PCI DSS compliance planning for payment card handling including scope reduction, SAQ selection, and security controls
melodic-software/claude-code-plugins
compliance-planning
plugins/compliance-planning/skills/pci-dss-compliance/SKILL.md
January 21, 2026
# PCI DSS Compliance Planning

Comprehensive guidance for Payment Card Industry Data Security Standard compliance before development begins.

## When to Use This Skill

- Building e-commerce or payment processing systems
- Integrating with payment gateways or processors
- Designing scope reduction strategies (tokenization, P2PE)
- Selecting the appropriate SAQ for your business
- Preparing for PCI DSS assessments

## PCI DSS Fundamentals

### Cardholder Data Elements

| Data Element | Description | Storage Permitted? | Protection Required |
|--------------|-------------|--------------------|---------------------|
| **PAN** | Primary Account Number (16 digits) | Yes, if protected | Render unreadable |
| **Cardholder Name** | Name on card | Yes | Protect per requirement |
| **Service Code** | 3-4 digit code | Yes | Protect per requirement |
| **Expiration Date** | MM/YY | Yes | Protect per requirement |
| **CVV/CVC** | Card verification value | **NEVER** after auth | N/A - never store |
| **PIN/PIN Block** | Personal identification | **NEVER** after auth | N/A - never store |
| **Full Track Data** | Magnetic stripe data | **NEVER** after auth | N/A - never store |

### The 12 Requirements (PCI DSS 4.0)

```text
Goal 1: Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all system components

Goal 2: Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission

Goal 3: Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software

Goal 4: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data

Goal 5: Regularly Monitor and Test Networks
10. Log and monitor all acce
```
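The storage rules in the data-elements table, as an added example that is not part of this skill file: a pre-persistence gate that refuses any record carrying sensitive authentication data, renders the PAN unreadable (mask plus keyed hash), and a scanner that finds Luhn-valid PANs in text such as application logs. The field names, the HMAC key and the sample log line are constructed for the example.

```python
import hashlib
import hmac
import re

# Sensitive Authentication Data from the table above: never persisted after authorization.
PROHIBITED_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2", "track_data"}
# Constructed placeholder key; a real deployment pulls it from an HSM or KMS.
HASH_KEY = b"example-hmac-key-from-kms"
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed log line: one Luhn-valid PAN plus a 14-digit order id that is not one.
SAMPLE_LOG = "2026-01-21 auth ok card=4111 1111 1111 1111 order=12345678901234"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates a real PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; the rest is rendered unreadable."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash so a stored record can still be matched without the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Reject SAD outright; replace the PAN with mask + keyed hash before persisting."""
    forbidden = PROHIBITED_FIELDS & {k.lower() for k in record}
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    out = {k: v for k, v in record.items() if k.lower() != "pan"}
    pan = record.get("pan")
    if pan is not None:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("field 'pan' is not a valid PAN")
        out["pan_masked"] = mask_pan(pan)
        out["pan_hash"] = hash_pan(pan)
    return out


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs, e.g. when checking logs for leaked PANs."""
    runs = [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in runs if luhn_valid(d)]
```

Running `find_pans` over log output before it leaves the cardholder data environment is one way to catch PANs that would otherwise bring the logging system into scope.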