The Payment Card Industry (PCI) Security Standards Council (SSC) develops standards and resources that protect the people, processes, and technologies across the payment ecosystem in order to secure payment transactions worldwide. The PCI SSC is led by a policy-setting Executive Committee composed of representatives from the Founding Members and Strategic Members, which include American Express, Discover Financial Services, JCB International, Mastercard, UnionPay, and Visa Inc.
The PCI Data Security Standard (DSS) is a global standard that was established to protect payment account data. The PCI DSS consists of twelve technical and operational requirements that are grouped under six different goals.
If an entity stores, processes, or transmits the payment card Primary Account Number (PAN), then a Cardholder Data Environment (CDE) exists, and the PCI DSS requirements apply to it.
The current version of the PCI DSS is 4.0. This version was officially released in 2022 with a transition period of two years. The previous version, 3.2.1, expires on 3/31/2024. Some requirements in v4.0 are considered best practices until 3/31/2025, after which they will be required and must be fully considered during a PCI DSS assessment.
Some of the changes incorporated into Version 4.0 of the PCI DSS are intended to:
- Continue to meet the security needs of the payment industry.
- Promote security as a continuous process.
- Increase flexibility for organizations using different methods to achieve security objectives.
- Enhance validation methods and procedures.
For a comprehensive view of changes in the new version as well as other standards and supporting documentation, please refer to the PCI SSC Document Library.
Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after the standard is retired on 3/31/2024, should be directed to the organizations that manage the compliance program, such as payment brands and acquirers.