Skip to Content
Governance and Compliance

What Is PCI DSS (the Card Security Standard)?

PCI DSS (the Payment Card Industry Data Security Standard) is the security standard that protects payment card data. It is not a law: it is a contractual requirement created by the card brands and enforced by the banks, and it applies to any company that stores, processes or transmits card data, from e-commerce to a physical store. The current version, v4.0.1, organizes protection into 12 requirements grouped under 6 control objectives, and since March 31, 2025 the requirements that were previously optional best practices are also mandatory in an assessment.

Zamak TechnologiesUpdated on July 10, 2026

How PCI DSS works in practice

PCI DSS starts from a simple question: where does card data enter, sit and leave the company? Everything that touches that flow forms the cardholder data environment (the CDE), and that is what has to be protected and validated. The cycle has four steps.

1

Find the scope (the CDE)

Map where card data travels and where it is stored. Shrinking that territory, for example by outsourcing payment to a certified provider, shrinks the compliance effort.

2

Apply the 12 requirements

Secure network, protection of stored data, vulnerability management, access control, monitoring and a security policy: those are the six goals that the 12 requirements detail.

3

Validate at the right level

Depending on transaction volume, the company validates through a self-assessment questionnaire (SAQ) or an audit by a qualified assessor (QSA), together with vulnerability scans by an approved vendor (ASV).

4

Maintain it all year

PCI DSS is not an annual snapshot. v4.0.1 reinforces that controls must operate continuously, not just in the week of the audit.

Source: PCI Security Standards Council (PCI SSC), PCI DSS v4.0.1.

The 6 goals that organize the 12 requirements

  • Secure network and systems Keep a firewall and hardened configurations, with no vendor default passwords.
  • Protect account data Encrypt stored card data and its transmission across open networks.
  • Vulnerability management Keep anti-malware current and software patched against known flaws.
  • Strong access control Grant access to the data only to those who need it, with unique IDs and physical restriction.
  • Monitor and test Log and track all access to the network and test security regularly.
  • Information security policy A written policy that guides people and holds everything else together.

Why card data stays a target

US$33.4B
was the global card fraud loss in 2024 (Nilson Report)
12
requirements organized into 6 control objectives define PCI DSS v4.0.1 (PCI SSC)
Mar 31, 2025
is the date the previously optional v4.x requirements became mandatory in an assessment (PCI SSC)

As long as there are cards, there is fraud. Global card fraud losses reached US$33.4 billion in 2024 (Nilson Report), on more than US$51 trillion in volume. For a company that suffers a card data breach, the bill is not just the fraud: it brings brand fines, the cost of a forensic investigation, the possible loss of the right to accept cards and reputational damage. And PCI DSS exempts no one by size: the bakery running a card terminal and the marketplace with millions of transactions answer to the same standard, at different validation levels.

How a company prepares for PCI DSS

PCI DSS compliance is less about a one-time project and more about reducing what you have to protect. The most direct path:

  1. Shrink the scope firstThe less a company stores and touches card data, the smaller the effort. Outsourcing payment to a certified provider takes much of the CDE out of the house.
  2. Find your validation levelTransaction volume decides whether the company validates through self-assessment or an external auditor. Knowing the level avoids demanding more (or less) of yourself than the brand requires.
  3. Close the controls in the 12 requirementsFrom MFA on data access to vulnerability patching, each requirement becomes a control with evidence, not a promise.
  4. Treat it as a continuous routinev4.0.1 wants controls running all year. Monitoring and collecting evidence continuously is what avoids the scramble the night before the audit.

In practice

The question that reveals the real risk: does the company know exactly where card data flows today, or would it find out only in the middle of a fraud investigation?

How Zamak handles PCI DSS compliance

Zamak Technologies supports the PCI DSS journey as part of Governance and Compliance in the Zamak Method: control mapping, continuous evidence collection and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.

Frequently asked questions about PCI DSS

Is PCI DSS a law?
No. It is a security standard created by the card brands and required by contract through the acquiring banks. Non-compliance does not bring a government fine, but it can bring a brand fine and the loss of the right to accept cards.
My company is small, does PCI DSS apply to me?
Yes. The standard applies to any company that accepts, processes or transmits card data. What changes with size is the validation level, not the duty to protect the data.
If I use a payment provider, do I still need to worry?
Yes, but less. Outsourcing payment to a certified provider greatly reduces your scope, but the company still answers for how it integrates that provider and for not storing card data it should not.
What is the CDE?
It is the cardholder data environment: every system, network and process that stores, processes or transmits card data, or that can affect the security of that data. Scoping the CDE is the first step of PCI DSS.
What is the difference between a SAQ and a QSA audit?
The SAQ is a self-assessment questionnaire, used by lower-volume companies; an audit by a QSA (qualified security assessor) is required at higher volumes. Both validate the same standard, at different depth.
Can I store the card security code (CVV)?
No. PCI DSS prohibits storing sensitive authentication data, such as the CVV, after the transaction is authorized, even encrypted. It is one of the most direct rules in the standard.