
    Payment Card Industry

    PCI DSS

    The Payment Card Industry Data Security Standard. Protect cardholder data and enable secure payment processing in AI-enhanced environments.


    What Is PCI DSS?

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the Payment Card Industry Security Standards Council (PCI SSC), founded by major card brands including Visa, Mastercard, American Express, Discover, and JCB.

    PCI DSS v4.0, released in March 2022, represents a significant evolution of the standard with enhanced flexibility and security requirements. The standard is mandatory for any organization handling cardholder data, with compliance requirements varying based on transaction volume.

    As AI becomes integral to payment processing—from fraud detection to customer service—organizations must ensure their AI systems are properly included in PCI DSS scope and meet all applicable requirements.

    Important Deadline

    PCI DSS v4.0 full compliance is required by March 31, 2025. Organizations must implement all v4.0 requirements by this date, when the transition period ends and v3.2.1 is retired.

    The 12 PCI DSS Requirements

    PCI DSS v4.0 organizes its security controls into 12 principal requirements:

    1. Network Security Controls: Install and maintain network security controls

    2. Secure Configurations: Apply secure configurations to all system components

    3. Account Data Protection: Protect stored account data

    4. Transmission Encryption: Protect cardholder data with strong cryptography during transmission

    5. Malware Protection: Protect all systems and networks from malicious software

    6. Secure Systems: Develop and maintain secure systems and software

    7. Access Restriction: Restrict access to system components and cardholder data

    8. User Identification: Identify users and authenticate access to system components

    9. Physical Access: Restrict physical access to cardholder data

    10. Logging & Monitoring: Log and monitor all access to system components and cardholder data

    11. Security Testing: Test security of systems and networks regularly

    12. Information Security: Support information security with organizational policies and programs

    Merchant Compliance Levels

    Level 1: 6+ million transactions/year. Annual ROC by QSA, quarterly network scans.

    Level 2: 1-6 million transactions/year. Annual SAQ, quarterly network scans.

    Level 3: 20K-1M e-commerce transactions/year. Annual SAQ, quarterly network scans.

    Level 4: <20K e-commerce or <1M other transactions/year. Annual SAQ recommended, quarterly scans if applicable.

    What's New

    Key Changes in PCI DSS v4.0

    Customized approach allows flexibility for meeting control objectives

    Enhanced authentication requirements (MFA mandatory for all access)

    Expanded scope for e-commerce and cloud environments

    New requirements for targeted risk analysis

    Stronger requirements for service provider relationships

    March 2025 deadline for v4.0 full compliance

    AI-Specific Considerations

    PCI DSS and AI Systems

    AI fraud detection systems must not expose cardholder data in training or inference

    ML models processing payment data require PCI DSS scope consideration

    AI-powered customer service handling card data needs appropriate controls

    Requirement 6 applies to AI/ML systems as custom software

    Tokenization and encryption requirements apply to AI training data

    PCI DSS v4.0 customized approach allows flexibility for AI implementations

    Customized Approach: PCI DSS v4.0's customized approach is particularly valuable for AI implementations. Instead of prescriptive controls, you can demonstrate how your AI systems meet security objectives through alternative methods.
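The point above that tokenization and encryption requirements apply to AI training data, illustrated with an added example that is not part of this page or of ZIVIS's tooling: a pre-ingest filter that finds Luhn-valid PANs in free-text records and swaps each for a keyed, non-reversible surrogate before the record reaches a model's training set. The candidate regex, the HMAC key and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run (assumed pattern for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order ids and other digit runs that are not PANs."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def surrogate(digits: str, key: bytes) -> str:
    """Deterministic, non-reversible stand-in for a PAN.

    Keyed hash (HMAC-SHA256) rather than a plain hash, so the small PAN space
    cannot be enumerated without the key; last four digits are kept as a feature.
    """
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]
    return f"tok_{mac}_{digits[-4:]}"


def sanitize_record(text: str, key: bytes):
    """Replace every Luhn-valid PAN in a record; return (clean_text, count)."""
    replaced = 0

    def repl(match: re.Match) -> str:
        nonlocal replaced
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # digit run that is not a card number: keep it
        replaced += 1
        return surrogate(digits, key)

    return PAN_CANDIDATE.sub(repl, text), replaced


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a managed key, never hard-coded
    # Constructed sample: a Luhn-valid test PAN next to a non-PAN 16-digit order id.
    sample = "chargeback note: card 4111 1111 1111 1111, order 1234567890123456"
    clean, n = sanitize_record(sample, key)
    print(n, clean)
```

Run the filter at the boundary where raw payment records leave the cardholder data environment; what comes out carries no PAN, so the downstream training store and the model itself stay out of scope for Requirement 3.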

    Why You Need PCI DSS Compliance

    Payment Processing

    PCI DSS compliance is mandatory to accept card payments. Card brands can revoke processing privileges for non-compliant organizations.

    Breach Liability

    Non-compliant organizations face significant fines and liability for data breaches. Compliance reduces both risk and financial exposure.

    Business Partnerships

    Partners and customers require PCI DSS compliance verification before sharing payment data or integrating systems.

    Customer Trust

    Demonstrating PCI DSS compliance builds customer confidence in your ability to protect their payment information.

    How ZIVIS Helps

    Scope Assessment

    Determine which systems are in scope for PCI DSS, including AI systems that process, store, or transmit cardholder data.

    Gap Analysis

    Comprehensive evaluation against PCI DSS v4.0 requirements, identifying gaps and creating prioritized remediation plans.

    AI Security Controls

    Design and implement controls for AI systems handling payment data, including data tokenization and secure development practices.

    Assessment Preparation

    Prepare for QSA assessments or self-assessment questionnaires with documentation review and control testing.

    Ready for PCI DSS v4.0 Compliance?

    Let's assess your payment systems and ensure you meet the March 2025 deadline.
