Explain PCI DSS basics: what it protects, who it applies to, and scope reduction.
Short answer
PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council that applies to any organisation that stores, processes, or transmits cardholder data. It is organised around control objectives covering a secure network, protection of stored cardholder data, vulnerability management, strong access control, monitoring/testing, and an information security policy. Scope is everything in the cardholder data environment (CDE) — so segmentation, tokenisation, and not storing data you don't need are the main ways to shrink scope.
PCI DSS is a contractual standard imposed by the major card brands and maintained by the PCI Security Standards Council. It is not a law, but failing it can mean fines and losing the ability to process cards. Interviewers ask this to confirm you understand scope — the thing that drives most of the cost and pain.
What it protects and who it covers
PCI DSS protects cardholder data (the primary account number and related data) and sensitive authentication data (such as the CVV and full magnetic-stripe/chip data). It applies to any merchant or service provider that stores, processes, or transmits this data — from a corner shop to a global payment processor.
The standard groups requirements under broad goals: build and maintain a secure network, protect stored cardholder data, maintain a vulnerability management program, implement strong access control, regularly monitor and test networks, and maintain an information security policy.
Merchant levels and validation
Merchants fall into levels based on annual transaction volume. Lower-volume merchants typically self-assess with a Self-Assessment Questionnaire (SAQ); high-volume ones need an external Qualified Security Assessor and a Report on Compliance.
Scope reduction
The cheapest data to secure is data you never hold. Key techniques:
- Don't store what you don't need — never retain sensitive authentication data after authorisation.
- Tokenisation — replace card numbers with non-sensitive tokens.
- Segmentation — isolate the cardholder data environment so the rest of the network is out of scope.
Why this matters
A strong answer leads with scope and segmentation, and knows that the CVV must never be stored post-authorisation. That signals someone who can actually lower an organisation's PCI burden, not just describe it.
Likely follow-ups
- Why is the CVV/CVV2 not allowed to be stored after authorisation?
- How does network segmentation reduce PCI DSS scope and assessment effort?
- What is the difference between an SAQ and a Report on Compliance (RoC)?