PCI DSS (Payment Card Industry Data Security Standard) is an international data security standard designed to protect payment cardholder information. It applies to every organization that stores, processes or transmits payment card data. Its main purpose is to secure payment transactions and protect sensitive cardholder data.
The standard was first introduced in 2004 by the Payment Card Industry Security Standards Council (PCI SSC), in which all the major card brands, such as Visa, MasterCard and American Express, are represented.
The standard contains many requirements, which can be loosely grouped as follows:
- Network and system protection. Installing firewalls, removing vendor default passwords, and other measures that protect data in transit and on systems;
- Protection of stored data. Encrypting and otherwise protecting stored cardholder data;
- Access control. Implementing authentication and authorization mechanisms that restrict access to cardholder data;
- Physical protection. Securing the physical infrastructure that holds or processes card data;
- Logging and monitoring. Regularly logging security events and monitoring for suspicious activity.
There are four PCI DSS compliance levels, determined by the volume of transactions an organization processes:
- Level 1: more than 6 million transactions per year. An external audit by a QSA (Qualified Security Assessor) is required;
- Level 2: from 1 to 6 million transactions per year. A self-assessment or an internal audit is required;
- Level 3: from 20 thousand to 1 million transactions per year. A self-assessment is required;
- Level 4: up to 20 thousand transactions per year. This is the simplest level, and it also requires a self-assessment.
PCI DSS is the most important data security standard in the payment card industry and is applied worldwide. Compliance with it is mandatory for any organization that handles payment cards or works with banks on card processing.