PCI DSS Requirements Explained: The Complete Compliance Checklist for Developers
A QSA just emailed your team: “Please provide evidence of PCI DSS compliance for your payment application.” You stare at the 300-page standard and think β where do I even start? Right here.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was created by the five major card networks β Visa, Mastercard, American Express, Discover, and JCB β through the PCI Security Standards Council (PCI SSC).
PCI DSS isn’t a law, but it’s contractually enforced. If you accept card payments, your acquiring bank requires compliance. Non-compliance can result in fines of $5,000 to $100,000 per month, increased transaction fees, or β worst case β losing the ability to accept card payments entirely.
See it in action: Our PCI Sanitizer demonstrates Requirement 3.4 in practice β masking PANs and sensitive data before they hit your logs.
Also Known As…
PCI DSS goes by several names depending on the context:
| Name | Context |
|---|---|
| PCI DSS | Official standard name |
| PCI compliance | Industry shorthand |
| PCI | Casual abbreviation (technically refers to the council, not the standard) |
| PCI Data Security Standard | Full formal name |
| PA-DSS | Legacy predecessor for payment applications (now replaced by PCI SSF) |
| PCI SSF | Software Security Framework β the modern successor to PA-DSS |
| SAQ | Self-Assessment Questionnaire (how most merchants prove compliance) |
The PCI DSS standard is currently on version 4.0.1 (released June 2024), which replaces version 3.2.1. Version 4.0 introduced significant changes, including a shift toward customized validation alongside the traditional defined approach.
The 12 PCI DSS Requirements at a Glance
PCI DSS is organized into 6 goals containing 12 requirements. This is your compliance checklist:
| # | Requirement | Goal |
|---|---|---|
| 1 | Install and maintain network security controls | Build and Maintain a Secure Network |
| 2 | Apply secure configurations to all system components | Build and Maintain a Secure Network |
| 3 | Protect stored account data | Protect Account Data |
| 4 | Protect cardholder data with strong cryptography during transmission | Protect Account Data |
| 5 | Protect all systems and networks from malicious software | Maintain a Vulnerability Management Program |
| 6 | Develop and maintain secure systems and software | Maintain a Vulnerability Management Program |
| 7 | Restrict access to system components and cardholder data by business need-to-know | Implement Strong Access Control Measures |
| 8 | Identify users and authenticate access to system components | Implement Strong Access Control Measures |
| 9 | Restrict physical access to cardholder data | Implement Strong Access Control Measures |
| 10 | Log and monitor all access to system components and cardholder data | Regularly Monitor and Test Networks |
| 11 | Test security of systems and networks regularly | Regularly Monitor and Test Networks |
| 12 | Support information security with organizational policies and programs | Maintain an Information Security Policy |
These 12 requirements break down into over 300 individual sub-requirements β but as a developer, you only need to focus on the ones that directly impact your code and architecture.
PCI DSS Compliance Levels
Not every merchant has the same compliance burden. The card networks assign compliance levels based on annual transaction volume:
| Level | Annual Transactions | Validation Requirement |
|---|---|---|
| Level 1 | Over 6 million | Annual on-site audit by a QSA + quarterly network scan |
| Level 2 | 1β6 million | Annual SAQ + quarterly network scan |
| Level 3 | 20,000β1 million (e-commerce) | Annual SAQ + quarterly network scan |
| Level 4 | Under 20,000 (e-commerce) or up to 1 million (other) | Annual SAQ + quarterly network scan (recommended) |
Key terms: A QSA (Qualified Security Assessor) is a PCI-certified auditor. An ASV (Approved Scanning Vendor) performs external vulnerability scans. An ISA (Internal Security Assessor) is trained staff who can perform internal assessments.
SAQ Types: Which One Do You Need?
The Self-Assessment Questionnaire you complete depends on how you handle card data:
| SAQ Type | Scenario | Questions |
|---|---|---|
| SAQ A | Card-not-present, fully outsourced (e.g., Stripe Checkout hosted page) | ~30 |
| SAQ A-EP | E-commerce with website that affects security of payment (e.g., redirect to processor) | ~140 |
| SAQ B | Imprint machines or standalone dial-out terminals only | ~40 |
| SAQ B-IP | Standalone PTS-approved terminals, IP-connected | ~80 |
| SAQ C | Payment application connected to internet, no electronic cardholder data storage | ~160 |
| SAQ C-VT | Virtual terminal on isolated computer, no electronic storage | ~70 |
| SAQ D | All other merchants / service providers | ~330 |
| SAQ P2PE | Hardware terminals using a PCI-validated P2PE solution | ~30 |
The golden rule: The less card data you touch, the fewer requirements apply to you.
