon discovery — card brands require notification within 24 hours of a suspected or confirmed breach involving cardholder data.

Notify Authority

Acquiring bank must be notified immediately; card brands (Visa, Mastercard, etc.) are notified by the acquirer. A PCI Forensic Investigator (PFI) must be engaged within 24 hours.

Notify Individuals

Affected cardholders are typically notified under applicable state breach notification laws (timelines vary by state); card brands may require issuers to reissue affected cards.

How TruePrivacy Helps

Purpose-built tools for every PCI DSS obligation.

Cardholder Data Discovery and Classification

TruePrivacy scans all repositories to identify cardholder data stored outside the intended CDE scope, enabling organisations to eliminate or secure out-of-scope card data before an assessment.

CDE Scope Management

Visual data flow mapping identifies all systems connected to the CDE, supporting network segmentation decisions and scope reduction strategies.

Third-Party PCI Compliance Tracking

Monitor the PCI DSS compliance status of all service providers with CDE access, tracking their annual AOC submissions and alerting when compliance lapses.

Incident Response and PFI Coordination

Pre-built incident response playbooks guide the immediate steps following a suspected card data breach, including PFI engagement and acquirer notification workflows.

Audit Evidence Collection

TruePrivacy automates the collection and organisation of evidence required for ROC and SAQ assessments, reducing QSA audit time and cost.
