What is PCI DSS?

What is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that all organizations that accept, process, store, or transmit credit card information maintain a secure environment. It is managed by the PCI Security Standards Council (PCI SSC).

The 12 requirements

PCI DSS organizes controls into 12 high-level requirements:

1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs

Compliance levels

PCI DSS defines four merchant levels based on annual transaction volume:

PCI DSS 4.0

Version 4.0, released in March 2022, introduced significant changes:

• Customized approach — organizations can meet objectives with alternative controls if they can demonstrate equivalent security
• Targeted risk analysis — more flexibility in defining control frequencies based on risk
• Enhanced authentication — multi-factor authentication required for all access to the cardholder data environment
• Expanded scope — additional requirements for e-commerce, phishing protections, and automated log reviews

How episki helps with PCI DSS

episki maps controls to PCI DSS requirements, tracks evidence for QSA reviews, and connects cardholder data environment documentation to relevant controls. Learn more on our PCI DSS compliance page.