An information security standard for organizations that regulates the special protection of credit card data. The PCI DSS applies to all businesses that process, store and/or transmit credit card data.

Founded in 2004 by the credit card institutes American Express, Discover Financial Services, JCB International, Mastercard and Visa Inc. The council creates and manages PCI standards on behalf of the credit card organizations. The PCI SSC acts completely independent from its founding members.

• Evaluates compliance of individual requirements within the company
• Ensures compliance of requirements
• Knowledgeable contacts for all questions regarding PCI DSS
• Responsible for providing appropriate documents during the audit

• PCI Security Standards Council accredited company
• Qualified to perform assessments
• Handling of assessments by an accredited QSA consultant

Entitled to conduct on-site assessments for level 1 Visa- and Mastercard merchants. Filling out SAQ for level 2 Mastercard merchants. Kind of an internal compliance officer.

PCI Security Standards Council accredited companies. They are responsible for installation and maintenance of payment applications or terminals.

Company approved by the PCI SSC to conduct external vulnerability scanning services.

Security standard for payment applications.

Security standard for point-to-point encryption. The Point-to-Point Encryption Standard defines both security requirements and testing procedures for Point-to-Point Encryption (P2PE) solutions and in most cases hardened POS terminals.

PCI Point-to-Point Encryption (P2PE) Assessor who can perform validation of Point-to-Point Encryption solutions and applications against the latest standard in order for those solutions and applications to be listed on the PCI Council website.

PIN Transaction Security standard. Security standard for POS terminals.

Security standard for credit card transactions using 3-D Secure authentication of end users when shopping through e-commerce channels.

PCI DSS Standard in the version 3.2.1.

Valid until 31 March 2024.

PCI DSS Standard in the version 4.0.

Valid since 22 March 2022.

Reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

• Different types of questionnaires for merchants
• Service providers must always complete SAQ D

Credit card data consists of:

• Primary account number
• Cardholder name
• Expiration date

• Card Validation Codes/values (CVV, CVC, CSC, CCV)
• PIN/PUK validation code
• Full chip/magnetic stripe data

Companies that accept credit card payments as a means of payment for goods or services.

Companies that accept credit card payments as a means of payment for goods or services.

Merchant Banks, often enabling merchants to accept credit card data from multiple brands.

Card-issuing Bank. Issues a credit card to customers (cardholder).

Payments over the internet.

Payment on site (Face-2-Face).

Acceptance of credit card data for payment via telephone, fax, letter, etc.

Categorization of merchants and service providers in different levels.

Categorization depends on number of processed transactions and accepted credit cards.

• Quarterly, automated execution
• (Internal + external scans)
• For external scans (see ASV scans)
• Identification of security risks in systems, services and devices accessible from the internal network and the internet

• Annual extensive manual security assessment
• Testing of internet-accessible systems, internal systems as well as external and internal applications

A company is compliant according to PCI DSS if it fulfils all relevant requirements. A company can exclude non-applicable requirements, for example if no WLAN is used for the transfer of cardholder data.

In case of a data compromise, a company might be exempted from fines under the following circumstances:

• Valid PCI DSS certification at the time of the compromise
• Proven compliance with the requirements of the PCI DSS

The PCI DSS Scope consists of the cardholder data environment (CDE):

• Locations
• Persons
• Applications
• IT-Systems

The CDE includes all of the above including personnel which receive, store and/or process credit card data.

Network segmentation isolates system components that store, process, or transmit cardholder data from systems that do not.

Reduces the PCI DSS Scope but is not a requirement of PCI DSS.

E-Commerce: Payment over the internet

• SAQ A (iFrame, URL Redirect)
• SAQ A-EP (Direct POST)
• SAQ D-Mer (API-Process)

MOTO: Mail order/telephone order

Acceptance of credit card data for payment via telephone, fax, letter, etc.

• SAQ A
• SAQ C
• SAQ C-VT
• SAQ D-Mer

POS: Payment on site (Face-2-Face)

• SAQ B (imprint/phone line)
• SAQ B-IP (IP connection & PTS certification)
• SAQ C (payment application with internet connection)

POS: Payment on site (Face-2-Face)

• SAQ B (imprint/phone line)
• SAQ B-IP (IP connection & PTS certification)
• SAQ C (payment application with internet connection)
• SAQ P2PE (P2PE devices)
• SAQ D-Mer

PCI-listed Point-to-Point Encryption (P2PE) Solution. By using a P2PE Solution the network infrastructure of the user is not a part of the PCI DSS scope anymore.

Also referred to as (POS-Terminal). Device used for accepting payments of customers.

Captures and calculates outstanding total and prints out check-out receipts. Does not perform card payments.

Is a combination of payment terminal and electronic check-out. It fulfils the following tasks:

• Handling of payments
• Captures and calculates outstanding total
• Prints out check-out receipts

A virtual payment terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card.

• Formal confirmation of compliance in addition to the audit report
• Relief of the auditor

• Summarized results of audit by QSA
• Approval by acquirer and / or credit card organization
• Quality assurance by PCI SSC

• Evidence of successfully passed external scans performed by an accredited ASV (quarterly)

• Evidence of successfully passed internal scans of relevant systems (quarterly)
• Evidence of successfully passed internal scans of wireless LANs (quarterly)

Compensating measures with at least the same security level of requirements that cannot be fulfilled.

The PCI DSS is based on six primary goals. These goals are:

1. Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

There are 12 PCI DSS Requirements which are designed to meet these PCI DSS goals:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

Masking refers to the concealment of certain digits of a PAN during display or printing, even when the entire PAN is stored on a system. This is different from truncation! Masked PAN can be “unmasked”.

In the case of truncation, truncated digits are removed and cannot be retrieved within the system. There is no “un-truncation” without recreating the PAN from another source.