What are the PCI DSS standards


Content and scope

The Payment Card Industry Data Security Standard (PCI DSS) represents a security framework and contains a comprehensive list of requirements for controls in the areas of physical and logical security. The aim of the standard is to improve the security of credit card data and online payment transactions, provided that these are processed using credit card payments.
The PCI DSS was developed by the leading credit card companies and first published in 2005. It is aimed at all companies that process, save or transmit credit card data.


The standard does not provide any concrete methodology. Rather, it defines six abstract control objectives, divided into twelve requirement areas with over 230 detailed requirements. The control objectives are to be implemented for the entire environment that processes, stores or transmits credit card data or that is connected to it.

The requirement areas are:

  • Installation and maintenance of a firewall configuration
  • Do not use any vendor-supplied default settings for system passwords and other security parameters
  • Protection of stored cardholder data
  • Encryption of cardholder data when transmitted over public networks
  • Use and regularly update anti-virus software
  • Development and maintenance of secure systems and applications
  • Restrict access to cardholder data based on business information needs
  • Assignment of a unique ID for each person with computer access
  • Restricting physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • regular testing of security systems and processes
  • Follow an information security policy for employees and subcontractors
  • The concrete form of the measures must be company-specific.

The standard also requires the use of security technologies such as virus scanners, firewalls, application layer firewalls or vulnerability scanners.
If, for technical or business reasons, individual controls cannot be met, so-called compensation controls can be introduced, but these must be at least as strong as the controls to be replaced.


Retailers or service providers who carry out more than 1,000,000 transactions per year have to have their network security checked by an Approved Scanning Vendor (ASV). The experts at an ASV carry out a vulnerability scan of the network.
Compliance with the other requirements of the standard is checked and certified by external parties (so-called Qualified Security Assessor (QSA)).
To maintain the certificate, the vulnerability scan must be repeated quarterly and the fulfillment of the additional requirements must be certified annually by an assessor.
Companies with fewer than 1,000,000 transactions must confirm the requirements through an annual self-assessment and a quarterly vulnerability scan by an ASV.

Further remarks

Affected companies that do not adhere to the requirements of this standard can be subject to penalties and sanctions - up to and including the exclusion of participation in credit card payment transactions.
The standard is available free of charge on the website of the PCI Security Standard Council www.pcisecuritystandards.org.

Previous editions

PCI DSS 1.0: 2006
PCI DSS 1.1: 2007
PCI DSS 1.2: 2008