PCI Security Standards Council — PCI DSS Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework for any entity that stores, processes, or transmits payment card data (merchants, processors, service providers).
Current version: PCI DSS 4.0.1 — the definitive compliance benchmark as of 2026.
Scope and applicability: Applies to all system components included in or connected to the cardholder data environment (CDE). "Scope" in PCI terms is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data — or that could impact their security.
12 primary requirements (summary):
- Install and maintain network security controls.
- Apply secure configurations to all system components.
- Protect stored account data.
- Protect cardholder data with strong cryptography during transmission.
- Protect all systems against malware.
- Develop and maintain secure systems and software.
- Restrict access to system components and cardholder data by business need.
- Identify users and authenticate access.
- Restrict physical access to cardholder data.
- Log and monitor all access to system components and cardholder data.
- Test security of systems and networks regularly.
- Support information security with organizational policies and programs.
Scope-reduction controls:
- Tokenization: Replace PANs with random tokens so raw card numbers never enter the CDP or marketing pipeline; drastically reduces PCI scope.
- Point-to-point encryption (P2PE): Encrypt at the point of interaction; data remains encrypted until it reaches the payment processor's secure environment.
- Hosted payment pages / iFrames: Offload card capture to a PCI-validated hosted solution so raw PAN data never touches the merchant's servers.
- Network segmentation: Isolate the CDE from the rest of the network; systems that are properly segmented from the CDE (no connectivity to it) fall outside PCI DSS scope, while the segmentation controls themselves must be verified during each assessment.
CDP/data-pipeline relevance: Marketing CDPs must not receive, store, or process raw PANs. Best-practice architecture routes payment events to a tokenization vault first; the CDP ingests only tokens, hashed identifiers, or transaction metadata — never card numbers. Once tokenization is verified, the CDP layer falls outside PCI DSS scope; the tokenization vault itself, and any component that can exchange tokens back for PANs, remain in scope.
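As an added illustration of the tokenization-first pipeline described above (example code written for this page, not from the PCI SSC or any CDP vendor): a minimal filter that detects Luhn-valid PANs in a payment event, swaps them for random vault tokens while keeping only the last four digits, plus a gate that refuses any event still carrying a PAN. The `TokenVault` class, the `PAN_RE` pattern and the function names are constructed for the example; in practice the vault is an external, in-scope service.

```python
import re
import secrets
# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def digits_only(s):
    return re.sub(r"[ -]", "", s)

def luhn_valid(digits):
    """Luhn mod-10 check: every real PAN passes; most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Luhn-valid PAN candidates in a string, returned exactly as they appear."""
    return [m.group(0) for m in PAN_RE.finditer(text)
            if luhn_valid(digits_only(m.group(0)))]

class TokenVault:
    """Stand-in for a tokenization vault (constructed here; a real vault is a
    separate, PCI-scoped system). Tokens are random, not derived from the PAN."""
    def __init__(self):
        self._by_pan = {}

    def tokenize(self, pan):
        pan = digits_only(pan)
        if pan not in self._by_pan:                 # same PAN -> same token
            self._by_pan[pan] = "tok_" + secrets.token_urlsafe(16)
        return self._by_pan[pan]

def sanitize_event(event, vault):
    """Swap every PAN in a (possibly nested) event for a token; keep only last four."""
    out = {}
    for key, value in event.items():
        if isinstance(value, dict):
            value = sanitize_event(value, vault)
        elif isinstance(value, str):
            for pan in find_pans(value):
                out.setdefault("card_last4", digits_only(pan)[-4:])
                value = value.replace(pan, vault.tokenize(pan))
        out[key] = value
    return out

def contains_pan(event):
    """Ingestion gate at the CDP boundary: True if any string still holds a PAN."""
    return any(contains_pan(v) if isinstance(v, dict) else isinstance(v, str)
               and bool(find_pans(v)) for v in event.values())
```

Run `sanitize_event` on every event before it crosses into the CDP and reject anything for which `contains_pan` is still true; the Luhn check trims false positives but some non-card identifiers will still pass it, so treat matches as PANs rather than trying to second-guess them.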