pcidsscertification.in

PCI DSS Basics

What is PCI DSS Certification?

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security requirements for any organization that stores, processes, or transmits payment card data. It defines a baseline of technical and operational controls to protect cardholder data from breaches, fraud, and misuse across the entire payment lifecycle.

PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), which is backed by major card brands such as Visa, Mastercard, American Express, Discover, and JCB. While the Council publishes the standard and supporting documents, individual acquirers and card brands enforce PCI DSS compliance through their own programs.

Who needs PCI DSS Certification Services?

PCI DSS applies to any entity that handles cardholder data or sensitive authentication data, regardless of size, transaction volume, or geography. This includes:

If an environment can affect the confidentiality, integrity, or availability of cardholder data, it is typically considered “in scope” for PCI DSS Certification.

PCI DSS Certification Versions

PCI DSS has evolved over time to address new technologies, attack patterns, and regulatory expectations. Earlier versions such as 3.2.1 have now been superseded by PCI DSS 4.0 and its maintenance release 4.0.1, which refine compliance requirements and clarify implementation guidance.

The 4.x versions introduce changes such as stronger authentication expectations, enhanced logging and monitoring, risk-based “customized approaches,” and new requirements related to e-commerce skimming and change management. Organizations that were previously certified under 3.2.1 must transition their environments and assessments to the 4.x baseline according to the timelines set by the card brands and PCI SSC.

PCI DSS Certification levels


Card brands classify organizations into “levels” based mainly on annual card transaction volumes, which drive validation and reporting requirements. While the exact thresholds can vary slightly by brand and by whether an entity is a merchant or service provider, common patterns for merchants include:

Level 1:

  • Highest volume merchants (typically over 6 million transactions per year per brand, or designated as Level 1 due to risk or breach history). These usually require an annual onsite assessment by a Qualified Security Assessor (QSA) and a formal Report on Compliance (ROC), plus quarterly ASV scans.

Levels 2–4:

  • Lower-volume merchants, often allowed to validate using Self-Assessment Questionnaires (SAQs) plus quarterly ASV scans, with additional requirements determined by acquirers or brands.

Service providers have their own level thresholds and expectations, and usually need a QSA-led assessment and ROC when they play a critical role in protecting card data for multiple clients.

Scope and the cardholder data environment (CDE)

A central concept in PCI DSS certification is “scope,” which determines which systems, processes, and people are covered by the standard. The cardholder data environment (CDE) is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.

Any connected systems that can impact the security of the CDE, even if they do not directly handle card data, are usually considered “in scope” as well. Common techniques to reduce PCI DSS scope include strong network segmentation, using tokenization, outsourcing payment processing to PCI-compliant providers, and using hosted payment pages or redirect flows.

Key PCI DSS terminology

Understanding basic PCI DSS terminology helps interpret requirements and validation documents more accurately. Some foundational terms include:

Cardholder Data (CHD):

  • Data elements such as the Primary Account Number (PAN), cardholder name, service code, and expiration date used to identify the cardholder.

Sensitive Authentication Data (SAD):

  • Highly sensitive elements such as full track data, CVV/CVC/CAV/CID codes, and PIN/PIN block that are used to authenticate a cardholder and must not be stored after authorization.

PAN (Primary Account Number):

  • The long number embossed or printed on the card; when this can be linked to a cardholder, it must be protected per PCI DSS requirements.

Merchant vs Service Provider:

  • Merchants accept card payments for their own goods or services, whereas service providers store, process, or transmit card data on behalf of others or can impact card security.

SAQ (Self-Assessment Questionnaire):

  • A structured questionnaire used by eligible entities to self-validate PCI DSS controls for their environment and payment channels.

ROC (Report on Compliance) and AOC (Attestation of Compliance):

  • Formal documents produced after a QSA assessment (or self-assessment in some cases) that summarize how an organization meets PCI DSS.

QSA (Qualified Security Assessor) and ASV (Approved Scanning Vendor):

  • PCI SSC-qualified organizations or individuals authorized to perform PCI DSS assessments and external vulnerability scans, respectively.
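The CHD and SAD definitions above carry two concrete handling rules: SAD must never be kept after authorization, and the PAN must be protected wherever it is stored or displayed. The following Python is an added example, not code from pcidsscertification.in or from any PCI SSC document, showing how an application can enforce both rules on a transaction record and how a defender can check application logs for PANs that escaped masking. The record field names (`pan`, `cvv`, `track2`, ...), the log lines and the first-six/last-four masking convention are assumptions made for this example.

```python
"""Added example (not from pcidsscertification.in): enforcing the CHD/SAD
handling rules described on the page in application code, plus a log check
for PANs that were not masked. Field names, the record layout and the log
lines are constructed for illustration."""
import re

# Sensitive Authentication Data (SAD) field names in this example's assumed
# record layout. SAD must never be retained after authorization.
SAD_FIELDS = frozenset({"cvv", "pin", "pin_block", "track1", "track2"})


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by PAN check digits."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the right: double every second digit, subtract 9 if the result exceeds 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, keeping only the first six and last four digits.

    First six / last four is the traditional PCI DSS display limit; a stricter
    policy (e.g. last four only) can be layered on by the caller.
    """
    pan = re.sub(r"[\s-]", "", pan)
    if not luhn_ok(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_after_authorization(record: dict) -> dict:
    """Return a copy of a transaction record that is safe to persist.

    SAD elements are dropped entirely and the PAN is replaced by its masked
    form (a production system would store a token or an encrypted PAN instead;
    the point here is that the clear PAN and every SAD element leave the record).
    """
    safe = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in safe:
        safe["pan"] = mask_pan(safe["pan"])
    return safe


# 13 to 19 contiguous digits not adjacent to other digits: the PAN length range.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Find Luhn-valid, PAN-length digit runs in free text such as application logs.

    Luhn filtering discards most order numbers and timestamps, which is what
    makes this usable as a detection check for cardholder data leaking into logs.
    """
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


# Constructed sample data for a stand-alone run.
SAMPLE_RECORD = {
    "pan": "4111111111111111",  # well-known test PAN, passes Luhn
    "expiry": "12/30",
    "name": "A. Customer",
    "cvv": "123",               # SAD: must not be stored after authorization
    "track2": "4111111111111111=30121011234567890",  # SAD: full track data
}

SAMPLE_LOG = (
    "2025-01-10 12:00:01 ERROR auth declined card=4111111111111111 order=123456789012345\n"
    "2025-01-10 12:00:02 INFO  auth ok card=411111******1111 order=123456789012346\n"
)

if __name__ == "__main__":
    print(sanitize_after_authorization(SAMPLE_RECORD))
    print("unmasked PANs in log:", find_pans(SAMPLE_LOG))
```

Running the block prints the sanitized record (no `cvv` or `track2`, PAN masked) and reports the one unmasked PAN in the first log line, while the Luhn filter correctly ignores the 15-digit order numbers. The same `find_pans` check can be run over log archives or database exports as part of scoping work, because any location where it returns matches is storing cardholder data and is therefore in the CDE.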

Office Address

Bhubaneswar, India 8th Floor, Z Tower, Patia, Odisha 751024

Email:

info@kavachone.com

Phone:

+91 7290004041