What is it? What is its purpose?

The PCI DSS (Payment Card Industry Data Security Standards) is a security standard developed and managed by an independent entity created in 2006 by the main international payment systems (Visa Inc., MasterCard, Discover Financial Services, JCB International and American Express). Its purpose is:

Which are the sensitive data of the card?

PCI DSS has the purpose to protect the data of the cardholder and of authentication, considering the following restrictions:

PCI Sensitive data Data elements Storage allowed Making the stored data unreadable, according PCI requirement
No. of the card (PAN) Yes Yes
Cardholder’s name Yes No
Service Code Yes No
Expiration date Yes No
Confidential Authentication 1 Magnetic stripe data 2 No Not able to store, according to PCI requirement
CAV2/CVC2/CVV2/CID 3 No Not able to store, according to PCI requirement
PIN 4 No Not able to store, according to PCI requirement

  1. The encryption data are confidential and must not be stored after authentication (even if encrypted).
  2. Complete tracking data of the magnetic stripe, equivalent data on chip, or in another place
  3. The three or four-digit value printed on the front or on the back of a payment card
  4. The personal identification number inserted by the cardholder during a transaction with a card and/or the block of the encrypted PIN within the transaction message.

Who must perform a PCI certification?

Every merchant must fulfil the PCI security requirements.
To assess which certification level to perform, each merchant must read in www. pcisecuritystandards.org the validation requirements mandatory to each merchant category.
The classification of each category crosses the merchant’s number of annual transactions, the acceptance channel where the transaction occurs and the merchant’s level of risk.
The distinction between the validation requirements and the subsequent proof of compliance required varies according to the level of risk at which the merchant fits.

Level Criterion Proof of compliance
1 Merchants that:

  • Perform more than 6 million transactions per year, independently of the acceptance channel;
  • Have suffered an attack to their computer systems that have compromised his customer’s cards data.
AOC – Attestation of Compliance
2 Merchants that perform between 1 to 6 million transactions per year, independently of the acceptance channel;
3 Merchants that perform between 20 thousand and 1 million e-commerce transactions per year;
  • Prove the business relationship with the certified services provider (listed in www.visaeurope.com and MC), and
  • Present a self-assessment quiz (SAQ Self Assessment Questionnaire)[1]
4 E-commerce merchants that perform less than 20 thousand transactions per year;

How to obtain the PCI certification?

The PCI certification may be performed using a qualified security consultant – QSA (Qualified Security Assessor), that is certified by the international Payment Systems or by an internal security auditor of the merchant – ISA (Internal Security Assessor), that has concluded the ISA training program, developed according to PCI Council criteria:


For more information about PCI DSS, further reading of the websites of the following entities is suggested:
PCI Security Standards Council  -> https://www.pcisecuritystandards.org/
Visa Europe -> https://www.visaeurope.com/receiving-payments/security/
MasterCard -> https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/site-data-protection-PCI.html
Banco de Portugal – > https://www.bportugal.pt/pt-PT/pagamentos/BoasPraticas/Paginas/Cartoes-de-Pagamento-Comerciantes.aspx

[1] SAQ publicados em www.pcisecuritystandards.org