What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an international information security standard designed to reduce payment card fraud, administered by the PCI Security Standards Council (PCI SSC).
The PCI DSS consists of a standardized, industry-wide set of requirements and processes for various security controls, ensuring that payment card and cardholder data are protected. In total, there are 6 control objectives, which are split into 12 requirements. These are further divided into hundreds of sub-requirements. However, you may only need to comply with a small subset of the requirements, depending on how you take payments; this is discussed further in Reducing the compliance burden.
Organizations within scope of the Standard must annually validate their compliance, either via an audit led by a qualified third party or by completing a self-assessment questionnaire (SAQ). Because the exact PCI DSS requirements can vary so much per organization, depending on how payment is taken and cardholder data is processed, there are nine different SAQs, with some shorter and more straightforward to complete than others. These are discussed further in Choosing the right SAQ(s).