The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Table 1 shows the 12 principal PCI DSS requirements.
The PCI Data Security Standard comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks and to incorporate local, regional, and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name).
Limitations
If any of the requirements contained in this standard conflict with country, state, or local laws, the country, state, or local law will apply.
PCI DSS Resources
The PCI Security Standards Council (PCI SSC) website (www.pcisecuritystandards.org) provides the following additional resources to assist organizations with their PCI DSS assessments and validations:
Document Library, including:
– PCI DSS Summary of Changes
– PCI DSS Quick Reference Guide
– Information Supplements and Guidelines
– Prioritized Approach for PCI Data Security Standard
– Report on Compliance (ROC) Reporting Template and Reporting Instructions
– Self-Assessment Questionnaires (SAQs) and SAQ Instructions and Guidelines
– Attestations of Compliance (AOCs)
Frequently Asked Questions (FAQs)
PCI for Small Merchants website
PCI training courses and informational webinars
List of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs)
Lists of PCI approved devices, applications, and solutions
There are over 60 guidance documents and information supplements available on the PCI SSC website that provide specific guidance and considerations for PCI DSS. Examples include:
Guidance for PCI DSS Scoping and Network Segmentation
PCI SSC Cloud Computing Guidelines
Multi-Factor Authentication Guidance
Third-Party Security Assurance
Effective Daily Log Monitoring
Penetration Testing Guidance
Best Practices for Implementing a Security Awareness Program
Best Practices for Maintaining PCI DSS Compliance
PCI DSS for Large Organizations
Use of SSL/Early TLS and Impact on ASV Scans
Use of SSL/Early TLS for POS POI Terminal Connections
Tokenization Product Security Guidelines
Protecting Telephone-Based Payment Card Data
Refer to the Document Library at www.pcisecuritystandards.org for information about these and other resources.
In addition, refer to Appendix G for definitions of PCI DSS terms.