
What is a PCI Standard?

PCI Security Standards Overview

PCI Security Standards are developed and maintained by the PCI Security Standards Council to protect payment data throughout the payment lifecycle. The different PCI Standards support different stakeholders and functions within the payments industry.

Some of the PCI Standards are intended for use by organizations involved in payments, such as merchants, service providers, and financial institutions, to use within their own environments. These standards support the implementation of secure practices, technologies, and processes within the organization.

Other PCI Standards are intended for developers, technology vendors, and solution providers wishing to demonstrate that their product or service was designed with security in mind and meets a defined set of security requirements. These standards support the validation and listing of products and services that meet the standard and validation program requirements.

All PCI Security Standards are developed in conjunction with a global network of payments industry stakeholders.

The PCI Security Standards Ecosystem


PCI Data Security Standard (PCI DSS)

The PCI DSS defines security requirements to protect environments where payment account data is stored, processed, or transmitted. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data. For more details, refer to: Requirements and Testing Procedures.

Point-to-Point Encryption (P2PE)

The PCI P2PE Standard defines security requirements for P2PE Solutions, P2PE Components, and P2PE Applications to protect payment account data via encryption from the point it is captured in the merchant’s payment device to the point it is decrypted in a solution provider’s or component provider’s environment.

Secure Software

The PCI Secure Software Standard defines security requirements for software vendors and developers to ensure that payment software is securely designed and managed, and that the integrity of payment transactions and the confidentiality of payment data that is stored, processed, or transmitted in association with payment transactions are protected.

Secure Software Lifecycle (Secure SLC)

The Secure Software Lifecycle (SLC) Standard defines security requirements for software vendors and developers to ensure security is integrated throughout the entire software lifecycle and that software is secure by design and able to withstand attack.

PTS Point of Interaction (POI)

The PIN Transaction Security (PTS) Point of Interaction (POI) Standard defines security requirements for the characteristics and management of devices used to protect cardholder PINs (personal identification numbers), account data, and other sensitive payment card data at the point of interaction.

Token Service Provider (TSP)

The Token Service Provider (TSP) Standard defines security requirements for Token Service Providers (TSPs) that generate and issue EMV payment tokens, as defined under the EMV Payment Tokenisation Specification Technical Framework.

PIN Security

The PIN Security Standard defines security requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.

Card Production and Provisioning - Logical

This Standard defines the logical security requirements for the development, manufacture, transport, and personalization of payment cards and their components.

The Card Production and Provisioning Logical Security Requirements are complementary to the Card Production and Provisioning Physical Security Requirements.

Card Production and Provisioning - Physical

This standard defines the physical security requirements for card production and provisioning functions.

The Card Production and Provisioning Physical Security Requirements are complementary to the Card Production and Provisioning Logical Security Requirements.

PCI 3DS Core

The PCI 3-D Secure (3DS) Core Security Standard defines security requirements to protect environments where specific 3DS functions are performed, to enable secure consumer authentication for e-commerce and m-commerce purchases.

PCI 3DS SDK

This standard defines security requirements, assessment procedures, and guidance for 3DS Software Development Kits (SDKs), as defined in the EMV 3-D Secure SDK Specification, to help prevent unauthorized card-not-present (CNP) transactions and to protect merchants from exposure to CNP fraud.

Mobile Payments on COTS (MPoC)

PCI Mobile Payments on COTS (MPoC) builds on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards, which individually address the security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device.

Contactless Payments on COTS (CPoC)

This standard offers security requirements for solutions that enable a merchant’s commercial off-the-shelf (COTS) device (for example, phone or tablet) to accept contactless payments without the need for an external contactless reader by leveraging the native NFC capabilities inherent to a COTS device.

Software-based PIN Entry on COTS (SPoC)

This standard offers security requirements for secure mobile payment acceptance solutions that enable transactions with PIN entry on a merchant commercial off-the-shelf (COTS) device (e.g., smartphone or tablet).

PTS Hardware Security Module (HSM)

The PIN Transaction Security (PTS) Hardware Security Module (HSM) Standard defines security requirements for characteristics and management of hardware security modules throughout their lifecycle, to ensure confidentiality and data integrity during activities such as financial transactions and payment card personalization.

Payment Application Data Security Standard (PA-DSS) – Retired

The Payment Application Data Security Standard (PA-DSS) is retired as of 28 October 2022 and has been superseded by the Secure Software Standard and the Secure Software Lifecycle Standard.