Skip to main content

Payment Card Industry Data Security Standards

New Standards (Version 3.2.1)


PCI DSS Self-Assessments

All merchants should complete the designated self-assessment for their merchant.  Completion of the appropriate self-assessment ensures that you fully understand your processes and operations, that you are educated and are held accountable concerning PCI policy and procedures, and that you recognize and remediate any security flaws.

Category 1 - All credit card processing is outsourced.

Category 2 - Merchant only processes payments using a dial up (copper phone line or cellular) terminal.

Category 3 - Merchant only processes payments using an IP terminal.

Category 4 - Merchant only processes payments using a web-based (virtual terminal), and does not store cardholder data electronically.

Category 5 - Merchant only processes payments using systems connected to the internet and NO electronic cardholder data storage.

Category 6 - Merchant stores electronic cardholder data.

Category P2PE - Merchants who only process payments using hardware payment terminals included in a validated and PCI SSC-listed PCI point-to-point encryption (P2PE) solution.

Category A-EP - Merchants who are e-commerce merchants who are not using URL redirection or iFrame, but instead use Direct post or JavaScript to interact with the gateway.  

Category SPoC - Merchants who use software-based PIN entry on COTS (SPoC) solutions.  


PCI Data Security Standards Overview

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security.  These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.

PCI Data Security Standard - High Level Overview:
  1. Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  2. Protect Cardholder Data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks
  3. Maintain a Vulnerability Management Program
    1. Use and regularly update anti-virus software or programs
    2. Develop and maintain secure systems and applications
  4. Implement Strong Access Control Measures
    1. Restrict access to cardholder data by business need to know
    2. Assign a unique ID to each person with computer access
    3. Restrict physical access to cardholder data
  5. Regularly Monitor and Test Networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes
  6. Maintain an Information Security Policy
    1. Maintain a policy that addresses information security for all personnel


PCI DSS applies where ever account data is stored, processed, or transmitted.  Account Data consists of Cardholder Data plus Sensitive Authentication Data, as follows:

Cardholder Data Includes: Sensitive Authentication Data Includes:
Primary Account Number (PAN) Full magnetic stripe data or equivalent on a chip
Cardholder Name CAV2 / CVC2 / CVV2 / CID
Expiration Date PINs / PIN blocks
Service Code  


The following table illustrates commonly used elements of cardholder and sensitive authentication data, whether storage of each element is permitted or prohibited, and whether each data element must be protected.  This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.

    Data Element Storage Permitted Render Stored Account Data Unreadable per Requirement 3.4
Account Data Cardholder Data Primary Account Number (PAN) Yes Yes
Cardholder Name Yes No
Service Code Yes No
Expiration date Yes No
Sensitive Authentication Data Full Magnetic Stripe Data No Cannot Store
CAV2 / CVC2 / CVV2 / CID No Cannot Store
PIN / PIN Block No Cannot Store
PCI Definitions

Reviewed 2024-04-02