The **Payment Card Industry Data Security Standard** (**PCI DSS**) is a set of security requirements established to protect [[Payment card|payment card]] data and reduce [[Credit card fraud|payment card fraud]] by requiring that organizations which store, process, or transmit [[Cardholder data|cardholder data]] maintain a secure environment. It is developed and maintained by the [[Payment Card Industry Security Standards Council]] (PCI SSC), a body founded in 2006 by the major payment card networks [[Visa Inc.|Visa]], [[Mastercard]], [[American Express]], [[Discover Financial Services|Discover]], and [[JCB International|JCB]]; the first version of the standard (v1.0) predates the council and was published in December 2004. PCI DSS applies to any entity involved in payment card processing, including [[Merchant|merchants]], [[Financial institution|financial institutions]], [[Payment processor|payment processors]], and [[Technology company|technology vendors]]. Compliance with the standard is not mandated by law in most jurisdictions but is contractually required by card network and acquirer agreements and enforced through fines, processing restrictions, and reputational consequences for non-compliant entities. The standard defines twelve core requirements grouped into six control objectives: building and maintaining a secure network and systems, protecting account data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. The current major version, PCI DSS v4.0, was published in March 2022; a limited revision, v4.0.1, followed in June 2024, and the previous version, v3.2.1, was retired on 31 March 2024. Requirements that v4.0 introduced as "future-dated" best practices became mandatory on 31 March 2025.
Technical controls required under the standard include network security controls such as [[Firewall (computing)|firewalls]] that segment the cardholder data environment (CDE) from other networks; rendering the stored primary account number (PAN) unreadable through truncation, tokenization, hashing, or strong [[Encryption|encryption]], and transmitting it only under strong cryptography over open, public networks; a prohibition on storing sensitive authentication data (full track data, card verification codes, PINs) after authorization; [[Anti-malware|anti-malware]] software; access restricted on a need-to-know basis according to [[Principle of least privilege|least privilege]]; [[Multi-factor authentication|multi-factor authentication]], which earlier versions required for administrative and remote access and which v4.0 extends to all access into the CDE; and regular [[Penetration test|penetration testing]] and [[Vulnerability scanning|vulnerability scanning]]. Compliance validation requirements vary with transaction volume and business type: merchants and service providers are placed into levels, defined by each card brand, that determine whether self-assessment or a third-party [[Qualified Security Assessor|qualified security assessor]] (QSA) assessment is required. Smaller merchants may complete a [[Self-assessment questionnaire|self-assessment questionnaire]] (SAQ) matching the way they handle card data, while the highest-volume merchants and service providers must undergo an annual on-site assessment by a QSA (or a qualified internal security assessor) resulting in a Report on Compliance. Quarterly external vulnerability scans by an [[Approved Scanning Vendor|approved scanning vendor]] (ASV) are required at every level for any entity with Internet-facing systems in scope, not only for large processors. Despite widespread adoption, PCI DSS compliance has not eliminated payment card breaches; validation is a point-in-time assessment of a defined scope, and breached organizations have frequently been found to have drifted out of compliance or to have mis-scoped their environment, which has led to ongoing debate about the standard's effectiveness as a security measure versus a compliance checkbox. The standard continues to evolve in response to emerging threats: PCI DSS v4.0 introduced a "customized approach" that lets an entity meet a requirement's stated objective with controls of its own design, and added requirements for [[Phishing|phishing]]-protection mechanisms, an inventory of cipher suites and protocols in use to support [[Cryptography|cryptographic]] agility, and [[E-commerce|e-commerce]] protections such as managing and integrity-checking the scripts loaded on payment pages and detecting unauthorized changes to those pages.
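The data-protection controls above are easiest to see on a concrete failure mode: application logs that capture a full PAN, which puts the log store in scope and violates the storage requirement. The following is an added example, written for this page and not code from the PCI SSC or any vendor, of a small log scanner that finds PAN-like digit runs, filters them with the Luhn check digit that card numbers carry, and masks each hit to the first six and last four digits (PCI DSS permits at most the BIN and last four to be displayed). The log lines are constructed for the example and use the well-known Luhn-valid test numbers rather than real card data; the function names and the six/four masking choice are this example's own assumptions.

```python
import re

# Constructed sample log lines for the example (not real card data). The PANs
# are the standard Luhn-valid test numbers; the line-4 value deliberately has
# a wrong check digit to show that the Luhn filter rejects it.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO order=1001 card=4111111111111111 amount=19.99",
    "2024-05-01T10:00:05Z INFO order=1002 ref=1234567890 amount=5.00",
    "2024-05-01T10:00:09Z DEBUG raw_request={'pan': '5555 5555 5555 4444', 'cvv': '123'}",
    "2024-05-01T10:00:12Z INFO order=1003 card=4111-1111-1111-1112 amount=3.50",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run (so a 20-digit reference number is skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check digit test.

    Every card network PAN carries a Luhn check digit, so this rejects most
    random digit runs; roughly one in ten arbitrary runs still passes, so a
    hit is a strong indicator, not proof, of a PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six (BIN) and last four, the maximum PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return the line with Luhn-valid PANs masked, plus the list of masked PANs found."""
    findings: list[str] = []

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw            # not a card number: leave the text untouched
        masked = mask_pan(digits)
        findings.append(masked)
        return masked

    return PAN_RE.sub(_replace, line), findings


def scan_log(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Scan log lines; return (line number, masked PANs found, redacted line) for each hit."""
    report = []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        if found:
            report.append((number, found, redacted))
    return report


if __name__ == "__main__":
    for number, found, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: PAN(s) {found} -> {redacted}")
```

Line 3 also records a card verification code, which the standard forbids storing after authorization at all; a production scanner would extend the pattern set to flag such sensitive authentication data as a finding that requires deletion rather than masking, since no masked form of it may be retained.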