
PCI DSS

Also known as: Payment Card Industry Data Security Standard · PCI DSS 4.0.1

Card-brand mandated standard for any entity that stores, processes, or transmits cardholder data.

PCI DSS 4.0.1 is the PCI Security Standards Council's mandated standard for the protection of cardholder data (CHD) and sensitive authentication data (SAD). It defines 12 high-level requirements grouped into six control objectives, scoped to the cardholder data environment (CDE).

Why it matters
Failing to comply with PCI DSS triggers card-brand fines ($5K–$100K/month per acquirer) and, more damaging, loss of merchant processing privileges. Breach scope expands materially if SAD is found stored post-authorisation.

Related terms

Cardholder Data (CHD)
The PAN alone, or the PAN together with cardholder name, expiration date, or service code, as defined by PCI DSS.
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).
PCI SAQ (Self-Assessment Questionnaire)
PCI DSS self-assessment for merchants meeting eligibility criteria; nine SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE).
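A worked illustration of the tokenisation and stored-SAD points above (an added example, not code from this page or from ComplianceIQ): a hypothetical in-memory vault that Luhn-checks the PAN, hands back a random surrogate token that keeps only the last four digits, and refuses any record carrying sensitive authentication data. The `TokenVault` class, the field names and the test PAN are assumptions.

```python
import hashlib
import hmac
import secrets

# Sensitive authentication data must not be kept after authorisation,
# so the vault refuses to accept these fields at all.
SAD_FIELDS = {"cvv", "cvv2", "pin", "track1", "track2"}


def luhn_valid(pan):
    """True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault: PAN in, random surrogate token out."""
    def __init__(self):
        self._token_to_pan = {}
        self._index_to_token = {}
        # Keyed hash so the lookup index is not itself a stored PAN.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, record):
        """Store the PAN from `record` and return its token; reject SAD."""
        sad = SAD_FIELDS & {k.lower() for k in record}
        if sad:
            raise ValueError("refusing to store SAD fields: %s" % sorted(sad))
        pan = record["pan"].replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        idx = self._index(pan)
        if idx not in self._index_to_token:
            # Random token; only the last four digits survive, for display.
            token = "tok_" + secrets.token_hex(6) + pan[-4:]
            self._token_to_pan[token] = pan
            self._index_to_token[idx] = token
        return self._index_to_token[idx]

    def detokenize(self, token):  # vault-only operation: token back to PAN
        return self._token_to_pan[token]
```

Everything outside the vault handles only the token, which is how tokenisation narrows the CDE.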

Does your program actually cover PCI DSS?

Run a free ComplianceIQ audit against PCI DSS and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
