The Payment Card Industry Data Security Standard (PCI-DSS) is a global information security standard developed by the PCI Security Standards Council (PCI SSC), founded by Visa, Mastercard, American Express, Discover, and JCB. The current version, PCI-DSS v4.0.1, was published in June 2024 and becomes mandatory from 31 March 2025.
PCI-DSS applies to every entity that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD), including:
- Merchants — Any business that accepts payment cards (in-store, online, mail/telephone order)
- Service providers — Entities that process, store, or transmit cardholder data on behalf of another entity (payment gateways, hosting providers, managed security services)
- Processors / Acquirers — Financial institutions that process payment card transactions
- Issuers — Banks and financial institutions that issue payment cards to consumers
The 12 Requirements & 6 Goals
PCI-DSS organises its requirements into six overarching goals:
| Goal | Requirement | Description |
|---|---|---|
| Build & Maintain a Secure Network | 1 | Install and maintain network security controls |
| Build & Maintain a Secure Network | 2 | Apply secure configurations to all system components |
| Protect Account Data | 3 | Protect stored account data |
| Protect Account Data | 4 | Protect cardholder data with strong cryptography during transmission |
| Maintain a Vulnerability Management Program | 5 | Protect all systems and networks from malicious software |
| Maintain a Vulnerability Management Program | 6 | Develop and maintain secure systems and software |
| Implement Strong Access Control Measures | 7 | Restrict access to system components and cardholder data by business need to know |
| Implement Strong Access Control Measures | 8 | Identify users and authenticate access to system components |
| Regularly Monitor & Test Networks | 9 | Restrict physical access to cardholder data |
| Regularly Monitor & Test Networks | 10 | Log and monitor all access to system components and cardholder data |
| Maintain an Information Security Policy | 11 | Test security of systems and networks regularly |
| Maintain an Information Security Policy | 12 | Support information security with organisational policies and programs |
Compliance Levels & Validation Methods
How you validate compliance depends on your transaction volume and risk profile:
| Method | Description |
|---|---|
| SAQ A | Card-not-present merchants that fully outsource cardholder data to PCI-compliant third parties |
| SAQ A-EP | E-commerce merchants that partially outsource payment processing but whose website impacts transaction security |
| SAQ B | Merchants using only imprint machines or standalone dial-out terminals (no electronic CHD storage) |
| SAQ C | Merchants with payment application systems connected to the internet but no electronic CHD storage |
| SAQ D | All other merchants and all service providers — the full self-assessment covering all 12 requirements |
| ROC | Report on Compliance — on-site assessment by a Qualified Security Assessor (QSA) for Level 1 merchants and service providers |
| AOC | Attestation of Compliance — formal declaration signed by the entity and/or QSA confirming compliance status |
Key Concepts
| Term | Definition |
|---|---|
| CDE | Cardholder Data Environment — the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, including any connected system components |
| PAN | Primary Account Number — the unique payment card number (up to 19 digits) that identifies the card issuer and cardholder account. The PAN is the defining factor for PCI-DSS applicability |
| SAD | Sensitive Authentication Data — full track data, card verification codes (CVV2/CVC2), and PINs/PIN blocks. SAD must never be stored after authorisation |
| Tokenisation | Replacing the PAN with a surrogate value (token) that cannot be used to initiate a payment transaction. Tokenisation can reduce CDE scope |
| P2PE | Point-to-Point Encryption — encrypting cardholder data from the point of interaction (e.g., payment terminal) to the secure decryption environment. PCI-validated P2PE solutions can significantly reduce scope |
| ASV | Approved Scanning Vendor — a company approved by PCI SSC to conduct external vulnerability scans of internet-facing environments |
| QSA | Qualified Security Assessor — an individual certified by PCI SSC to perform on-site PCI-DSS assessments and produce a Report on Compliance |
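The PAN, SAD and tokenisation concepts above translate directly into a data-handling control: before a transaction record is written to a log or database, PANs are replaced by a surrogate, SAD fields are dropped outright, and only a truncated form is kept for display. The following is an added example written for this page, not Venvera's or PCI SSC's own code; the key=value record format, the keyed-hash token scheme and the sample values are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample record (not real card data); the PAN is a well-known
# test number that passes the Luhn check, and cvv2 is a SAD field.
SAMPLE_RECORD = 'user=alice pan=4111111111111111 cvv2=123 exp=12/27 amount=42.00'

# PCI-DSS defines the PAN as up to 19 digits; 13 is the practical minimum.
PAN_RE = re.compile(r'\d{13,19}')
# Field names treated as sensitive authentication data (assumed naming).
SAD_FIELDS = ('cvv', 'cvv2', 'cvc2', 'pin', 'pin_block', 'track1', 'track2')


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a PAN apart from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated form for display: at most first six and last four digits."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def tokenise(pan: str, key: bytes) -> str:
    """Surrogate value for storage (assumed scheme): a keyed hash, so the
    token cannot be reversed to the PAN or used to initiate a payment."""
    return 'tok_' + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]


def scrub_record(record: str, key: bytes):
    """Parse key=value pairs; tokenise PANs, drop SAD, keep a masked PAN."""
    fields = dict(kv.split('=', 1) for kv in record.split())
    out, dropped = {}, []
    for name, value in fields.items():
        if name.lower() in SAD_FIELDS:
            dropped.append(name)      # SAD must never be stored after authorisation
            continue
        if PAN_RE.fullmatch(value) and luhn_valid(value):
            out[name] = tokenise(value, key)
            out[name + '_display'] = mask_pan(value)
        else:
            out[name] = value
    return out, dropped
```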
Penalties for Non-Compliance
PCI-DSS compliance is enforced by payment card brands through acquiring banks. Non-compliance can result in:
- Monthly fines — $5,000 to $100,000 per month from card brands until compliance is achieved
- Increased transaction fees — Higher processing rates imposed by acquirers
- Liability for fraud losses — The non-compliant entity may be held liable for fraudulent transactions
- Card brand restrictions — Suspension or termination of the ability to accept payment cards
- Breach costs — Forensic investigation, card reissuance, notification, and regulatory penalties (average breach cost for payment card data exceeds $4 million)
How Venvera Helps
Venvera provides a centralised platform to manage all aspects of PCI-DSS compliance:
- Comprehensive dashboard showing compliance posture across all 12 requirements
- CDE inventory with encryption status, tokenisation tracking, and scope classification
- Network segmentation mapping with data flow documentation
- Safeguards management mapped to specific PCI-DSS requirements
- Vulnerability assessment tracking for ASV scans, penetration tests, and application scans
- Incident management with card brand notification tracking and PFI (PCI Forensic Investigator) engagement
- Document management for SAQs, AOCs, ROCs, policies, and evidence
- Structured gap assessment with maturity scoring aligned to PCI-DSS v4.0.1
- Cross-framework mapping to ISO 27001, NIST CSF, SOC 2, and other enabled frameworks