
PCI DSS Compliance Simplified

Recommendations to Help You Build, Manage, and Report Your PCI DSS Compliance


Understanding PCI DSS

The PCI Security Standards Council (PCI SSC) has created more than 250 technical and operational requirements to protect credit card data known as Payment Card Industry Data Security Standards (PCI DSS).


PCI DSS standards form a comprehensive cybersecurity framework and outline best practices your organization should implement to protect sensitive cardholder data from being stolen and misused by attackers.

If your organization accepts, stores, processes, or transmits credit card information, you are subject to compliance.

Whether you’re new to PCI compliance or you’re wanting to streamline and mature your existing framework and procedures, you’ll find this page a great resource for all of your PCI DSS needs.

What You’ll Discover

Simplify PCI DSS Compliance

A cybersecurity framework management solution can help you create, manage, track, and report on PCI DSS compliance measures with ease.


Understanding PCI Compliance

With more than 251 sub-controls, meeting PCI standards is challenging. This guide outlines how to develop a framework and mature your program.


Who Needs PCI Compliance?

Regardless of industry, if your organization accepts, stores, processes, or transmits credit card information, you are subject to PCI compliance.


Understanding PCI DSS Controls

To achieve PCI DSS compliance, your organization must meet all 12 controls established by PCI SSC.


Steps for PCI Compliance

While individual payment card companies set PCI compliance regulations, PCI SSC offers recommendations on ways to meet compliance objectives.


Mapping Compliance Frameworks

PCI DSS and NIST’s Cybersecurity Framework have a common goal—to protect sensitive card data and improve data security.


PCI DSS Merchant Compliance

All PCI DSS merchants are categorized into four compliance levels based on transaction volume during a 12-month time period.


PCI Compliance Blog Snapshots

Wondering how to begin your PCI compliance journey? Check out “Quick Tips for PCI Compliance” and other blogs for support.


PCI Compliance Webinars

With 12 requirements and hundreds of sub-controls, prep for a PCI assessment is extensive. Check out “Secrets to Passing a Cybersecurity Audit” for help.


Frequently Asked Questions

Have any questions about PCI DSS compliance? This PCI frequently asked questions resource is a great place to start.


PCI Marketplace

Searching for tools, guidance, and assistance with PCI DSS? Try the PCI Marketplace.


Apptega for PCI Compliance

Apptega unites your people, processes, technologies and vendors—in one place—to help you manage your PCI compliance framework with ease.


What is PCI Compliance?

PCI has almost 100 security elements, or 100 separate projects, that should be documented, staffed, managed, and solved all together. Apptega is a cybersecurity framework management solution that helps you organize your entire program: who’s accountable, what your policies are, when you need to complete tasks, how much you’re spending, and whether you’re on track, including real-time scoring down to the sub-control level.

Companies across all industries use Apptega to implement and report PCI DSS compliance. With ever-changing regulations and evolving business conditions, Apptega will help you be prepared for your next audit and customer inquiries.

PCI Compliance and Organizational Accountability

Meeting or exceeding PCI DSS shows your customers, partners, and insurers that you have a robust program to protect cardholder data.

Your organization can demonstrate how well you meet these compliance standards by completing an assessment with an independent qualified security assessor (QSA), who can certify that your organization’s existing security procedures meet framework requirements. An approved scanning vendor (ASV) can validate whether your vulnerability scan practices meet PCI scan requirements.

If you successfully meet those requirements, your organization can receive an Attestation of Compliance report, which you must review each year.

If you are not required to submit a Report on Compliance (ROC), you can complete a self-assessment questionnaire to self-assess how well you’re meeting compliance standards.

Failing to meet PCI compliance standards can have a range of negative consequences including significant financial penalties, potential risk of data breaches, and damage to your brand and reputation.

Simplify Your PCI DSS Compliance with Apptega

You can easily build, manage, and report your PCI DSS compliance procedures and overall cybersecurity program within a cybersecurity management software solution like Apptega. Say goodbye to complex GRCs, spreadsheets, and word processing documents and say hello to a single program that will enable you to map all your cybersecurity frameworks in one place.


Here’s a quick overview of how it works:

  • Log into the solution and select the “PCI DSS framework” option.
  • Use the questionnaire process to complete an initial assessment of your readiness.
  • Apptega will instantly design your entire program.
  • If you are using additional cybersecurity frameworks such as NIST, SOC 2, ISO and others, you can use the Harmony capability in Apptega to automatically crosswalk all frameworks to minimize your compliance overhead.
  • From there, you can manage your PCI compliance program including real-time compliance scoring, task management, budgeting, collaboration, and more.
  • Finally, generate one-click reports for audits, board meetings, and customer requests.

Understanding PCI Compliance

When cyber criminals began targeting credit card data in the late 1990s, industry professionals quickly understood they needed to work together to create standards to help protect this sensitive data from would-be attackers. From there, the idea of a credit card security framework was born.

The first version of the PCI DSS framework, unveiled in 2001, was representative of cybersecurity frameworks used by a variety of companies in the credit card industry. The most recent version represents a unification of the industry’s technical and operational requirements to protect cardholder data.

PCI Compliance Guide

There are 12 core requirements and 251 sub-controls that comprise PCI DSS, including:

  • Firewall configurations
  • Changing vendor-supplied defaults
  • Protection of stored data
  • Data transmission encryption
  • Use of anti-virus software
  • Developing and maintaining secure systems
  • Data access restrictions
  • Identification & authentication requirements
  • Physical access restrictions
  • Data access tracking and monitoring
  • Tests of security systems
  • Creating and maintaining a security policy

PCI DSS Compliance Video Demo

Managing PCI DSS compliance is challenging. With more than 12 requirements and 251 sub-controls, many organizations just aren’t sure where to begin. Others have built their programs from scratch and struggle with updates, improvements, gap analyses, and responding to audits because they lack consistency and reliability with how they document their compliance procedures.

If your organization still uses a complex GRC, spreadsheets, or static word processing documents to manage your PCI compliance framework, you may feel frustrated and inefficient. But you don’t have to.


"A cybersecurity management platform can help your organization—large or small—more accurately and efficiently report on PCI DSS compliance, whether you’re just getting started or you’ve been managing PCI since its release." - Billy Norwood

In this video demo, you’ll learn more about how a cybersecurity framework solution can help you:

  • Prepare for your next audit
  • Track and manage all of your tasks, risks, and controls
  • Simplify your program management
  • Monitor your compliance
  • Generate reports that are easy to understand by all your key stakeholders

Leap Credit Case Study

Leap Credit LLC provides a variety of credit services for customers, including tools that enable clients to quickly apply for and get approval on short-term loans. The company’s loan management platform can write loans within six seconds and can fund those loans within five minutes. In less than a year, the company grew from operating in one state to eight.

With that quick growth, the company was suddenly required to comply with a broad range of regulatory standards, including Payment Card Industry Data Security Standards, and prove it had proper controls in place to meet all of those standards.

"Before its growth, Leap Credit used spreadsheets to manage compliance but soon found itself in need of a better and more efficient solution. Enter Apptega." - Desiree Davis, Operations Manager

This case study explores how Leap Credit implemented Apptega to:

  • Evaluate cybersecurity vulnerabilities within the organization and record progress on remediation efforts
  • Encourage collaboration across multiple departments such as human resources, legal, operations, and accounting
  • Easily report metrics to executives and stakeholders

Want to learn how they did it? Download the Leap Credit case study for the full story.


What Our Customers Are Saying

“Cybersecurity is an ongoing program, not a one-time project. With dozens of Storage Post retail locations requiring continuous PCI compliance, Apptega organizes our entire program in one place, giving us incredible efficiencies.”
Jackson Wilson - CIO, Storage Post

Should Your Organization Be PCI Compliant?

Regardless of industry, if your organization accepts, stores, processes, or transmits credit card information, you are subject to PCI compliance. Based on the industry you’re in, here are a few ways a cybersecurity and compliance platform can help you manage your PCI DSS compliance framework:

Maintain your professional reputation while keeping your clients’ financial data secure.

Cyber-attacks on the healthcare industry are on the rise, so provide your patients with peace of mind with PCI-compliant data security standards.

Nonprofit agencies process thousands of credit cards per year, so it’s crucial to include PCI DSS compliance standards in your overall security program.

Energy & Utilities

Demonstrate that your company maintains the highest standards for financial data security.

Dining, Travel, & Leisure

Protect your brand and reputation by ensuring you’re protecting your customers’ credit card information.

Internet & Technology Providers

Receive and maintain credit card data with confidence while protecting your brand and company reputation.

Financial Services & Insurance

In these heavily regulated sectors, it's imperative that you demonstrate you have the right security protocols in place.

Professional Services

Safeguard your clients' credit card information and protect your brand and reputation.

Other Industries

Include PCI DSS compliance as part of your insurance plans and your protection against data theft.

PCI Compliance Simplified

With Apptega, organizations of all sizes are saving time and money and eliminating PCI DSS compliance frustrations. Apptega is a comprehensive platform that enables you to build, manage, and report your cybersecurity program’s success, including a variety of compliance frameworks.


Here are some of its core benefits:

  • Quickly complete questionnaire-based assessments and use Autoscoring to pinpoint program gaps
  • Reduce overhead of aligning with multiple frameworks
  • Promote accountability and accelerate adoption
  • Streamline implementation and expansion
  • Reduce the risk of audit findings and the resulting cost of remediation
  • Improve customer retention
  • Reduce the cost of cybersecurity risk assessments
  • Rely on our award-winning customer support and services teams

Understanding PCI DSS Controls

The PCI Security Standards Council was formed in 2006, representing credit card industry leaders American Express, MasterCard, Discover, Visa, and JCB International. Together, they draw on industry expertise and best practices to develop standards to protect sensitive credit card data. PCI DSS represents those standards and creates a framework organizations can implement to protect cardholder information.

This framework comprises 251 requirements organized into 12 core areas; these 12 areas are the “controls.” To achieve compliance you must demonstrate that you meet these requirements and successfully pass an assessment by a qualified security assessor. Download the PCI DSS compliance guide for a quick look at those 12 controls and what they mean for compliant organizations.

Build and Maintain a Secure Network

  • Firewall Configurations
    Install and maintain a firewall configuration to protect all cardholder data.
  • System Defaults Management
    Ensure vendor-supplied defaults are changed and unnecessary default accounts are disabled before installing systems on your network.

Protect Cardholder Data

  • Stored Cardholder Data Protection
    Use industry-accepted algorithms to encrypt stored cardholder data and limit data retention time.
  • Encrypt Cardholder Data
    Incorporate encrypted transmissions for sending cardholders’ primary account numbers (PAN) over public and open networks.

Create and Maintain a Vulnerability Management Program

  • Anti-virus Software
    Use and regularly update anti-virus software or programs, including use on all systems vulnerable to malware, breaches, compromise, or attacks. Make sure your point-of-sale (POS) and other third-party vendors also employ updated anti-virus software.
  • Secure Systems and Applications
    Keep your systems and applications updated with the latest patches and security fixes so attackers cannot exploit known vulnerabilities.

Implement Strong Access Control Measures

  • Restrict Access to Cardholder Data
    Maintain a need-to-know policy for cardholder data, including a role-based access control (RBAC) system.
  • ID Management
    Make sure every person with computer access has a unique, complex, and detailed ID.
  • Restrict Physical Access to Cardholder Data
    Restrict physical access to cardholder data. Don’t keep sensitive files in the open, and always maintain a current list of authorized payment device users.

Regularly Monitor and Test Networks

  • Track and Monitor Networks
    Track and monitor all access to network resources and cardholder data. For example, install log management technologies to monitor access and review logs daily.
  • Test Security Systems
    Regularly test security systems and processes. For example, plan penetration tests and conduct ongoing vulnerability scans.

Maintain an Information Security Policy

  • Information Security Policy
    Keep updated documentation of your policies and procedures; it serves as evidence of compliance. Your policy should address information security for employees and contractors.

Steps for PCI DSS Compliance

While the Payment Card Industry Security Standards Council manages PCI standards, each credit card company has leeway to enforce its own compliance measures. While the payment card company’s requirements should guide your compliance procedures, here are some basic steps, as outlined by PCI SSC, you can take toward compliance.

  • Determine Scope
    Determine which of your devices, systems, components, and networks are in scope for PCI DSS.

  • Assess Compliance
    Assess compliance by completing the testing steps determined for each PCI DSS requirement.

  • Complete Reports
    Complete (or have your assessor complete) required reports, including documenting all controls.

  • Complete AOC
    Complete an Attestation of Compliance (AOC).

  • Submit Self-assessment
    Submit your self-assessment questionnaire, AOC, report on compliance, ASV scan report, and other documents to your acquirer or payment brand requestor.

  • Remediate Gaps
    If gaps are discovered, implement actions to remediate requirements and then complete an updated report.
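The "Determine Scope" step, together with the stored-data and log-monitoring controls above, turns on one practical question: where does cardholder data actually end up? A primary account number (PAN) that leaks into an application log pulls that log store into PCI DSS scope. The following is an added example, not code from the page or from Apptega: a small scanner that finds candidate PANs in constructed log lines and masks them. It assumes, beyond what the page states, that a candidate PAN is 13 to 19 digits (optionally separated by spaces or dashes) that passes the Luhn checksum, and it masks to the first six and last four digits.

```python
"""Find and mask candidate primary account numbers (PANs) in log text.

Added example (not part of the original page or Apptega's product).
Assumptions not stated on the page: a candidate PAN is a run of 13-19
digits, optionally separated by single spaces or dashes, that passes the
Luhn check; masking keeps the first six and last four digits.
"""
import re

# Digits with optional single space/dash separators; the look-around
# assertions stop us from matching inside a longer run of digits.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the optional separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs (digits only) found in text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> tuple:
    """Return (redacted_line, number_of_pans_masked) for one log line."""
    count = 0

    def _sub(m):
        nonlocal count
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)          # not a PAN: leave the text untouched

    return _CANDIDATE.sub(_sub, line), count


# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z INFO checkout ok order=8812 card=4111 1111 1111 1111",
    "2024-01-05T10:00:02Z DEBUG gateway request pan=5555555555554444 amt=19.99",
    "2024-01-05T10:00:03Z INFO session=1234567890123456 user=alice",  # fails Luhn
    "2024-01-05T10:00:04Z INFO order=8813 no card data here",
]


def scan_log(lines) -> list:
    """Return (line_index, masked_line) for every line that carried a PAN."""
    hits = []
    for i, line in enumerate(lines):
        redacted, n = redact_line(line)
        if n:
            hits.append((i, redacted))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {masked}")
```

The 16-digit session identifier on the third line is deliberately left alone: it fails the Luhn check, which is what keeps a scanner like this from flagging every long number in a log.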

How to Map PCI DSS to the NIST Cybersecurity Framework

Many organizations in a variety of industries rely on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop their cybersecurity programs and then mature them over time. The NIST framework provides a solid foundation for cybersecurity, and it shares common goals with PCI DSS: to protect sensitive data and improve data security.


Mapping Made Simple

If you already have the NIST Cybersecurity Framework in place, you may wonder whether you can map PCI DSS to it. The answer is yes. Aligning the two can help you align your organization’s overall cybersecurity and compliance objectives and create a better understanding of the effectiveness of your security procedures.

Apptega's Intelligent Framework Mapping, known as Harmony, allows you to automatically crosswalk and consolidate all shared controls, sub-controls, resources and activities across multiple frameworks within your program. With this powerful capability, you can significantly improve efficiency and reduce overhead.

The PCI Security Standards Council created an in-depth guide that outlines how to map PCI DSS v3.2.1 to NIST’s Cybersecurity Framework v1.1.

PCI DSS Merchant Compliance Levels

Merchant Levels

All PCI merchants are classified into one of four compliance levels. These levels are based on credit or debit card transaction volume during a 12-month period. This includes the transaction volume for all credit, debit, and prepaid transactions.

Merchant Level 1

Any merchant—regardless of acceptance channel—processing more than 6 million credit or debit card transactions per year. Level 1 merchants should conduct an annual internal audit and each quarter should have an ASV conduct a PCI scan.

Merchant Level 2

Any merchant—regardless of acceptance channel—processing 1-6 million transactions per year. Level 2 merchants should do a self-assessment questionnaire each year and could be subject to a quarterly ASV PCI scan.

Merchant Level 3

Any merchant processing 20,000 to 1 million ecommerce transactions per year. Level 3 merchants should do an annual self-assessment and may be required to have quarterly ASV PCI scans.

Merchant Level 4

Any merchant processing fewer than 20,000 ecommerce transactions per year and all other merchants—regardless of acceptance channel—processing up to 1 million transactions per year. Level 4 merchants should conduct an annual self-assessment questionnaire and may need to have a quarterly ASV PCI scan.

PCI DSS Compliance Blogs

9 Quick Tips for PCI Compliance

PCI compliance is an integral part of ensuring your customers’ credit card information is safe. But how do you ensure you’re compliant and your systems are secure? PCI SSC has 9 tips to help you fight against credit card data breaches. Tips range from using validated payment software for all point-of-sale systems and websites to regularly checking devices to ensure no one has installed unapproved or malicious software or skimming devices. This blog highlights those tips and takes a deeper dive into PCI DSS from a broad scope, including compliance requirements, what happens when you’re not in compliance, and how you can ensure compliance regardless of business phase.


Why Internal Audit and IT Should Fight Together Against Cyber Breaches

Organizations of all sizes create departmental and data silos, often fueled by disparate technologies, various schedules, and geographically dispersed teams. Today’s cybersecurity requires cross-collaboration across multiple teams and stakeholders. Internal auditors play an important role in encouraging teams to work together. They help find gaps in your IT and cybersecurity programs to resolve before a breach, or before proving program success to an external auditor or assessment. Improving communication between internal audit and IT teams can lead to a thorough examination of your security and compliance programs to better mitigate risks and improve your security posture.


SOC 2, CIS, NIST, ISO 27001, PCI and more. How do you choose?

Because of an increasing number of data breaches and cyber-attacks across all industries, more organizations are investing time, resources, and talent into building robust and resilient cybersecurity and compliance programs. While some work with outside teams, many build their programs in-house using a variety of security frameworks to help protect their systems and data. From SOC 2 to NIST, from ISO to PCI, which security framework is right for you? This blog takes a quick look at 11 different security frameworks that are applicable across many industries, outlines what makes each unique, and highlights the potential benefits each can add to your cybersecurity program.


PCI DSS Compliance Webinars

How to Choose Which Cybersecurity Framework to Follow

When it comes to creating compliance and cybersecurity programs, there are a number of frameworks you can choose from, or you can draw on the best practices of several, to construct a unique program that works best for your organization. But if you’re new to this, how do you know which one to choose? This on-demand webinar will give you an overview of more than 20 major frameworks, talk about similarities and differences in some, and then outline how you can manage multiple frameworks within a single platform for unprecedented visibility and insight.

Secrets to Passing a Cybersecurity Audit: An Auditor's Perspective

It’s one word that makes teams across industries hold their collective breath: audit. That’s because audit preparation is time-consuming and resource-depleting, and it pulls your team members away from daily tasks so you have everything ready when your audit begins. In this on-demand webinar, learn from industry professionals who’ve been involved in audits at organizations around the globe. They’ll share pitfalls and tips to help you avoid them, including recommendations to mitigate risks for a successful audit. You’ll also learn new approaches to engage with auditors and provide them with the data they need to support your success.


Companies on the Journey to PCI Compliance

PCI Compliance Made Easy with Apptega

How to Build Your PCI Framework with Apptega

  • Select from existing industry cybersecurity and privacy frameworks or create your own consolidated framework with configurable controls
  • Manage multiple cybersecurity frameworks in one place
  • Access real-time scoring, task management, calendar events, collaboration, budgets and vendor management all in one solution
  • Build, manage, and report on all your cybersecurity processes easily through a series of apps representing important controls within your program

With Apptega, You'll Have Access To...

  • Simplified management of your vendor ecosystem
  • Granular tracking for specific frameworks or policies
  • Easy-to-understand dashboards to help you quickly identify gaps and improve your security posture
  • Questionnaire-based surveys for compliance assessments
  • Preset checklists
  • Policy and plan templates
  • Audit-ready compliance reports
  • Certified cybersecurity professionals for additional support

PCI DSS Marketplace

Searching for tools, guidance, and assistance with PCI DSS compliance?

The PCI Marketplace in CyberXchange is mapped to all the controls defined in the PCI DSS framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

PCI Frequently Asked Questions

What is PCI DSS?
PCI DSS is an abbreviation for Payment Card Industry Data Security Standards. These standards are technical and operational requirements established by the PCI Security Standards Council (PCI SSC) to protect cardholder data. Any organization that accepts, stores, processes, or transmits credit card information must meet PCI DSS standards. There are also requirements that directly affect software and app developers (Payment Application Data Security Standard (PA-DSS)), as well as those that create devices used for credit card transactions (PIN Transaction Security (PTS) requirements). PCI DSS sets six core goals achieved through 12 individual requirements. While PCI SSC sets the security standards, each credit card brand determines compliance, validation levels, and enforcement. PCI DSS compliance is assessed by qualified security assessors (QSAs). Approved scanning vendors (ASVs) validate PCI DSS vulnerability scan requirements. The first version of PCI DSS debuted in 2001, representing best practices and frameworks in use by the industry’s major credit card companies. The most current version is v3.2.1.
What is PCI SSC?
PCI SSC is an abbreviation for the Payment Card Industry Security Standards Council. In 2006, American Express, Discover, MasterCard, Visa, and JCB International united to found the council. As a result, each credit card company includes PCI DSS in its individual data security compliance requirements. PCI SSC guides creation of PCI DSS with a mission to “enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.” Learn more about PCI SSC at https://www.pcisecuritystandards.org/about_us.
What is cardholder data?
Cardholder data, according to PCI SSC, is at a minimum the full primary account number (PAN) of a credit card or the full PAN along with any of these: cardholder name, expiration date, or service code. PCI SSC also requires protection of security-related information including sensitive authentication data such as the magnetic stripe data, chip data, PINs, PIN blocks, card validation codes, card validation values, and more.
What does it mean to be PCI DSS compliant?
To be PCI DSS compliant, any organization that accepts, stores, processes, or transmits credit card data must follow and adhere to all of the Payment Card Industry Data Security Standards, including its six goals, 12 core requirements, all of its base requirements, and hundreds of test procedures.
Who is subject to PCI DSS compliance?
Any organization, regardless of size or industry, that accepts, stores, transmits, or processes cardholder data is subject to PCI DSS compliance.
If my organization uses third-party payment processors, do they have to be PCI DSS compliant?
Yes. As with many cybersecurity standards, if your organization uses third-party processors, PCI DSS applies to each of them. Using third-party processors that are PCI DSS compliant helps reduce your risk of a potential data breach. While you should always ensure third-party compliance, don’t stop there. Always look down your supply chain. Do your vendors use other vendors that may access your cardholder data? If yes, you will want to make sure they’re compliant too, to help reduce your risks and exposures.
What’s the purpose of PCI DSS?
The primary purpose of PCI DSS is to protect sensitive cardholder data and reduce the likelihood of a data breach and risks associated with the loss of credit card information. Payment Card Industry Data Security Standards outline how you can prevent potential attacks or breaches, how these attacks can be detected within your systems, and what you should do in the event of a breach. In addition to reducing risks, being PCI DSS compliant builds trust with your customers, key stakeholders, and vendors. It demonstrates that you are taking proactive and industry-approved actions to keep their sensitive data safe.
Who uses PCI DSS?
If your organization, regardless of size or industry, accepts, stores, transmits, or processes cardholder data, then you should rely on PCI DSS to help you protect that data and reduce risks related to breaches and improper access to cardholder information.
What is covered by PCI DSS?
PCI DSS essentially covers all of the technical and operational parts of your organization that are connected to or include credit cardholder information.
Is PCI DSS a law?
No. PCI DSS is not a federal law. It is a set of standards created by the Payment Card Industry Security Standards Council to help protect cardholder information and reduce the potential of a breach. While the government does not mandate PCI DSS compliance, some states include some PCI DSS requirements in their credit card protection laws. Although not a law itself, PCI DSS is part of merchants’ contractual agreements with credit card companies.
What happens if you are not PCI compliant?
PCI compliance violations can create a range of financial and other penalties for organizations. In general, payment brands can choose to fine the merchant banks or acquiring financial institution that processes card transactions, between $5,000 and $100,000 per month for violations. Banks often pass these fines along and they end up directly affecting merchants. In the event of violations, a bank may choose to terminate its relationship with a merchant or impose higher transaction fees.
What are the 4 PCI DSS compliance levels?
The four PCI compliance levels are based on credit or debit card transaction volume during a 12-month period. This includes the transaction volume for all credit, debit, and prepaid transactions. Organizations can use these levels to determine what they need to do to be PCI compliant. Level 1 is for merchants that process more than 6 million credit or debit card transactions each year. Level 2 is one to 6 million transactions each year. Level 3 is 20,000 to 1 million annual transactions. Level 4 is fewer than 20,000 annual transactions.
What is the most current version of PCI DSS?
The newest version of the Payment Card Industry Data Security Standard is version 3.2. This update addresses new exploits and provides more clarity about how organizations can implement and maintain their PCI DSS controls. The most current version includes five new sub-requirements for service providers and two new appendices. PCI SSC retired version 3.1 in 2016.
Is there a PCI compliance framework?
PCI DSS in itself is a compliance framework for credit cardholder data and security. Additionally, if your organization uses the NIST Cybersecurity Framework, you can map your PCI DSS to your NIST framework. Mapping PCI DSS to your NIST Framework can help you align your organization’s cybersecurity and compliance objectives to create a better understanding of your overall security posture.