
PCI DSS 🟦 Standard

PCI DSS (Payment Card Industry Data Security Standard) is an international security standard established by the PCI Security Standards Council (PCI SSC), founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa. Its aim is to protect payment card data and enhance transaction security.

This standard applies to any entity that stores, processes or transmits payment card data, including:

  • Retailers of all sizes
  • Payment service providers
  • Transaction processors
  • Payment software developers
  • Hosted service providers

It is regularly updated to respond to emerging threats. The latest version is PCI DSS v4.0, published in 2022.

🎯 Main objectives


1. Creating and managing a secure network

  • Requirement 1: install and manage network security controls and firewalls to protect data
  • Requirement 2: apply secure configurations and do not use the default settings provided by vendors

2. Protecting cardholder data

  • Requirement 3: protect stored cardholder data
  • Requirement 4: encrypt the transmission of cardholder data over open and public networks

3. Vulnerability management

  • Requirement 5: protect all systems against malicious software and regularly update antivirus programmes
  • Requirement 6: develop and maintain secure systems and applications

4. Robust access control

  • Requirement 7: restrict access to data on a need-to-know basis
  • Requirement 8: identify and authenticate access to system components
  • Requirement 9: restrict physical access to cardholder data

5. Network monitoring and testing

  • Requirement 10: track and monitor all access to network resources and cardholder data
  • Requirement 11: regularly test security systems and processes

6. Security policy

  • Requirement 12: maintain an information security policy for all staff

📝 Validation and compliance


PCI DSS compliance is validated by external audits for large entities or by self-assessment questionnaires (SAQ) for smaller entities, depending on the volume of transactions. Organisations must comply with PCI DSS 4.0 by 31 March 2024, with additional requirements to be implemented by 31 March 2025.

Non-compliance can result in fines, penalties and restrictions on access to payment networks. It is therefore crucial for organisations to start implementing the new security requirements as soon as possible to ensure they are compliant by the deadline.