
PCI-DSS Compliance

Payment Card Industry Data Security Standard

TRIAS enables merchants, service providers, and financial institutions to achieve PCI-DSS compliance. Protect cardholder data (CHD) and sensitive authentication data (SAD), implement security controls across 12 requirements, and avoid fines ranging from $5,000 to $100,000 per month.

$100K: monthly fines avoided (maximum penalty)

12/12: requirements covered (complete compliance)

100%: CHD visibility (all cardholder data tracked)

Real-time: breach detection (instant alerts)

PCI-DSS Requirements

12 requirements across 6 control objectives

Req 1-2: Secure Network

Install and maintain a firewall configuration. Do not use vendor-supplied defaults for system passwords and other security parameters.

Req 3-4: Protect Cardholder Data

Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.

Req 5-6: Vulnerability Management

Protect systems against malware. Develop and maintain secure systems and applications.

Req 7-8: Access Control

Restrict access to cardholder data by business need to know. Identify and authenticate access to system components.

Req 9-10: Monitoring & Testing

Restrict physical access to cardholder data. Track and monitor all access to network resources and cardholder data.

Req 11-12: Security Policy

Regularly test security systems. Maintain an information security policy for all personnel.

TRIAS for PCI-DSS Compliance

Complete data protection for payment card security

01

Cardholder Data Discovery (Req 3)

Automatically discover PAN, CVV2, and PIN data across all systems. Identify storage locations, data flows, and unencrypted cardholder data.

02

Data Protection Controls (Req 3-4)

Encrypt cardholder data at rest and in transit. Implement strong cryptography and key management. Prevent unauthorized storage.

03

Access Control (Req 7-8)

Restrict access based on business need to know. Unique user IDs, multi-factor authentication, and role-based access control.

04

Monitoring & Logging (Req 10)

Track all access to cardholder data. Comprehensive audit trails, automated log review, and security event correlation.

12 PCI-DSS Requirements

How TRIAS addresses each requirement

Req 1

Firewalls & Network Security

Network DLP monitors cardholder data flows and detects unauthorized transmission across network boundaries.

Req 2

Secure Configurations

Monitor for default passwords in files. Detect configuration files containing CHD or credentials.

Req 3

Protect Stored CHD

Discover and classify PAN and track data. Auto-encrypt stored cardholder data. Prevent unauthorized storage.

Req 4

Encrypt Transmissions

Monitor email, web traffic, and file transfers for unencrypted PAN. Block or encrypt CHD transmissions automatically.

Req 5

Anti-Malware

Integrate with antivirus systems. Prevent malware from accessing or exfiltrating cardholder data.

Req 6

Secure Systems

Monitor for vulnerabilities exposing CHD. Detect insecure code and configuration issues affecting payment data.
</gml_replace>
<gr_replace lines="143" cat="clarify" orig="Monitor removable">
Monitor removable media containing CHD. Control USB transfers and printing of cardholder data. Badge system integration.

Req 7

Restrict Access (Need to Know)

Role-based access control for CHD. Grant access only to authorized personnel based on job function.

Req 8

Unique IDs & Authentication

Track CHD access by unique user ID. Support MFA for administrative access to payment systems.

Req 9

Physical Access

Monitor removable media with CHD. Control USB, printing of cardholder data. Badge integration.

Req 10

Track & Monitor Access

Comprehensive audit logs of CHD access. Who, what, when, where. Automated log review and alerting.

Req 11

Test Security Systems

Support vulnerability scans and penetration testing. Provide evidence of DLP effectiveness during assessments.

Req 12

Information Security Policy

Automated compliance reporting. Policy enforcement. Documentation for PCI assessors and QSAs.

Protected Cardholder Data

Data elements covered by PCI-DSS

Primary Account Number (PAN)

13-19 digit card number (Visa, Mastercard, Amex, Discover). Must be protected when stored, processed, or transmitted.

Cardholder Name

Name on the card. Combined with the PAN, it constitutes cardholder data (CHD) requiring protection.

Service Code

3-4 digit code on the magnetic stripe. Defines permitted card usage and authorization requirements.

Expiration Date

Card expiration month/year. When combined with the PAN, it requires PCI protection.

Sensitive Authentication Data (SAD)

CVV2/CVC2/CID, PIN, and magnetic stripe data. NEVER store after authorization. Must be encrypted in transit.

Track Data

Full magnetic stripe data from Track 1 or Track 2. Must NEVER be stored after authorization.

PCI-DSS Merchant Levels

Compliance requirements by transaction volume

Level 1 Merchants

6M+ transactions/year

Annual onsite assessment by QSA. Quarterly network scan by ASV. Annual Report on Compliance (ROC).

Level 2 Merchants

1M - 6M transactions/year

Annual Self-Assessment Questionnaire (SAQ). Quarterly network scan by ASV. May require QSA assessment.

Level 3 Merchants

20K - 1M e-commerce transactions/year

Annual Self-Assessment Questionnaire (SAQ). Quarterly network scan by ASV.

Level 4 Merchants

Fewer than 20K e-commerce transactions or fewer than 1M total transactions/year

Annual Self-Assessment Questionnaire (SAQ). Quarterly network scan recommended.

PCI Data Retention Rules

What can and cannot be stored

Allowed to Store

PAN (encrypted), cardholder name, expiration date, service code. The PAN must be encrypted, retention limited, and storage secured.

NEVER Store

Full magnetic stripe data, CVV2/CVC2/CID, PIN/PIN Block. Prohibited even if encrypted. Delete after authorization.

Retention Minimization

Store only what is needed for business, legal, or regulatory requirements. Delete data after the retention period expires.

Secure Deletion

Render CHD unrecoverable when deleted. Secure wipe, cryptographic erasure, physical destruction of media.
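The discovery, data-element and retention passages above (Req 3 discovery, the protected data elements, and the "Allowed to Store" / "NEVER Store" rules) describe what a PAN scanner actually has to decide. The following is an added example, not TRIAS code or any project's own scanner: it finds cleartext PANs in log lines and stored records using the 13-19 digit length rule plus a Luhn check (so order numbers and timestamps that merely look like card numbers are not reported), masks hits to the last four digits, and flags any record that still carries sensitive authentication data fields after authorization. The log lines, the record and the field-name list are constructed for the example; the card numbers are the widely published test numbers, not real accounts.

```python
import re

# Candidate PAN patterns. Formatted forms use a backreference so the separator
# must be consistent within one number. Lookarounds prevent a longer digit run
# (an account reference, a hash) from yielding a partial 13-19 digit match.
PAN_PATTERNS = [
    re.compile(r"(?<!\d)\d{13,19}(?!\d)"),                      # unformatted, 13-19 digits
    re.compile(r"(?<!\d)\d{4}([ -])\d{4}\1\d{4}\1\d{4}(?!\d)"),  # 4-4-4-4 grouping
    re.compile(r"(?<!\d)\d{4}([ -])\d{6}\1\d{5}(?!\d)"),        # 4-6-5 grouping (Amex style)
]

# Field names that, if populated, mean SAD is stored (constructed list for the example;
# the page's rule: CVV2/CVC2/CID, PIN, track data must never be stored after authorization).
PROHIBITED_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2", "track_data"}

# Constructed sample input: application log lines with a non-PAN 16-digit order id,
# a dash-formatted 16-digit test number and a 15-digit test number.
SAMPLE_LOG_LINES = [
    "2024-01-15T10:22:01Z INFO checkout ok amount=42.00 order=1234567890123456",
    "2024-01-15T10:22:02Z DEBUG exp=12/27 card=4242-4242-4242-4242",
    "2024-01-15T10:22:03Z DEBUG amex=378282246310005 cvv=123",
]

# Constructed sample stored record that violates both retention rules.
SAMPLE_RECORD = {
    "order_id": "1234567890123456",
    "cardholder": "A. Example",
    "pan": "4111 1111 1111 1111",
    "cvv2": "123",
    "expiry": "12/27",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most look-alike numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates in text as plain digit strings, in order of appearance."""
    hits = {}
    for pattern in PAN_PATTERNS:
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits[m.start()] = digits
    return [hits[pos] for pos in sorted(hits)]


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits; a masked PAN is safe to put in a finding."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines) -> list[tuple[int, str]]:
    """Discovery over log lines: (1-based line number, masked PAN) for each cleartext PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


def audit_record(record: dict) -> list[str]:
    """Retention check on a stored record: no populated SAD field, no cleartext PAN in any field."""
    findings = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS and value not in (None, ""):
            findings.append(f"prohibited SAD field stored: {key}")
        for digits in find_pans(str(value)):
            findings.append(f"cleartext PAN in field {key}: {mask_pan(digits)}")
    return findings


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: cleartext PAN {masked}")
    for finding in audit_record(SAMPLE_RECORD):
        print(finding)
```

Run as is, the scan reports the card number on line 2 and the Amex number on line 3 but not the order id on line 1, and the record audit reports both the cleartext PAN and the stored CVV2. Findings carry only the masked PAN, so the scanner's own output does not become another place where CHD is stored.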

PCI Non-Compliance Penalties

Financial consequences and restrictions

Monthly Fines

$5,000 - $100,000/month

Assessed by card brands for non-compliance. Varies by merchant level, breach history, and remediation progress.

Increased Transaction Fees

$0.01 - $0.10 per transaction

Non-compliant merchants pay higher processing fees. Can amount to significant costs for high-volume merchants.

Card Acceptance Termination

Loss of payment processing

Repeated non-compliance or breaches may result in losing the ability to accept major credit cards. A business-ending penalty.

Breach Liability

Millions in damages

Card reissuance costs ($5-10 per card), fraud losses, forensic investigation, legal fees, brand damage, lawsuits.

PCI-DSS Compliance Use Cases

E-Commerce Merchants

Protect online payment data and prevent PAN storage in logs. Secure customer payment information during checkout.

Retail Point-of-Sale

Protect POS systems, payment terminals, receipt data. Prevent cardholder data from leaving secure environment.

Payment Service Providers

Multi-tenant compliance for payment gateways. Protect merchant and consumer payment data across infrastructure.

Call Center Operations

Protect payment data during phone orders. Prevent agents from storing, emailing, or accessing unnecessary CHD.

Achieve PCI-DSS Compliance

Protect payment card data and avoid costly fines with complete PCI-DSS compliance