Plain-English reference material for businesses navigating PCI DSS compliance. No CISSP required to understand it.
PCI DSS assigns merchants to one of four levels based on annual card transaction volume. Your level determines what validation is required each year.
Your payment brand and acquirer determine your exact requirements.
Compliance isn't a one-time project. These are the recurring obligations most merchants need to maintain year over year.
PCI DSS v4.0 became the sole active version as of March 31, 2024. Key additions from v3.2.1 include:
PCI DSS is organized into 6 goals containing 12 requirements. Here's what each covers in plain English.
| Req. | Title | What It Covers |
|---|---|---|
| 1 | Install and maintain network security controls | Firewalls, network segmentation, and traffic control between cardholder and untrusted networks |
| 2 | Apply secure configurations to all system components | No vendor defaults, system hardening, configuration management |
| 3 | Protect stored account data | Minimizing data storage, masking PANs, encryption or hashing of stored card data |
| 4 | Protect cardholder data with strong cryptography during transmission | TLS configuration, preventing transmission over open/public networks without encryption |
| 5 | Protect all systems and networks from malicious software | Anti-malware, regular updates, covering all commonly affected system types |
| 6 | Develop and maintain secure systems and software | Patching, secure development, web application security, payment page script control |
| 7 | Restrict access to system components and cardholder data | Need-to-know access control, least privilege, documented access approvals |
| 8 | Identify users and authenticate access to system components | Unique user IDs, strong authentication, MFA for all CDE access |
| 9 | Restrict physical access to cardholder data | Physical controls over CDE, media handling, destruction of cardholder data |
| 10 | Log and monitor all access to system components and cardholder data | Audit logging, log protection, log review processes |
| 11 | Test security of systems and networks regularly | Vulnerability scans (internal + ASV), penetration testing, intrusion detection |
| 12 | Support information security with organizational policies and programs | Written security policies, risk assessments, vendor management, security awareness training |
Approved Scanning Vendor (ASV): A company approved by the PCI SSC to perform the external vulnerability scans required under PCI DSS Requirement 11. External scans must be conducted by an ASV to be valid for compliance.
Cardholder Data Environment (CDE): The people, processes, and technology that store, process, or transmit cardholder data, plus any connected systems that could affect its security. Defining the CDE correctly is the foundation of PCI DSS compliance; everything in scope is measured against it.
Primary Account Number (PAN): The 14–19 digit number on a payment card. Protecting stored, transmitted, and displayed PANs is a core focus of PCI DSS.
Qualified Security Assessor (QSA): A company or individual certified by the PCI SSC to conduct formal PCI DSS assessments and produce official compliance documentation, including Reports on Compliance (ROC). Required for Level 1 merchants and some Level 2 merchants.
Report on Compliance (ROC): The formal documentation produced by a QSA following a Level 1 merchant audit. Required by most major payment brands for the largest merchants.
Self-Assessment Questionnaire (SAQ): The annual validation document used by most merchants and service providers who are not required to undergo a QSA audit. Multiple SAQ types exist, each applying to a specific kind of payment environment.
Attestation of Compliance (AOC): A document that accompanies the SAQ or ROC confirming that a business has met the PCI DSS requirements. Submitted to your acquiring bank along with your SAQ.
Compensating control: An alternative security measure that satisfies the intent of a PCI DSS requirement when a business cannot implement the requirement as written because of a documented technical or business constraint.
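To make the Requirement 3 controls from the table above concrete (masking PANs for display, keyed hashing of stored card data) and to show a simple check for PANs that have leaked outside the defined CDE, here is an added example. It is written for this page and is not code from Operatiqs or the PCI SSC. It assumes Python 3.9 or later, uses well-known industry test card numbers as constructed sample input (not real accounts), a placeholder HMAC key in place of one held in a key management system, and the common first-six/last-four display mask as a configurable default. The Luhn check is a syntactic filter only; it says nothing about whether a number belongs to a live account.

```python
import hashlib
import hmac
import re

# Constructed sample input: publicly documented test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "378282246310005"]

# Placeholder key for the keyed hash. In a real deployment this key lives in an
# HSM or key management system and is never embedded in source (assumption).
HASH_KEY = b"placeholder-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string has a PAN-shaped length and passes Luhn.

    This only rejects obvious non-PANs (order numbers, timestamps); it does not
    prove a number is a real card.
    """
    if not pan.isdigit() or not 14 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display: keep the leading BIN digits and the last four.

    The defaults follow the common first-six/last-four display format; tighten
    keep_first if your policy allows fewer visible digits.
    """
    if len(pan) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed hash (HMAC-SHA256).

    An unkeyed hash of a 16-digit number is cheap to brute-force, so the key,
    not the hash function, is what protects the stored value.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Digit runs of 14-19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def find_pans(text: str) -> list[str]:
    """Return PAN-like numbers found in text (logs, exports) that pass Luhn.

    This is the kind of check used to confirm cardholder data is not being
    stored outside the systems you have defined as the CDE.
    """
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(mask_pan(pan), keyed_hash_pan(pan, HASH_KEY)[:16] + "...")
    # Constructed log line: one real-looking PAN and one order number that fails Luhn.
    print(find_pans("order 42 paid with 4111 1111 1111 1111, ref 1234567890123456"))
```

The scanner deliberately runs the Luhn filter after the regex so that ordinary 16-digit identifiers are not reported as card data; anything it does report should be treated as a scoping problem until proven otherwise, because a PAN sitting in a log file pulls that system into the CDE.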
Looking for the official PCI DSS standard? All official PCI DSS documentation is published by the PCI Security Standards Council at pcisecuritystandards.org. Operatiqs resources are educational and support material — not a substitute for the official standard.