Deep Dive: Requirements That Matter Most to Developers
Let’s break down the requirements where developers have the most impact.
Requirement 3: Protect Stored Account Data
This is where most developer mistakes happen. The rules are clear about what you can and cannot store:
| Data Element | Storage Allowed? | Protection Required |
|---|---|---|
| PAN (Primary Account Number) | Yes | Must be rendered unreadable (encryption, truncation, hashing, or tokenization) |
| Cardholder name | Yes | Protection required if stored with PAN |
| Service code | Yes | Protection required if stored with PAN |
| Expiration date | Yes | Protection required if stored with PAN |
| Full magnetic stripe data | NEVER | Cannot be stored post-authorization |
| CAV2/CVC2/CVV2 | NEVER | Cannot be stored post-authorization |
| PIN / PIN block | NEVER | Cannot be stored post-authorization |
PAN Masking and Truncation
When displaying PANs, PCI DSS allows showing at most the first 6 and last 4 digits (but not both at once unless there’s a business justification and proper access controls):
function maskPAN(pan) {
const cleaned = pan.replace(/\D/g, '');
if (cleaned.length < 13) return '****';
// Show first 6 and last 4 (requires business justification per PCI DSS 4.0)
// Default safe approach: show only last 4
const lastFour = cleaned.slice(-4);
const masked = '*'.repeat(cleaned.length - 4) + lastFour;
return masked;
}
// Input: 4111111111111111
// Output: ************1111
Try it yourself: Paste a log file containing PANs into our PCI Sanitizer to see compliant masking applied automatically.
Encryption Requirements
If you store PANs, PCI DSS Requirement 3.5 mandates strong cryptography with proper key management:
| Method | PCI Approval | Notes |
|---|---|---|
| AES-256 | Approved | Industry standard for data-at-rest encryption |
| TDES (3DES) | Being deprecated | Still seen in legacy systems; avoid for new development |
| RSA 2048+ | Approved | For key wrapping and transport encryption |
| Tokenization | Approved | Replace PAN with non-reversible token β reduces PCI scope |
| Truncation | Approved | Store only a portion (e.g., last 4); irreversible |
| One-way hash | Approved (with salt) | Irreversible; keyed hashing recommended (HMAC) |
Requirement 4: Protect Data in Transit
Every transmission of cardholder data across open, public networks must use strong cryptography:
// WRONG: HTTP for payment data
fetch('http://api.example.com/charge', {
body: JSON.stringify({ pan: '4111111111111111' })
});
// CORRECT: TLS 1.2+ enforced
fetch('https://api.example.com/charge', {
body: JSON.stringify({ pan: '4111111111111111' }),
headers: { 'Content-Type': 'application/json' }
});
PCI DSS 4.0 explicitly requires TLS 1.2 or higher. Earlier versions (SSL, TLS 1.0, TLS 1.1) are prohibited.
| Protocol | PCI Status |
|---|---|
| SSL 2.0 / 3.0 | Prohibited |
| TLS 1.0 | Prohibited |
| TLS 1.1 | Prohibited |
| TLS 1.2 | Approved (minimum) |
| TLS 1.3 | Approved (recommended) |
Requirement 6: Secure Development Practices
PCI DSS 4.0 significantly expanded Requirement 6 for software development:
Secure Development Lifecycle
| Sub-Requirement | What It Means for Developers |
|---|---|
| 6.2.1 | Develop software securely using industry standards (OWASP, CERT) |
| 6.2.2 | Train developers annually in secure coding for your tech stack |
| 6.2.3 | Review custom code for vulnerabilities before production release |
| 6.2.4 | Use software engineering techniques to prevent common vulnerabilities |
| 6.3.1 | Identify and manage security vulnerabilities via a formal process |
| 6.3.2 | Maintain an inventory of custom and third-party software components |
| 6.4.1 | Protect public-facing web applications against attacks (WAF or code review) |
| 6.4.2 | Manage payment page scripts (new in PCI DSS 4.0!) |
Requirement 6.4.2: Payment Page Script Management
This is brand new in PCI DSS 4.0 and catches many teams off guard. If you have a payment page, you must:
- Inventory all scripts loaded on the payment page (including third-party)
- Justify each script’s presence and business need
- Verify script integrity using Subresource Integrity (SRI) or Content Security Policy (CSP)
- Monitor for unauthorized changes to scripts
<!-- CORRECT: SRI hash ensures script integrity -->
<script src="https://js.stripe.com/v3/"
integrity="sha384-ABC123..."
