What is PCI DSS?
PCI DSS is the payment card industry's security standard for protecting cardholder data. Learn what PCI DSS requires, how compliance is validated, and the scope reduction strategies that reduce compliance burden.
PCI DSS Requirements Structure
PCI DSS v4.0, the current version effective March 2024, organizes 12 requirements across six control objectives:
Build and Maintain a Secure Network and Systems: install and maintain network security controls; apply secure configurations to all system components.
Protect Account Data: protect stored account data; protect cardholder data with strong cryptography during transmission.
Maintain a Vulnerability Management Program: protect all systems and networks from malicious software; develop and maintain secure systems and software.
Implement Strong Access Control Measures: restrict access to system components and cardholder data; identify users and authenticate access to system components; restrict physical access to cardholder data.
Regularly Monitor and Test Networks: log and monitor all access to system components and cardholder data; test security of systems and networks regularly.
Maintain an Information Security Policy.
Compliance Validation Levels
PCI DSS compliance is validated through different mechanisms depending on transaction volume. Level 1 merchants processing more than 6 million transactions annually must undergo an annual on-site audit by a Qualified Security Assessor and quarterly network scans. Lower volume merchants may self-assess using Self-Assessment Questionnaires of varying complexity depending on payment acceptance methods. The QSA audit is the most rigorous validation path and is required for the largest organizations and any organization that has experienced a breach.
Scope Reduction: The Most Impactful PCI DSS Strategy
PCI DSS compliance requirements apply to all systems in scope — systems that store, process, or transmit cardholder data, or systems that could affect the security of cardholder data. The most impactful PCI DSS compliance strategy is scope reduction: minimizing the number of systems subject to PCI DSS requirements by limiting cardholder data to as few systems as possible.
Tokenization replaces cardholder data in business systems with a random token that has no value to attackers. The actual cardholder data is stored in a tokenization vault operated by a payment processor or specialized tokenization provider, keeping it out of the merchant's environment entirely. When scope reduction through tokenization is implemented effectively, a merchant's PCI DSS scope may be reduced to only the payment terminals that capture cardholder data before tokenization, dramatically reducing the compliance burden.
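To make the scope-reduction mechanism concrete, the following is an added example (not code from the original page or from any payment processor): a hypothetical tokenization vault that hands the merchant a random token, keeps the PAN-to-token mapping on the vault side only, and lets the merchant store a record that contains no cardholder data. The class, function and field names are assumptions for illustration, and the PAN used is the well-known test number 4111 1111 1111 1111, not a real card.

```python
"""Added example: a minimal tokenization vault showing why a merchant record
holding only a token stays outside the cardholder data environment.
The TokenVault class and merchant_record layout are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical vault as a payment processor would operate it: it holds the
    token-to-PAN mapping, and the merchant never sees this object's contents."""
    _store: dict = field(default_factory=dict)    # token -> PAN
    _index: dict = field(default_factory=dict)    # keyed fingerprint -> token
    _index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _fingerprint(self, pan: str) -> str:
        # Keyed HMAC lets the vault reuse a token for a repeat card without
        # storing an unkeyed hash of the PAN that could be brute-forced.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a random token for the PAN, storing the mapping vault-side."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._index:
            return self._index[fp]
        # The token is random: it has no mathematical relation to the PAN, so it
        # is worthless to an attacker who lifts it from a merchant database.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._store:
                break
        self._store[token] = pan
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the processor's payment path ever calls this."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the merchant's order system keeps after tokenization: the token plus
    the truncated display data (last four digits) that PCI DSS allows to be stored."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "expiry": expiry}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Scope check: any stored value containing the full PAN pulls the system into scope."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", "12/29")   # constructed test PAN
    print(rec)
    print("merchant record in PCI scope:", record_contains_pan(rec, "4111111111111111"))
```

The design point is in `record_contains_pan`: after tokenization the merchant's database, application servers and backups hold nothing that maps back to a card, so only the capture point (the terminal or hosted payment page that sees the PAN before it reaches the vault) remains in scope. In a real deployment the vault sits with the processor, not in the merchant's code, and the keyed fingerprint index is what allows repeat customers to be recognised without the merchant ever handling the PAN again.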
PCI DSS for PE Portfolio Companies
PE-backed companies that process payment cards — retailers, hospitality companies, healthcare providers, SaaS companies with payment functionality — have PCI DSS obligations proportional to their transaction volume and payment acceptance methods. Acquiring PCI DSS obligations through an M&A transaction is common; inheriting a non-compliant cardholder data environment is a significant risk.
PCI DSS due diligence should evaluate:
What is the current compliance validation status?
When was the last QSA assessment or SAQ completed?
Has the organization experienced a payment card breach?
What is the scope of the cardholder data environment?
Are there plans for scope reduction through tokenization?
Is the acquiring bank aware of the compliance status?
These questions reveal whether PCI DSS compliance is current, lapsed, or never established.
Real-World Example: Target 2013 — The PCI Compliance That Wasn't
Target had passed a PCI DSS assessment conducted by a Qualified Security Assessor shortly before its 2013 breach. The breach compromised 40 million payment card records. Investigation revealed that while Target had passed the QSA assessment, the assessment had not identified the network segmentation failures that allowed attackers to move from a contractor's remote access to the payment card processing environment. The case prompted significant revision to QSA audit methodology and raised fundamental questions about whether PCI DSS assessment validates actual security or compliance documentation.
The estimated value of a complete medical record on the black market — versus $5 for a credit card number. Yet PCI DSS breaches carry lower per-record regulatory penalties than HIPAA breaches, creating a compliance cost asymmetry that underweights the value of stolen card data to attackers.