PCI DSS - Payment Card Industry Data Security Standard
In force since 31 March 2024
Agent Navigation: For section discovery, use /regulations/global/pci-dss/llms.txt
Quick Reference
PCI DSS is the global security standard for any organization that stores, processes, or transmits payment card data. Maintained by the PCI Security Standards Council and enforced by card brands through acquiring banks.
Applies to: Any organization handling payment card data (merchants, processors, service providers)
Key rules:
- Must implement 12 security requirements covering network, data, access, and policies [Req 1-12]
- Must encrypt stored cardholder data; NEVER store CVV after authorization [Req 3]
- Must use MFA for all access to the cardholder data environment (CDE) [Req 8.4]
- Must conduct quarterly vulnerability scans, the external ones by an Approved Scanning Vendor (ASV) [Req 11.3]
- Must perform annual penetration testing [Req 11.4]
| Question | Answer | Citation |
|---|---|---|
| Can we store CVV/CVC? | Never after authorization | Req 3.2 |
| Is MFA required for CDE? | Yes, for all access | Req 8.4 |
| How often are vulnerability scans required? | Quarterly (external scans by an ASV) | Req 11.3 |
| How long must logs be kept? | 12 months (3 months immediately available) | Req 10.5 |
| Patch deadline for critical vulnerabilities? | 30 days | Req 6.3 |
| Need incident response plan? | Yes, tested annually | Req 12.10 |
Regulation Map (All Chunks)
Every section of the PCI DSS coverage is listed here for full-text lookup and agent navigation.
Definitions
Requirements
- PCI DSS: Access Control
- PCI DSS: Data Protection
- PCI DSS: Monitoring and Testing
- PCI DSS: Network Security
- PCI DSS: Information Security Policies
- PCI DSS: Vulnerability Management