The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements to protect cardholder data—cardholders’ primary account numbers (PANs), names, expiration dates, service codes—and other sensitive cardholder information throughout its lifecycle.
The PCI DSS applies to any merchant, service provider or other organization that stores, processes or transmits cardholder data, and to any organization connected to systems that store, process or transmit cardholder data. (These systems are referred to as the cardholder data environment, or CDE.) The PCI DSS outlines detailed security controls, processes and testing that organizations should implement to protect cardholder data. These security measures cover a wide range of functional areas across the cardholder data environment including ecommerce transactions, point-of-sale systems, wireless hotspots, mobile devices, cloud computing and paper-based storage systems.
PCI DSS compliance requires annual reporting by merchants and service providers, and additional reporting following significant changes to the CDE. Validating compliance also involves continuous assessment of an organization’s security posture, and continuous remediation to address any gaps in security policy, technology or procedures.
Organizations and service providers may be assessed by a Qualified Security Assessor (QSA) who issues an Attestation of Compliance (AOC) upon completion of a successful assessment.
The first version of the PCI DSS was released in 2004 by payment card brands American Express, Discover, JCB International, MasterCard, and Visa, who collectively formed the Payment Card Industry Security Standards Council (PCI SSC) to manage the technical requirements of the standard. In 2020, the PCI SSC added the UnionPay bankcard association. The PCI DSS is periodically updated to address the latest cybersecurity threats to payment card data such as identity theft, fraud and data breaches.
IBM is a Level 1 Service Provider for PCI DSS, and clients can build PCI-DSS-compliant environments and applications using IBM Cloud.
Many IBM Cloud platform services have a PCI DSS Attestation of Compliance (AOC) issued by a Qualified Security Assessor (QSA).
The most recent version of the PCI DSS (v4.0) was released in March 2022. It lists these 12 requirements for protecting cardholder data. Organizations must implement these requirements by 31 March 2025 to achieve compliance.
1. Install and maintain network security controls (NSCs). NSCs may include firewalls, virtual devices, container systems, cloud security systems and other technologies that control access to systems and data.
2. Apply secure configurations to all system components. Default passwords and other default system settings supplied by vendors should not be used, because they are widely known and easily exploited.
3. Protect stored account data. Unless it is required for business needs, organizations should not store cardholder data. If it is stored, it must be rendered unreadable through encryption, masking, truncation or other means.
4. Protect cardholder data in transit. To prevent attackers from intercepting sensitive information such as card numbers and personally identifiable information (PII), data should be encrypted before and during transmission over open, public networks.
5. Protect systems and networks from malicious software. Maintain anti-virus software and other defenses against malware such as spyware, keyloggers, ransomware and malicious scripts.
6. Develop and maintain secure systems and software. By applying the latest security patches and following secure practices when developing applications, organizations can minimize the risk of data breaches.
7. Restrict access by business need to know. Strong access control measures should ensure that authorized users see only the cardholder information required to perform their jobs.
8. Identify and authenticate users. A unique ID with traceable authentication data should be assigned to every person with computer access to sensitive systems and data.
9. Restrict physical access. To prevent unauthorized persons from removing hardware or hard copies containing cardholder data, physical access to systems should be restricted.
10. Log and monitor access. Automated logging and monitoring of sensitive systems and data helps detect suspicious activity and supports forensic analysis following a breach.
11. Test security regularly. Because cybercriminals continually seek new vulnerabilities in changing IT environments, penetration testing and vulnerability scans should be performed regularly.
12. Maintain an information security policy. Organizations should create a comprehensive information security policy that outlines procedures for identifying and managing risks, ongoing security awareness education, and compliance with the PCI DSS.
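Requirements 3 and 10 above meet in practice where application logs are written: a PAN that leaks into a log file becomes stored cardholder data that must be protected, and in v4.0 a displayed PAN may show at most the BIN and last four digits. The following script is an added example written for this article, not code from the page or from IBM or the PCI SSC. It finds 13- to 19-digit runs in log lines with a regular expression, uses the Luhn (mod 10) check to screen out most non-card numbers such as session IDs, and replaces each hit with a masked form that keeps only the last four digits. The log lines and card numbers are constructed test values (the well-known 4111111111111111 and 5500000000000004 test numbers), not real cardholder data.

```python
"""Added example (not from the page, IBM or the PCI SSC): redact primary
account numbers (PANs) from log lines before they are stored, and mask a PAN
for display. Sample data below is constructed, not real cardholder data."""
import re
from typing import Iterable

# Constructed sample log lines. 4111111111111111 and 5500000000000004 are
# public test numbers that pass the Luhn check; 1234567890123456 does not.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:00Z INFO checkout ok order=1001 pan=4111111111111111 exp=12/26",
    "2024-05-01T10:00:01Z DEBUG gateway response card=5500 0000 0000 0004 code=00",
    "2024-05-01T10:00:02Z INFO session id=1234567890123456 user=alice",
    "2024-05-01T10:00:03Z WARN retry order=1002 no card data here",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits. PCI DSS v4.0 allows at most the
    BIN and last four to be displayed, so showing only the last four is
    within the limit."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form.
    Returns the redacted line and the number of PANs found."""
    found = 0

    def _replace(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # e.g. a session id: leave it alone
        found += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_replace, line), found


def scrub_log(lines: Iterable[str]) -> tuple[list[str], int]:
    """Scrub a sequence of log lines; return the clean lines and total hits."""
    clean, total = [], 0
    for line in lines:
        redacted, n = redact_pans(line)
        clean.append(redacted)
        total += n
    return clean, total


if __name__ == "__main__":
    scrubbed, hits = scrub_log(SAMPLE_LOG_LINES)
    print(f"{hits} PAN(s) redacted")
    for out in scrubbed:
        print(out)
```

Run the script as-is to see the two constructed card numbers masked while the Luhn-failing session ID passes through untouched. A scrubber like this belongs in the logging pipeline (a log handler or a collector filter), not in application code paths, so that a developer's stray debug statement cannot put a PAN into storage; the Luhn screen reduces false positives but does not eliminate them, so treat any hit as a finding to investigate rather than as proof of a leak.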
Organizations governed by the PCI DSS must document compliance every year. Larger organizations are required to submit a detailed Report on Compliance (ROC) and Attestation of Compliance (AOC). Both the ROC and AOC documents must be completed and signed by a Qualified Security Assessor (QSA) who has been certified by the PCI Security Standards Council. Small and mid-sized organizations can complete a Self-Assessment Questionnaire (SAQ) to validate compliance.
If an organization conducts transmission of cardholder data over the internet, it may also be required to implement vulnerability management to maintain a secure network. To achieve compliance, an Approved Scanning Vendor (ASV) that has been certified by the PCI SSC must perform a quarterly vulnerability scan to test network security.
The reporting requirements for the PCI DSS differ according to the number of transactions processed annually by an organization. There are four compliance levels.
Level 1: More than 6 million payment card transactions annually. Must submit a Report on Compliance completed by a Qualified Security Assessor. Must have an Approved Scanning Vendor perform a quarterly network vulnerability scan.
Level 2: One million to 6 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.
Level 3: 20,000 to 1 million payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.
Level 4: Fewer than 20,000 payment card transactions annually. Must complete a Self-Assessment Questionnaire and may have to perform quarterly network vulnerability scans.
Although merchants and payment service providers are required to follow the PCI DSS, their compliance is not enforced by law, governments or even the PCI Security Standards Council. Instead, compliance is managed by credit card companies, such as Visa or MasterCard, and acquirers, which are banks or financial institutions that process card payments.
Once a year, organizations that process or store cardholder data must validate their adherence to the PCI DSS. If an organization outsources its payment processing, it still must affirm that credit card transactions are protected under the requirements of the PCI DSS standard.
Fines for PCI DSS non-compliance are set by the payment card brands, and negotiated between the brands, the merchant or service provider, and impacted banks or other financial institutions. The payment card brands do not publish fine or fee schedules, and typically do not make penalty information available to the public.
As a rule of thumb, fines for non-compliance can range from 5,000 to 10,000 USD during the first three months of non-compliance, to 50,000 to 100,000 USD per month after six months of non-compliance. In the event of a data breach, non-compliant merchants or service providers may be fined an additional 50 to 90 USD per customer up to a maximum of 500,000 USD.
Payment card brands can assess much higher fines at their discretion, and the final negotiated penalty for an organization’s PCI DSS non-compliance—particularly non-compliance that leads to a data breach—can surge to millions or hundreds of millions of dollars to cover the cost of investigations, government claims, class-action lawsuits and more.
In addition to incurring fines, non-compliant organizations may be prohibited from processing payment card transactions.
The consequences of a data breach involving cardholder data are severe. In addition to fines, legal penalties and reputational damage, organizations may suffer the loss of both current and potential customers. The requirements of PCI DSS help defend against the theft of sensitive data.
Because fraud and identity theft are frequently in the headlines, consumers may be reluctant to provide retailers with sensitive credit card information. PCI DSS compliance helps customers trust that their data is protected, allowing them to be more confident when making purchases.
Although PCI DSS is not a legal mandate, the security controls it puts in place can help organizations achieve compliance with government regulations. Portions of the PCI DSS are complementary to data protection laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act (SOX) and the General Data Protection Regulation (GDPR).