Arrow Payments — PCI DSS v4.x Study Guide

What Is PCI DSS?

PCI DSS (Payment Card Industry Data Security Standard) is an actionable framework for developing a robust payment account data security process, including prevention, detection, and appropriate reaction to security incidents. It was developed to encourage and enhance payment account data security and facilitate the broad adoption of consistent data security measures globally.

⚠️

Why It Matters

84% of data breach caseloads entail payment account data. 93% of data breaches are financially motivated. Vulnerabilities can appear anywhere in the card-processing ecosystem — from POS devices and cloud systems to wireless hotspots and remote access connections.

The 4 Ongoing Steps

Assess

Identify all locations of payment account data, take inventory of all IT assets and business processes, analyze for vulnerabilities, implement/update necessary controls, and undergo a formal PCI DSS assessment.

Remediate

Identify and address any gaps in security controls, fix identified vulnerabilities, securely remove unnecessary payment data storage, and implement secure business processes.

Report

Document assessment and remediation details, and submit compliance reports to the compliance-accepting entity — typically an acquiring bank or payment brands.

Monitor & Maintain

Confirm that security controls continue to function effectively throughout the year. These "business as usual" (BAU) processes should be part of the entity's overall security strategy.

Six Goals, 12 Requirements

1. Build and Maintain a Secure Network and Systems

Req 1: Install and maintain network security controls
Req 2: Apply secure configurations to all system components

2. Protect Account Data

Req 3: Protect stored account data
Req 4: Protect cardholder data with strong cryptography during transmission over open, public networks

3. Maintain a Vulnerability Management Program

Req 5: Protect all systems and networks from malicious software
Req 6: Develop and maintain secure systems and software

4. Implement Strong Access Control Measures

Req 7: Restrict access to system components and cardholder data by business need to know
Req 8: Identify users and authenticate access to system components
Req 9: Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks

Req 10: Log and monitor all access to system components and cardholder data
Req 11: Test security of systems and networks regularly

6. Maintain an Information Security Policy

Req 12: Support information security with organizational policies and programs

Two Validation Approaches in v4.x

Defined Approach

Traditional

The traditional method. Entity implements controls that meet stated requirements; assessor follows defined testing procedures. Best for those wanting clear direction or who already have controls in place. Compensating Controls are an option here when legitimate technical or business constraints prevent meeting a requirement as written.

Customized Approach

Flexible

Allows entities to implement innovative controls that meet the Customized Approach Objective without strictly following the defined requirement. Intended for risk-mature entities. The assessor develops unique testing procedures. Compensating Controls are NOT an option with this approach.

💡

Key Distinction

Compensating Controls = entity is unable to meet the requirement as stated (constraint exists). Customized Approach = entity chooses to meet the requirement differently. These are fundamentally different concepts.

Build & Maintain a Secure Network

Network Security

Install and maintain network security controls

NSCs (firewalls, virtual devices, cloud access controls, SDN) control traffic between network segments. Covers defining, configuring, restricting CDE access, controlling trusted/untrusted connections, and mitigating risks from dual-homed devices.

Secure Config

Apply secure configurations to all system components

Change default passwords, remove unnecessary software/functions/accounts, disable unnecessary services. Covers system components, vendor defaults, and wireless environments. Reduces attack surface by eliminating easy entry points.

Protect Account Data

Data Storage

Protect stored account data

Don't store data unless necessary. SAD must NEVER be stored after authorization. PAN must be rendered unreadable (encrypted). Covers data retention, PAN masking, cryptographic key management, and key lifecycle processes.

Transmission

Protect CHD with strong cryptography during transmission

PANs must be encrypted during transmission over untrusted/public networks. Addresses misconfigured wireless and legacy encryption vulnerabilities. PAN can be protected by encrypting the data, the session, or both.

Maintain a Vulnerability Management Program

Malware

Protect all systems from malicious software

Malware includes viruses, worms, Trojans, ransomware, keyloggers, rootkits. Requires anti-malware prevention/detection, active/monitored mechanisms, and anti-phishing protections for users.

Secure Dev

Develop and maintain secure systems and software

Install critical security patches. Bespoke (third-party built) and custom (internally built) software must be developed securely. Covers vulnerability identification, protecting public-facing web apps, and change management.

Implement Strong Access Control Measures

Access Control

Restrict access by business need to know

"Need to know" = least data needed for the job. "Least privileges" = minimum privileges needed. Access to system components and CHD must be defined, assigned, and managed via an access control system.

Authentication

Identify users and authenticate access

Every user must have a unique ID. Covers account lifecycle management, strong authentication, MFA for CDE access, MFA system configuration, and management of application/system accounts. Applies to all accounts except cardholders.

Physical

Restrict physical access to cardholder data

Physical access controls prevent unauthorized removal of systems or hardcopies. Covers facility entry controls, personnel/visitor management, secure media handling/destruction, and POI device tamper inspection.

Regularly Monitor and Test Networks

Logging

Log and monitor all access to system components and CHD

Audit logs are critical for anomaly detection and forensic analysis. Logs must record: user ID, event type, date/time, success/failure, origination, and affected resource. Logs must be protected, reviewed, and retained.