crossorigin="anonymous"></script>
<!-- CORRECT: CSP header restricts script sources -->
<!-- Content-Security-Policy: script-src 'self' https://js.stripe.com -->
Requirement 8: Strong Authentication
PCI DSS 4.0 raised the bar for authentication:
| Control | PCI DSS 3.2.1 | PCI DSS 4.0 |
|---|---|---|
| Minimum password length | 7 characters | 12 characters (or 8 if system doesn’t support 12) |
| MFA requirement | Admin access to CDE | All access to the CDE |
| Account lockout | After 6 attempts | After 10 attempts (max) |
| Session idle timeout | 15 minutes | 15 minutes (unchanged) |
| Service account passwords | Must be changed periodically | Must be changed periodically + complexity enforced |
Requirement 10: Logging and Monitoring
Every access to cardholder data must be logged. But here’s the catch β your logs themselves must not contain cardholder data:
// WRONG: PAN in log output
logger.info(`Processing payment for card ${cardNumber}`);
// Output: "Processing payment for card 4111111111111111" β PCI VIOLATION
// CORRECT: Masked PAN in logs
logger.info(`Processing payment for card ${maskPAN(cardNumber)}`);
// Output: "Processing payment for card ************1111" β
What must be logged (Requirement 10.2):
| Event | Required Fields |
|---|---|
| Access to cardholder data | User ID, timestamp, action, success/failure |
| Admin actions | User ID, timestamp, what changed |
| Access to audit trails | User ID, timestamp |
| Invalid access attempts | User ID, timestamp, source |
| Changes to authentication mechanisms | User ID, timestamp, before/after |
| System-level events | Event type, timestamp, component |
Clean your logs: Use our PCI Sanitizer to strip PANs, CVVs, and track data from log files before sharing them with support teams or storing them in log management systems.
What Changed in PCI DSS 4.0
PCI DSS 4.0 represents the biggest update to the standard in years. Here are the changes developers need to know:
| Change | Impact |
|---|---|
| Customized approach | You can now design your own controls if they meet the security objective |
| Targeted risk analysis | Organizations define their own frequency for certain controls |
| Script management (6.4.2) | Must inventory and protect payment page scripts |
| MFA everywhere | MFA required for all CDE access, not just admin |
| 12-char passwords | Minimum password length increased from 7 to 12 |
| Authenticated vulnerability scans | Internal scans must be authenticated |
| Encryption key management | Stricter lifecycle controls for cryptographic keys |
| Phishing protection | Technical controls against phishing now required |
Key Deadlines
| Milestone | Date |
|---|---|
| PCI DSS 3.2.1 retired | March 31, 2024 |
| PCI DSS 4.0 effective | March 31, 2024 |
| Future-dated requirements mandatory | March 31, 2025 |
All future-dated requirements are now mandatory β there’s no more grace period.
