Standard Overview
PCI DSS (Payment Card Industry Data Security Standard) is a global information security standard maintained by the PCI Security Standards Council (PCI SSC), which the major payment card brands Visa, Mastercard, American Express, Discover and JCB founded in 2006. Version 4.0, published in March 2022 and the only version in force since 31 March 2024 (when v3.2.1 was retired), is the most significant revision since PCI DSS 3.0. The standard applies to every entity that stores, processes or transmits cardholder data, including merchants, payment processors, acquirers, issuers and service providers. PCI DSS consists of 12 core requirements grouped under 6 control objectives: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
PCI DSS 4.0 introduces the customized approach, which lets an organization meet a requirement's stated security objective with controls of its own design, while the traditional defined approach remains available. Other major changes include stronger authentication requirements (multi-factor authentication for all access into the cardholder data environment), expanded encryption requirements, new e-commerce and anti-phishing controls, and automated log review. How compliance is validated depends on transaction volume: Level 1 merchants (more than 6 million transactions per year) need an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly external network scans by an Approved Scanning Vendor (ASV); Level 2 to 4 merchants can complete a Self-Assessment Questionnaire (SAQ). Non-compliance can result in fines of USD 5,000 to 100,000 per month, increased transaction fees and possible loss of the ability to accept cards. The future-dated requirements in PCI DSS 4.0 remained best practice until 31 March 2025, after which they are mandatory.
Cardholder Data Protection
Focuses specifically on protecting credit/debit card account numbers, cardholder names, expiration dates, and service codes throughout the transaction lifecycle. The primary account number (PAN) is the defining element: the other elements are only in scope when stored or transmitted together with it. Sensitive authentication data (full track data, the CAV2/CVC2/CVV2/CID code, and PINs or PIN blocks) must never be retained after authorization, even if encrypted.
Network Segmentation
Strongly encourages isolating the cardholder data environment (CDE) from the rest of the network to reduce scope and simplify compliance. Segmentation is not mandatory, but where it is relied on to keep systems out of scope, its effectiveness must be verified by penetration testing; a system that is merely on a separate VLAN but can still reach the CDE remains in scope.
Strong Cryptography
Requires strong cryptography for PAN transmitted over open, public networks (Requirement 4) and requires stored PAN to be rendered unreadable (Requirement 3) using one-way hashes based on strong cryptography, truncation, index tokens, or strong encryption, with documented key-management procedures covering key generation, distribution, storage, rotation and retirement.
The 12 Requirements
- Install and maintain network security controls
- Apply secure configurations to all components
- Protect stored account data
- Encrypt cardholder data over open networks
- Protect from malicious software
- Develop and maintain secure systems
- Restrict access by business need-to-know
- Identify users and authenticate access
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
Who Needs to Comply?
Any organization that stores, processes, or transmits payment card data — merchants, payment processors, acquirers, issuers, and service providers regardless of transaction volume.
Key Requirements
Cardholder Data Environment Scoping
Identify all system components, people, and processes that store, process, or transmit cardholder data, plus any system that is connected to the CDE or could affect its security. Proper scoping is the foundation: reducing scope reduces compliance burden, and a PAN that turns up in an "out-of-scope" log file or database pulls that system back into scope.
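As an added example, not part of the original page or of any PCI SSC material, the following Python script does the two things the Cardholder Data Protection and Scoping sections describe: it discovers candidate PANs in free text such as application logs, using a digit pattern filtered by the Luhn check to cut down false positives, and it masks what it finds so the output can be handled outside the CDE. The log lines and the helper names (find_pans, redact, scan_lines) are constructed for this illustration; the card numbers are the public test PANs, not real accounts.

```python
import re

# Heuristic candidate: 13 to 19 digits, optionally grouped by single spaces or
# dashes, not adjacent to further digits. The Luhn filter below removes most
# order numbers, timestamps and IDs that happen to have this shape.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the candidate regex allows."""
    return candidate.replace(" ", "").replace("-", "")


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number in text, separators removed."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask every digit except the last four.

    PCI DSS 4.0 allows at most the BIN and last four digits to be displayed;
    showing only the last four is the conservative choice for logs and tickets.
    """
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form; other numbers are left alone."""
    def _sub(m: re.Match) -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_lines(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to the masked PANs found on that line.

    This is the output a scoping exercise needs: which log sources or systems
    carry PAN and therefore belong in (or must be cleaned out of) the CDE.
    """
    hits = {}
    for n, line in enumerate(lines, start=1):
        found = find_pans(line)
        if found:
            hits[n] = [mask_pan(p) for p in found]
    return hits


# Constructed sample lines (not real logs). The card numbers are the public
# test PANs 4111111111111111, 378282246310005 and 5555555555554444.
SAMPLE_LOG = [
    "2024-05-02T10:15:03Z checkout pan=4111111111111111 amount=19.99",
    "2024-05-02T10:15:04Z order_id=1234567890123 status=ok",
    "2024-05-02T10:15:05Z support note: customer card 3782 822463 10005 declined",
    "2024-05-02T10:15:06Z refund card=5555-5555-5555-4444 expires=12/27",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG).items():
        print(f"line {n}: {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

The 13-digit order number on the second line matches the digit pattern but fails Luhn, so it is neither reported nor masked. A Luhn pass is still only evidence, not proof: some non-card identifiers are Luhn-valid by chance, so discovery hits need human confirmation before a system is declared part of the CDE. A real discovery run would apply the same logic to databases, file shares, backups and memory captures, not just logs.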
Vulnerability Management
Run internal and external vulnerability scans at least every three months and after any significant change; external scans must be performed by an ASV. Perform internal and external penetration testing at least annually and after significant changes, and test segmentation controls where they are used to reduce scope. Remediate critical and high-risk vulnerabilities within defined timeframes and rescan until a passing result is obtained.
Access Control
Restrict access to cardholder data to only those individuals whose job requires it. Implement multi-factor authentication for all access into the CDE and for all remote network access that originates outside the entity's network.
Logging and Monitoring
Log all access to network resources and cardholder data. Review logs daily. Retain audit trail history for at least 12 months with 3 months immediately available.
Incident Response Plan
Establish, document, and test an incident response plan. Include procedures for containment, forensics, notification of card brands, and post-incident review.
Penalties & Enforcement
Non-compliant organizations face fines from $5,000 to $100,000 per month from card brands. After a breach, costs include forensic investigation ($20K-$500K+), fraud liability, increased processing fees, and potential loss of card acceptance privileges.