PCI DSS

The Payment Card Industry Data Security Standard. Protect cardholder data and enable secure payment processing in AI-enhanced environments.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC), founded by major card brands including Visa, Mastercard, American Express, Discover, and JCB.

PCI DSS v4.0, released in March 2022, represents a significant evolution of the standard with enhanced flexibility and security requirements. The standard is mandatory for any organization handling cardholder data, with compliance requirements varying based on transaction volume.

As AI becomes integral to payment processing—from fraud detection to customer service—organizations must ensure their AI systems are properly included in PCI DSS scope and meet all applicable requirements.

Important Deadline

PCI DSS v4.0 full compliance is required by March 31, 2025. Organizations must implement all v4.0 requirements by this date. The transition period ends and v3.2.1 will be retired.

The 12 PCI DSS Requirements

PCI DSS v4.0 organizes security controls into 12 principal requirements:

1. Network Security Controls: install and maintain network security controls.
2. Secure Configurations: apply secure configurations to all system components.
3. Account Data Protection: protect stored account data.
4. Transmission Encryption: protect cardholder data with strong cryptography during transmission.
5. Malware Protection: protect all systems and networks from malicious software.
6. Secure Systems: develop and maintain secure systems and software.
7. Access Restriction: restrict access to system components and cardholder data.
8. User Identification: identify users and authenticate access to system components.
9. Physical Access: restrict physical access to cardholder data.
10. Logging & Monitoring: log and monitor all access to system components and cardholder data.
11. Security Testing: test security of systems and networks regularly.
12. Information Security: support information security with organizational policies and programs.

Merchant Compliance Levels

Level 1: 6+ million transactions/year. Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), quarterly network scans.

Level 2: 1-6 million transactions/year. Annual Self-Assessment Questionnaire (SAQ), quarterly network scans.

Level 3: 20K-1M e-commerce transactions/year. Annual SAQ, quarterly network scans.

Level 4: <20K e-commerce or <1M other transactions/year. Annual SAQ recommended, quarterly scans if applicable.

What's New

Key Changes in PCI DSS v4.0

Customized approach allows flexibility for meeting control objectives

Enhanced authentication requirements (MFA mandatory for all access)

Expanded scope for e-commerce and cloud environments

New requirements for targeted risk analysis

Stronger requirements for service provider relationships

March 2025 deadline for v4.0 full compliance

AI-Specific Considerations

PCI DSS and AI Systems

AI fraud detection systems must not expose cardholder data in training or inference

ML models processing payment data require PCI DSS scope consideration

AI-powered customer service handling card data needs appropriate controls

Requirement 6 applies to AI/ML systems as custom software

Tokenization and encryption requirements apply to AI training data

PCI DSS v4.0 customized approach allows flexibility for AI implementations

Customized Approach: PCI DSS v4.0's customized approach is particularly valuable for AI implementations. Instead of prescriptive controls, you can demonstrate how your AI systems meet security objectives through alternative methods.
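The points above about keeping cardholder data out of AI training and inference, and applying tokenization to training data, can be made concrete with a de-identification step that runs before a record reaches a feature pipeline. The following is an added example written for this page, not ZIVIS code and not a PCI-listed tokenization product: it finds candidate primary account numbers (PANs) in free-text fields, confirms them with the Luhn check to avoid masking order or phone numbers, replaces each PAN with a keyed HMAC token so a fraud model can still learn "same card" relationships without seeing the PAN, and keeps only a first-six/last-four masked form for human display. The key, the sample record, and the field names are constructed for the example.

```python
"""Scrub PANs from a record before it enters an ML feature pipeline (added example)."""
import hashlib
import hmac
import re

# Constructed key for the example only; a real deployment keeps the key in a
# KMS/HSM outside the ML environment, since anyone holding it can link tokens to PANs.
TOKEN_KEY = b"example-only-key-do-not-use"

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed token: same PAN -> same token, not reversible without the key."""
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:24]


def mask_pan(pan: str) -> str:
    """Display form keeping at most first six and last four digits (assumed masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_text(text: str) -> tuple[str, list[str]]:
    """Replace Luhn-valid PANs in text with tokens; return (scrubbed text, PANs found)."""
    found: list[str] = []

    def replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # order/reference number, leave untouched
        found.append(digits)
        return tokenize_pan(digits)

    return PAN_CANDIDATE.sub(replace, text), found


def scrub_record(record: dict) -> dict:
    """Scrub every string field; returns a new record plus masked forms of PANs removed."""
    cleaned = {}
    masked = []
    for field, value in record.items():
        if isinstance(value, str):
            text, pans = scrub_text(value)
            cleaned[field] = text
            masked.extend(mask_pan(p) for p in pans)
        else:
            cleaned[field] = value
    cleaned["pan_masked"] = masked   # the only card-derived value a human ever sees
    return cleaned


# Constructed sample: a support note that mixes a (public test) PAN with an order reference.
SAMPLE_RECORD = {
    "ticket_id": 10423,
    "note": "Customer says card 4111 1111 1111 1111 was declined; order ref 1234567890123456",
}

if __name__ == "__main__":
    print(scrub_record(SAMPLE_RECORD))
```

The Luhn filter is what keeps the scrubber from mangling the 16-digit order reference in the sample while still catching the spaced card number. Whether the HMAC tokens themselves stay outside PCI DSS scope depends on how the key is managed, which is exactly the kind of question the scope assessment described later on this page has to answer.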

Why You Need PCI DSS Compliance

Payment Processing

PCI DSS compliance is mandatory to accept card payments. Card brands can revoke processing privileges for non-compliant organizations.

Breach Liability

Non-compliant organizations face significant fines and liability for data breaches. Compliance reduces both risk and financial exposure.

Business Partnerships

Partners and customers require PCI DSS compliance verification before sharing payment data or integrating systems.

Customer Trust

Demonstrating PCI DSS compliance builds customer confidence in your ability to protect their payment information.

How ZIVIS Helps

Scope Assessment

Determine which systems are in scope for PCI DSS, including AI systems that process, store, or transmit cardholder data.

Gap Analysis

Comprehensive evaluation against PCI DSS v4.0 requirements, identifying gaps and creating prioritized remediation plans.

AI Security Controls

Design and implement controls for AI systems handling payment data, including data tokenization and secure development practices.

Assessment Preparation

Prepare for QSA assessments or self-assessment questionnaires with documentation review and control testing.

Ready for PCI DSS v4.0 Compliance?

Let's assess your payment systems and ensure you meet the March 2025 deadline.