PCI DSS Compliance Checklist for Developers
Here’s a practical checklist you can use during code reviews and architecture decisions:
Data Handling
- Never store full track data, CVV2, or PIN post-authorization
- Encrypt stored PANs using AES-256 or stronger
- Implement key rotation for encryption keys
- Use tokenization where possible to reduce PCI scope
- Mask PANs in all display output (show last 4 only)
- Purge cardholder data when no longer needed
Network and Transmission
- Enforce TLS 1.2+ for all cardholder data transmissions
- Disable SSL and early TLS in all configurations
- Implement certificate pinning for mobile applications
- Segment the cardholder data environment (CDE) from other networks
Application Security
- Sanitize all user input (prevent SQL injection, XSS)
- Implement Content Security Policy headers on payment pages
- Inventory all scripts on payment pages (Requirement 6.4.2)
- Use SRI hashes for third-party scripts
- Conduct code reviews before each production release
- Keep all frameworks and libraries patched and up to date
Authentication and Access
- Enforce 12-character minimum passwords
- Implement MFA for all access to the CDE
- Assign unique IDs to every user (no shared accounts)
- Implement role-based access control (RBAC)
- Lock accounts after 10 failed login attempts
- Set 15-minute session idle timeout
Logging and Monitoring
- Log all access to cardholder data with user ID and timestamp
- Never log PANs, CVVs, or sensitive auth data in plaintext
- Protect audit logs from modification
- Review logs daily for suspicious activity
- Retain audit logs for at least 12 months (3 months readily accessible)
- Synchronize clocks across all systems using NTP
Scope Reduction: The Developer’s Best Friend
The single most impactful thing you can do for PCI compliance is reduce your scope. Less card data in your environment means fewer requirements apply:
| Strategy | Scope Impact | How It Works |
|---|---|---|
| Tokenization | Major reduction | Replace PANs with non-sensitive tokens; token vault is out of your scope |
| P2PE (Point-to-Point Encryption) | Major reduction | Card data encrypted at terminal, decrypted only at processor |
| Hosted payment page | Major reduction | Redirect to processor’s page (Stripe Checkout, Adyen Drop-in) |
| iFrame integration | Moderate reduction | Payment fields rendered by processor in an iframe on your page |
| Network segmentation | Moderate reduction | Isolate CDE from rest of network; non-CDE systems are out of scope |
| Cloud tokenization | Major reduction | Use provider’s vault (e.g., Stripe tokens, Braintree vault) |
Your Full Environment (without scope reduction):
βββββββββββββββββββββββββββββββββββββββββββββββ
β βββββββ ββββββββββ ββββββββ βββββββββββββ β
β β Web β β App β β DB β β Log β β β ALL in PCI scope
β β Srv β β Server β β Srv β β Server β β
β βββββββ ββββββββββ ββββββββ βββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββ
With Tokenization + Segmentation:
ββββββββββββββββββββ ββββββββββββββββββββββββ
β Non-CDE (out β β CDE (in scope) β
β of scope) β β ββββββββ ββββββββββ β
β βββββββ βββββββ β β βToken β β HSM β β
β β Web β β Log β β β βVault β β β β
β β Srv β β Srv β β β ββββββββ ββββββββββ β
β βββββββ βββββββ β ββββββββββββββββββββββββ
ββββββββββββββββββββ
Common PCI DSS Violations (and How to Fix Them)
These are the issues QSAs find most often during assessments:
| Violation | Requirement | Fix |
|---|---|---|
| PANs in log files | 3.4, 10.3 | Implement log sanitization; use our PCI Sanitizer |
| Storing CVV2 post-auth | 3.3.2 | Purge immediately after authorization; never write to disk |
| SSL/TLS 1.0 still enabled | 4.2.1 | Disable in web server and API gateway configs |
| Default passwords on systems | 2.2.2 | Change all vendor defaults before deployment |
| No MFA for CDE access | 8.4.2 | Deploy MFA solution (TOTP, FIDO2, push notification) |
| Unpatched systems | 6.3.3 | Implement automated patching within 30 days of release |
| No script inventory on payment page | 6.4.2 | Audit all <script> tags; implement CSP + SRI |
| Shared admin accounts | 8.2.1 | Assign unique IDs to every individual |
| Logs not reviewed | 10.4.1 | Implement automated log analysis + daily review process |
| No network segmentation | 1.3.1 | Segment CDE with firewalls; document data flows |
Key Management for PCI DSS
Requirement 3.6 and 3.7 mandate a complete cryptographic key management lifecycle. This is where HSMs become essential:
| Phase | PCI Requirement | Implementation |
|---|---|---|
| Generation | 3.6.1.1 | Use HSM or CSPRNG; minimum AES-256 or RSA-2048 |
| Distribution | 3.6.1.2 | Encrypt keys during transport; use key-encrypting keys (KEKs) |
| Storage | 3.6.1.3 | Store in HSM or encrypted key store; never in application code |
| Rotation | 3.6.1.4 | Rotate at least annually or upon suspected compromise |
| Retirement | 3.6.1.4 | Retire keys that have reached the end of their cryptoperiod |
| Destruction | 3.6.1.5 | Securely destroy using zeroization or cryptographic erasure |
| Split knowledge / dual control | 3.6.1.2 | No single person has full key; require 2+ custodians |
Verify your keys: Use our KCV Calculator to compute Key Check Values β the PCI-approved method for verifying key integrity without exposing the key itself.
