PCI Security Standards Overview

Our PCI Security Standards

PCI Security Standards are developed and maintained by the PCI Security Standards Council to protect payment data throughout the payment lifecycle. The different PCI Standards support different stakeholders and functions within the payments industry.

Some of the PCI Standards are intended for use by organizations involved in payments, such as merchants, service providers, and financial institutions, to use within their own environments. These standards support the implementation of secure practices, technologies, and processes within the organization.

Other PCI Standards are intended for developers, technology vendors, and solution providers wishing to demonstrate that their product or service was designed with security in mind and meets a defined set of security requirements. These standards support the validation and listing of products and services that meet the standard and validation program requirements.

All PCI Security Standards are developed in conjunction with a global network of payments industry stakeholders.

The PCI Security Standards Ecosystem

standards-ecosystem

This diagram notes applicable PCI Security Standards. Contact payments brands for any related compliance programs.

The PCI Security Standards Ecosystem

The PCI Security Standards Ecosystem

This diagram notes applicable PCI Security Standards. Contact payments brands for any related compliance programs.

The PCI Security Standards

pci-dss.jpg

PCI Data Security Standard (PCI DSS)

The PCI DSS defines security requirements to protect environments where payment account data is stored, processed, or transmitted. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.

p2pe.jpg

Point-to-Point Encryption (P2PE)

The PCI P2PE Standard defines security requirements for P2PE Solutions, P2PE Components, and P2PE Applications to protect payment account data via encryption from the point it is captured in the merchant’s payment device to the point it is decrypted in a solution provider’s or component provider’s environment.
ssf.jpg

Secure Software

The PCI Secure Software Standard defines security requirements for software vendors and developers to ensure that payment software is securely designed and managed, and the integrity of payment transactions and the confidentiality of payment data that is stored, processed, or transmitted in association with payment transactions is protected.

ssf-slc-1.jpg

Secure Software Lifecycle (Secure SLC)

The Secure Software Lifecycle (SLC) Standard defines security requirements for software vendors and developers to ensure security is integrated throughout the entire software lifecycle and that software is secure by design and able to withstand attack.
pin-poi.jpg

PTS Point of Interaction (POI)

The PIN Transaction Security (PTS) Point of Interaction (POI) Standard defines security requirements for the characteristics and management of devices used to protect cardholder PINs (personal identification numbers), account data, and other sensitive payment card data at the point of interaction.
tsp.jpg

Token Service Provider (TSP)

The Token Service Provider (TSP) Standard defines security requirements for Token Service Providers (TSPs) that generate and issue EMV payment tokens, as defined under the EMV® Payment Tokenisation Specification Technical Framework.

pin.jpg

PIN Security

The PIN Security Standard defines security requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.
card-logical.jpg

Card Production and Provisioning - Logical

This Standard defines the logical security requirements for the development, manufacture, transport, and personalization of payment cards and their components.

The Card Production and Provisioning Logical Security Requirements are complementary to the Card Production and Provisioning Physical Security Requirements.

card-physical.jpg

Card Production and Provisioning - Physical

This standard defines the physical security requirements for card production and provisioning functions.

The Card Production and Provisioning Physical Security Requirements are complementary to the Card Production and Provisioning Logical Security Requirements.

3DS-Core.jpg

PCI 3DS Core

The PCI 3-D Secure (3DS) Core Security Standard defines security requirements to protect environments where specific 3DS functions are performed, to enable secure consumer authentication for e-commerce and m-commerce purchases.

3ds-sdk.jpg

PCI 3DS SDK

This standard offers security requirements, assessment procedures, and guidance for 3DS Software Development Kits (SDK), as defined in the EMV® 3-D Secure SDK Specification, to help prevent unauthorized card-not-present (CNP) transactions and to protect merchants from CNP exposure to fraud.
mpoc.jpg

Mobile Payments on COTS (MPoC)

PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards which individually address the security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments, using a smartphone or other commercial off-the-shelf (COTS) mobile device.
cpoc.jpg

Contactless Payments on COTS (CPoC)

This standard offers security requirements for solutions that enable a merchant’s commercial off-the-shelf (COTS) device (for example, phone or tablet) to accept contactless payments without the need for an external contactless reader by leveraging the native NFC capabilities inherent to a COTS device.
spoc.jpg

Software-based PIN Entry on COTS (SPoC)

This standard offers security requirements for secure mobile payment acceptance solutions that enable transactions with PIN entry on a merchant commercial off-the-shelf (COTS) device (e.g., smartphone or tablet).
hsm.jpg

PTS Hardware Security Module (HSM)

The PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard defines security requirements for characteristics and management of hardware security modules throughout their lifecycle, to ensure confidentiality and data integrity during activities such as financial transactions and payment card personalization.

training-3ds.png

Intended Audience

All entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.
Photo-3.png

Payment Application Data Security Standard (PA-DSS) – Retired

The Payment Application Data Security Standard (PA-DSS) is retired as of 28 October 2022 and has been superseded by the Secure Software Standard and the Secure Software Lifecycle Standard.

training-3ds.png

Intended Audience

All entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.