PCI DSS
PCI DSS v4.0
The payment-card industry's security standard for protecting cardholder data, structured into 12 core requirements across six control objectives.
Who it applies to
Any organization worldwide that stores, processes or transmits payment card data, and any entity that can affect the security of cardholder data. Enforced by the card brands through acquiring banks, not by law.
Build and maintain a secure network
Protect account data
- Req. 3 Protect stored account data (15 mapped)
Render stored cardholder data unreadable, including through strong cryptography and key management.
- Req. 4 Protect cardholder data with strong cryptography during transmission (15 mapped)
Use strong cryptography to protect cardholder data when transmitted over open, public networks.
Implement strong access control
- Req. 7 Restrict access by business need to know (16 mapped)
Limit access to system components and cardholder data to only those individuals whose job requires it.
- Req. 8 Identify users and authenticate access (16 mapped)
Assign a unique ID to each user and authenticate access to system components, including multi-factor authentication.
Regularly monitor and test networks
- Req. 10 Log and monitor all access to system components and cardholder data (11 mapped)
Implement audit logs and monitor all access to network resources and cardholder data to detect and investigate anomalies.
- Req. 11 Test security of systems and networks regularly (10 mapped)
Regularly test security, including vulnerability scans and penetration testing of systems and networks.