Standard Overview
PCI DSS (Payment Card Industry Data Security Standard) is a global information security standard maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by the major card brands Visa, Mastercard, American Express, Discover and JCB. Version 4.0, published in March 2022 and mandatory since March 31, 2024 (the date on which v3.2.1 was retired), is the most significant revision since PCI DSS 3.0. The standard applies to every entity that stores, processes or transmits cardholder data, including merchants, payment processors, acquirers, issuers and service providers. PCI DSS consists of 12 core requirements grouped under 6 control objectives: build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
PCI DSS 4.0 introduces the customized approach, which lets an organization meet a requirement's stated security objective with alternative controls, while retaining the traditional defined approach. Other major changes include stronger authentication requirements (multi-factor authentication for all access into the cardholder data environment, not only administrative access), expanded cryptography requirements, new e-commerce and anti-phishing protections, and automated log review. How compliance is validated depends on transaction volume: Level 1 merchants (more than 6 million transactions per year) require an annual on-site assessment by a Qualified Security Assessor (QSA) together with quarterly external network scans by an Approved Scanning Vendor (ASV), while Level 2 to Level 4 merchants may complete a Self-Assessment Questionnaire (SAQ) instead (ASV scans are still required of any merchant with Internet-facing systems in scope). Non-compliance can bring fines of $5,000 to $100,000 per month, higher transaction fees and possible loss of the right to accept cards. The future-dated requirements of PCI DSS 4.0 were given a transition period that ended on March 31, 2025; since then they are mandatory.
Cardholder Data Protection
Focuses on protecting cardholder data throughout the transaction lifecycle: the primary account number (PAN) and, when stored together with it, the cardholder name, expiration date and service code. Sensitive authentication data (full track data, card verification codes, PINs and PIN blocks) must never be retained after authorization, even in encrypted form.
Network Segmentation
Strongly encourages isolating the cardholder data environment (CDE) from the rest of the network to reduce scope and simplify compliance. Segmentation is not mandatory, but without it the entire network is in scope; where it is used, the segmentation controls must be penetration-tested at least annually (every six months for service providers) to confirm they actually isolate the CDE.
Strong Cryptography
Requires that stored PAN be rendered unreadable wherever it is kept (strong encryption, truncation, index tokens, or keyed cryptographic hashes; v4.0 no longer accepts an unkeyed hash of the PAN) and that cardholder data be protected with strong cryptography whenever it crosses open, public networks, all under documented key-management procedures covering key generation, distribution, storage, rotation and retirement.
The 12 Requirements
- Install and maintain network security controls
- Apply secure configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
Who Needs to Comply?
Any organization that stores, processes, or transmits payment card data, or that could affect the security of that data (merchants, payment processors, acquirers, issuers, and service providers) must comply regardless of transaction volume; volume only determines how compliance is validated (QSA assessment versus self-assessment).
Key Requirements
Cardholder Data Environment Scoping
Identify all system components, people, and processes that store, process, or transmit cardholder data, together with any system that is connected to the CDE or could affect its security (such as authentication servers, logging hosts, and management jump boxes). Proper scoping is the foundation: reducing scope reduces compliance burden, and v4.0 requires the scope to be documented and confirmed at least once every 12 months (every six months for service providers).
Vulnerability Management
Run internal and external vulnerability scans at least once every three months and after significant changes, with external scans performed by an ASV and rescans repeated until a passing result is obtained. Conduct internal and external penetration testing at least once every 12 months and after significant changes. Install critical and high-risk security patches within one month of release and address remaining vulnerabilities within timeframes set by the organization's risk ranking.
Access Control
Restrict access to cardholder data to only those individuals whose job requires it, with access rights granted by role and reviewed at least every six months. Implement multi-factor authentication for all access into the CDE (a v4.0 change: previously only administrative access required it) and for all remote network access that originates from outside the organization's network.
Logging and Monitoring
Log all access to system components and cardholder data, including every action by an administrative account, and protect the logs from modification. Review logs of critical system components and security functions at least daily (v4.0 permits automated review mechanisms) and other logs at a frequency set by risk. Retain audit trail history for at least 12 months, with at least the most recent 3 months immediately available for analysis.
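A worked illustration of the daily review this requirement calls for, added here and not taken from the page or from PCI SSC guidance: a Python script that parses constructed sshd-style authentication events from CDE hosts and flags any account that accumulates ten or more failed attempts inside a 30-minute window, then escalates the finding if a successful login for that account follows the burst (the ten-attempt and 30-minute figures mirror the lockout parameters of v4.0 Requirement 8.3.4, so a finding also means the lockout control did not work). The log layout, host names, user names and addresses are all made up for the example.

```python
"""Added example: daily review of CDE authentication logs for failed-login bursts (stdlib only)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified syslog-like layout (not real data):
#   <ISO-8601 UTC timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>
SAMPLE_LOG = """\
2024-03-31T02:14:05Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:09Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:14Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:18Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:23Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:27Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:32Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:36Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:41Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:14:45Z cde-db01 sshd: Failed password for svc_batch from 198.51.100.23
2024-03-31T02:15:30Z cde-db01 sshd: Accepted password for svc_batch from 198.51.100.23
2024-03-31T09:00:01Z cde-app01 sshd: Accepted publickey for alice from 10.0.5.12
2024-03-31T09:05:44Z cde-app01 sshd: Failed password for alice from 10.0.5.12
2024-03-31T09:05:50Z cde-app01 sshd: Accepted publickey for alice from 10.0.5.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn log lines into (timestamp, host, user, src, success) tuples, oldest first.

    Lines that do not match the expected layout are skipped rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["user"], m["src"], m["result"] == "Accepted"))
    return sorted(events)


def review_auth(events, max_attempts=10, window=timedelta(minutes=30)):
    """Sliding-window review of failed logins per (host, user).

    A finding is opened when the failures inside `window` reach `max_attempts`
    (the account should have been locked out by then). It is escalated when a
    successful login for the same account arrives within `window` of the last
    failure, which is the pattern of a guessed or sprayed password that worked.
    """
    recent = defaultdict(deque)   # (host, user) -> timestamps of failures inside the window
    findings = {}
    for ts, host, user, src, success in events:
        key = (host, user)
        failures = recent[key]
        if success:
            f = findings.get(key)
            if f and ts - f["last_failure"] <= window:
                f["success_after_burst"] = True
                f["success_src"] = src
            failures.clear()      # a successful login resets the running count
            continue
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()    # drop failures that fell out of the window
        if len(failures) >= max_attempts:
            f = findings.setdefault(key, {
                "host": host, "user": user, "src": src, "attempts": 0,
                "first_failure": failures[0], "success_after_burst": False,
            })
            f["attempts"] = max(f["attempts"], len(failures))
            f["last_failure"] = ts
    return list(findings.values())


if __name__ == "__main__":
    for finding in review_auth(parse_events(SAMPLE_LOG)):
        print(finding)   # one finding: svc_batch on cde-db01, 10 attempts, success_after_burst True
```

In the sample, alice's single failed attempt followed by a key-based login never reaches the threshold and produces nothing, while the svc_batch account on the database host produces a finding that the reviewer should treat as a suspected compromise rather than a noisy user, because the success came 45 seconds after the tenth failure.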
Incident Response Plan
Establish, document, and test an incident response plan at least once every 12 months. Include procedures for containment and eradication, evidence preservation and forensics, notification of the acquirer and payment brands (and of affected parties as required by law), and a post-incident review that feeds lessons learned back into the plan.
Penalties & Enforcement
Non-compliant organizations face fines from $5,000 to $100,000 per month, levied by the card brands on the acquiring bank and normally passed through to the merchant under its merchant agreement. After a breach, costs include a mandatory forensic investigation by a PCI Forensic Investigator ($20K-$500K+), liability for resulting fraud and card reissuance, increased processing fees, and potential loss of card acceptance privileges.