Question 1

What is PCI DSS?

Accepted Answer

PCI DSS is the Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council. It defines security requirements for organisations that store, process or transmit cardholder data.

Question 2

Who must comply with PCI DSS?

Accepted Answer

PCI DSS applies to merchants, service providers, processors and any organisation that stores, processes or transmits cardholder data or sensitive authentication data, regardless of size or transaction volume.

Question 3

What is the CDE?

Accepted Answer

The cardholder data environment is the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data, as well as any connected or security-impacting systems.

Question 4

What are the 12 requirements?

Accepted Answer

PCI DSS defines 12 top-level requirements covering network security, data protection, vulnerability management, access control, monitoring, testing and information security policy, grouped into six control objectives.

Question 5

What is PCI DSS v4.0?

Accepted Answer

PCI DSS v4.0 is the current version of the standard. It introduces the Customized Approach, updates authentication requirements, strengthens monitoring and adds requirements around scripts, phishing and targeted risk analysis.

Question 6

What is a ROC and an SAQ?

Accepted Answer

A Report on Compliance is a detailed report produced by a QSA or ISA documenting the assessment. Self-Assessment Questionnaires are shorter forms for eligible merchants and service providers.

Question 7

What is the Customized Approach?

Accepted Answer

The Customized Approach in v4.0 allows organisations to meet the intent of a requirement using alternative controls that are justified and documented through a targeted risk analysis.

Question 8

What is tokenisation?

Accepted Answer

Tokenisation replaces cardholder data with non-sensitive tokens that cannot be used outside the context of a specific merchant or acquirer, reducing PCI DSS scope significantly.

Question 9

What are compensating controls?

Accepted Answer

Compensating controls are alternative controls used when an organisation cannot meet the original requirement due to legitimate and documented technical or business constraints, subject to strict criteria.

Question 10

How does Basenorm support PCI DSS?

Accepted Answer

Basenorm centralises PCI DSS scope, controls, evidence and QSA collaboration, with mappings to ISO 27001 and NIST for control reuse and continuous compliance.

PCI DSS Compliance
for Cardholder Data Environments

CDE Scoping and Segmentation

12 PCI DSS Requirements

Cardholder Data Environment

The 12 PCI DSS Requirements

QSA Collaboration and Continuous Compliance

Quarterly Scan & Pen Test

Ready to operationalise PCI DSS?

Frequently Asked Questions

PCI DSS Compliancefor Cardholder Data Environments

CDE Scoping and Segmentation

12 PCI DSS Requirements

Cardholder Data Environment

The 12 PCI DSS Requirements

QSA Collaboration and Continuous Compliance

Quarterly Scan & Pen Test

Ready to operationalise PCI DSS?

Frequently Asked Questions

What is PCI DSS?

Who must comply with PCI DSS?

What is the cardholder data environment?

What are the 12 PCI DSS requirements?

What changed in PCI DSS v4.0?

What is the difference between a ROC and an SAQ?

What is the Customized Approach?

How can tokenisation and segmentation reduce scope?

What about compensating controls?

How does Basenorm support PCI DSS?

Related FAQ Topics

PCI DSS Compliance
for Cardholder Data Environments