What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the global information security standard for organisations that store, process or transmit cardholder data, governed by the PCI Security Standards Council (PCI SSC) — established by Visa, Mastercard, American Express, Discover and JCB. The current version is PCI DSS v4.0 (March 2022), with v3.2.1 retired on 31 March 2024 and v4.0 future-dated requirements effective 31 March 2025.
12 high-level requirements
- Build secure networks: firewalls (R1), no vendor defaults (R2).
- Protect cardholder data: encryption at rest (R3), encryption in transit (R4).
- Vulnerability management: antivirus (R5), secure development (R6).
- Access control: need-to-know (R7), unique IDs (R8), physical access (R9).
- Monitoring: log all access (R10), regular testing (R11).
- Information security policy: documented programme (R12).
Compliance levels
- Level 1: >6M transactions/year — Report on Compliance (ROC) by QSA.
- Levels 2-4: tiered Self-Assessment Questionnaire (SAQ).
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) for all internet-facing systems.
v4.0 key changes
- Customised Approach: alternative to defined controls, requires targeted risk analysis.
- Phishing-resistant MFA: mandatory for all access into the cardholder data environment (CDE).
- Targeted Risk Analyses: documented basis for frequency-based requirements.
- Increased third-party scrutiny for service providers and shared infrastructure.
In Turkish practice
Turkish banks and payment institutions apply PCI DSS together with the requirements of the BDDK and BKM (Bankalararası Kart Merkezi, the Interbank Card Center). The BDDK Bilgi Sistemleri Yönetimi Tebliği (Communiqué on Information Systems Management) implicitly requires PCI DSS compliance. For Turkish e-commerce/SaaS companies that process card data, PCI DSS requirements largely determine the choice of vendor (Stripe, Iyzico, Craftgate); an architecture in which the vendor's compliance keeps the merchant's own systems out of scope is preferred.
Do: use tokenisation and third-party PCI-compliant processors to minimise scope; complete annual SAQ/ROC; implement phishing-resistant MFA before v4.0 deadlines.
Don’t: store full PAN unless absolutely necessary — masking and tokenisation reduce scope and risk.
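As an added example that is not part of the original page, the Python below puts the masking and logging points above into code: a PAN is masked to at most the first six and last four digits (the PCI DSS display limit), and a Luhn check screens log lines for unmasked PANs so that leakage into logs (R3 protection, R10 monitoring) can be detected and redacted. The log lines are constructed samples, and the card numbers are the well-known 4111... and 5555... test values, not real PANs.

```python
import re

# Constructed sample log (not real data); line 2 holds a 13-digit id that is NOT Luhn-valid.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 checkout pan=4111111111111111 amount=19.90",
    "2024-05-01 12:00:02 order_id=1234567890123 status=ok",
    "2024-05-01 12:00:03 refund card=5555 5555 5555 4444 token=tok_9f8e",
]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask for display: first six (BIN) and last four digits visible, the PCI DSS maximum."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_log_line(line: str) -> tuple[str, int]:
    """Replace each Luhn-valid candidate PAN in one log line; return (clean_line, hits)."""
    hits = 0
    def repl(m):
        nonlocal hits
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # leave non-PAN digit runs (order ids, phone numbers) alone
        hits += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), hits

def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a whole log; a non-zero hit count is what an R10 monitor should alert on."""
    pairs = [redact_log_line(line) for line in lines]
    return [p[0] for p in pairs], sum(p[1] for p in pairs)

if __name__ == "__main__":
    cleaned, found = redact_log(SAMPLE_LOG)
    print("\n".join(cleaned) + f"\nunmasked PANs found: {found}")
```

Any hit in production logs means a system is writing cleartext PAN and has pulled itself into scope; fixing the source of the log entry matters more than the redaction.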