PCI DSS for Different Architectures
How PCI scope changes depending on your payment integration:
Direct API Integration
You handle raw card data directly. Heaviest PCI scope.
Customer β Your Server (PAN in memory) β Processor API
- SAQ D applicable
- Full 12 requirements apply
- Annual penetration testing required
- Quarterly ASV scans required
Hosted Payment Page (Redirect)
Customer is redirected to the processor’s page. Lightest scope.
Customer β Processor's hosted page β Processor
β
Your server (token only)
- SAQ A applicable
- ~30 questions
- No card data touches your systems
JavaScript/iFrame Integration
Processor’s JS collects card data within your page. Moderate scope.
Customer β Your page (with processor's iFrame/JS)
β
Card data β Processor directly
Token β Your server
- SAQ A-EP applicable
- ~140 questions
- You must protect your payment page scripts (Req 6.4.2)
What PCI DSS Does NOT Cover
Understanding the boundaries prevents false confidence:
| Misconception | Reality |
|---|---|
| PCI compliance means you’re secure | PCI is a minimum baseline, not comprehensive security |
| Passing a SAQ means you passed an audit | SAQs are self-assessments; only Level 1 requires a formal audit |
| PCI only applies to e-commerce | Any channel that touches card data (POS, MOTO, e-comm) is in scope |
| Outsourcing payments removes all PCI obligations | You still have due diligence requirements for your service providers |
| Compliance is a one-time event | PCI requires continuous compliance β it’s an ongoing program |
| PCI protects against all breaches | PCI reduces risk but cannot prevent every attack vector |
Quick Reference: PCI DSS Terminology
| Term | Definition |
|---|---|
| CDE | Cardholder Data Environment β systems that store, process, or transmit card data |
| PAN | Primary Account Number β the 13-19 digit card number |
| SAD | Sensitive Authentication Data β track data, CVV2, PINs (never store post-auth) |
| QSA | Qualified Security Assessor β PCI-certified auditor |
| ASV | Approved Scanning Vendor β performs external vulnerability scans |
| ROC | Report on Compliance β formal audit report from QSA |
| AOC | Attestation of Compliance β summary document of compliance status |
| SAQ | Self-Assessment Questionnaire β self-evaluation of compliance |
| ISA | Internal Security Assessor β trained internal staff for assessments |
| CIS | Center for Internet Security β provides baseline configuration benchmarks |
| CSP | Content Security Policy β HTTP header controlling script sources |
| SRI | Subresource Integrity β hash-based script verification |
| P2PE | Point-to-Point Encryption β encrypts from terminal to decryption at processor |
| DUKPT | Derived Unique Key Per Transaction β key management for terminals |
Next Steps
Now that you understand PCI DSS requirements and how they impact your payment applications:
- Sanitize your logs with the PCI Sanitizer β see Requirement 3.4 and 10.3 in action
- Verify your keys with the KCV Calculator β PCI-compliant key verification
- Learn HSM fundamentals in our HSM Basics for Developers guide β the backbone of PCI key management
- Understand ARQC/ARPC with the ARQC Calculator β the cryptographic operations behind chip card compliance
- Parse payment messages with the ISO 8583 Studio β see where PAN data lives in Field 2
- Look up response codes in the Reference Database when debugging PCI-scoped transaction flows
- Understand track data in our Magnetic Stripe Track Data Guide β the Sensitive Authentication Data that must never be stored post-authorization
- Compare 3DES vs AES in our 3DES vs AES in Payments guide β understand the encryption algorithms behind PCI Requirement 3.5
This post is part of the ISO 8583 Mastery series. Follow along as we explore payment messaging in depth.
Related Posts
π¬ Discussion
Have a question or feedback? Leave a comment below β powered by GitHub Discussions.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card brands to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
If I use a payment gateway like Stripe, am I automatically PCI compliant?
No. While using a PCI-compliant gateway drastically reduces your compliance scope (especially if using hosted fields or iframes), you are still required to complete an SAQ (Self-Assessment Questionnaire) regarding how your application handles data.
What is the penalty for violating PCI DSS?
Non-compliance can result in monthly fines ranging from $5,000 to $100,000 from the acquiring banks, mandatory forensic audits, and in severe cases, the permanent revocation of your ability to process credit cards.