Quiz Entry - updated: 2026.07.05
What is PCI DSS?
PCI DSS = Payment Card Industry Data Security Standard — a mandatory ruleset for any organisation that stores, processes, or transmits credit card data, written by the major card brands (Visa, Mastercard, Amex, Discover, JCB).
PCI DSS arose because of widespread cardholder data breaches in the early 2000s. The card industry didn't wait for a regulator — they made compliance a contractual requirement: no PCI DSS, no merchant agreement.
Coverage includes:
- Build and maintain a secure network (firewalls, no vendor defaults)
- Protect cardholder data (encryption at rest and in transit)
- Vulnerability management programme (AV, patch hygiene)
- Strong access control (need-to-know, unique IDs, physical access)
- Monitoring and testing of networks
- Information security policy
Tip: PCI DSS levels (1–4) depend on transaction volume. Level 1 (~6M transactions/year) requires an annual on-site audit by a Qualified Security Assessor (QSA); Level 4 (<20K e-commerce transactions) needs only a self-assessment questionnaire (SAQ).
Go deeper:
PCI Security Standards Council (official) — the body that writes PCI DSS, plus the SAQs and QSA programme behind the compliance levels.
Payment Card Industry Data Security Standard (Wikipedia) — the twelve requirements and what counts as cardholder data.