What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. It is maintained by the PCI Security Standards Council, which was founded by American Express, Discover, JCB, Mastercard, and Visa. Any organization that stores, processes, or transmits cardholder data must comply.
Why PCI DSS Exists
PCI DSS was created to reduce payment card fraud and data breaches. Before PCI DSS, each card brand had its own security requirements, creating confusion and inconsistency. PCI DSS unified these into a single standard that applies across all major card brands.
Who Must Comply
Every entity that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants (brick-and-mortar and e-commerce), payment processors, acquirers, issuers, and service providers. The scope of compliance depends on how you handle cardholder data.
Merchant Levels
Card brands classify merchants into levels based on annual transaction volume. Level 1 merchants (over 6 million transactions) require an on-site assessment by a Qualified Security Assessor (QSA). Level 2 merchants (1 to 6 million transactions) may self-assess. Level 3 merchants (20,000 to 1 million e-commerce transactions) and Level 4 merchants (under 20,000 e-commerce transactions, or up to 1 million transactions through other channels) self-assess using simplified questionnaires. The thresholds above follow Visa's definitions; each card brand publishes its own, and they differ slightly.
Cardholder Data
PCI DSS protects cardholder data — the primary account number (PAN), cardholder name, expiration date, and service code. It also protects sensitive authentication data — full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2), and PINs. Sensitive authentication data must never be stored after authorization, even if encrypted; this rule applies regardless of any other protection applied to the data.
Consequences of Non-Compliance
Non-compliance can result in fines from card brands ($5,000 to $100,000 per month), increased transaction fees, loss of the ability to process card payments, and liability for fraud losses in the event of a breach. The reputational damage from a cardholder data breach can be severe.
In the next lesson, we will cover the 12 PCI DSS requirements.