Testing

Test security of systems and networks regularly

ASV external scans required quarterly. CVSS ≥4.0 = fail. Internal/external penetration testing required regularly. Covers wireless AP monitoring, vulnerability identification, network intrusion detection, and payment page change detection.

Maintain an Information Security Policy

Policy

Support information security with organizational policies and programs

Comprehensive security policy covering: acceptable use policies, risk management, PCI DSS compliance management (12.4), annual scope confirmation (12.5.2), security awareness training (ongoing), personnel screening, TPSP risk management (12.8), TPSP support for customer compliance (12.9), and immediate incident response (12.10).

🔍

Req 9.5 — Device Tamper Inspections

Merchants must periodically inspect POI devices for skimming components or unauthorized substitution. Maintain a POI device inventory, inspect regularly, and train personnel to recognize and report suspicious behavior around payment devices.

🔐

Req 8.4 — MFA for CDE Access

Multi-factor authentication must be implemented to secure all access into the cardholder data environment (CDE). MFA systems must also be configured to prevent misuse (Req 8.5).

📋

Req 12.5.2 — Annual Scope Confirmation

The assessed entity must confirm PCI DSS scope accuracy annually — identifying all account data locations/flows and all systems connected to or that could impact the CDE. This is separate from the assessor's scoping confirmation during the assessment.

Types of Account Data

💳

The Defining Factor

The Primary Account Number (PAN) is the defining factor for cardholder data. The term "account data" includes the full PAN, any CHD present with the PAN, and any SAD elements.

Category	Data Element	Can Store?	Must Render Unreadable?
Cardholder Data (CHD)
CHD	Primary Account Number (PAN)	Yes — minimized per Req 3.2	Yes — per Req 3.5
CHD	Cardholder Name	Yes — minimized per Req 3.2	No
CHD	Service Code	Yes — minimized per Req 3.2	No
CHD	Expiration Date	Yes — minimized per Req 3.2	No
Sensitive Authentication Data (SAD) — CANNOT be stored post-authorization
SAD	Full Track Data (magnetic stripe / chip equivalent)	NEVER post-auth	Yes — if stored pre-auth
SAD	Card Verification Code (CVV/CVC/CAV2/CID)	NEVER post-auth	Yes — if stored pre-auth
SAD	PIN / PIN Block	NEVER post-auth	Yes — if stored pre-auth

🚨

SAD Storage — The Hard Rule

Sensitive Authentication Data (SAD) — which includes CVV/CVC codes, full magnetic stripe data, and PINs — must NEVER be stored after authorization is complete. This applies even if the data is encrypted. There are no exceptions for merchants (issuers have separate defined requirements under Req 3.3.3).

Where Data Lives on a Card

PAN — Embossed on front, stored on magnetic stripe (tracks 1 & 2) and chip
Cardholder Name — Embossed on front
Expiration Date — Embossed on front
Service Code — On magnetic stripe (3-digit code defining card usage rules)
Magnetic Stripe — Full track data on back (tracks 1 & 2) — SAD, NEVER store post-auth
Chip — Equivalent of magnetic stripe data in chip form — SAD, NEVER store post-auth
CVV2/CVC2/CAV2/CID — Security code on back (or front for Amex CID) — SAD, NEVER store post-auth

PAN Masking Requirements

When displaying PAN, only the first six digits and last four digits may be displayed. The middle digits must be masked (e.g., 4111 11xx xxxx 1111). This applies to all displays — screen, paper, receipts, logs.

Encryption Basics

Encryption — Changes plaintext into ciphertext using a cryptographic key
Decryption — Changes ciphertext back into plaintext using the key
Key Management — Req 3.6 and 3.7 require secure key management covering the entire key lifecycle: generation, distribution, storage, retirement, and destruction
Strong Cryptography — Required for PAN storage (Req 3.5) and transmission (Req 4.2). Legacy protocols are not acceptable.

What Is "In Scope" for PCI DSS?

The Cardholder Data Environment (CDE) — all system components, people, and processes that store, process, or transmit CHD/SAD
System components that do not store CHD/SAD but have unrestricted connectivity to CDE components
System components, people, and processes that could impact the security of CHD/SAD (e.g., authentication servers, remote access servers, logging servers)

📐

Scope Reduction via Segmentation

Network segmentation isolates the CDE from the rest of the entity's network. A properly segmented out-of-scope component must be unable to impact CDE security even if compromised. Segmentation reduces assessment cost, compliance cost, and overall risk.

Annual Scope Confirmation (Req 12.5.2)

Entities must annually confirm PCI DSS scope by identifying all account data locations and flows, and all connected/potentially-impacting systems. This includes backup/recovery sites and failover systems. Documentation must be retained for assessor review and the next scope confirmation. This is separate from the assessor's scoping confirmation performed during the assessment.

Third-Party Service Providers (TPSPs)

What Is a TPSP?

Know This

Any entity that stores, processes, or transmits cardholder data on behalf of a customer, or manages in-scope system components on their behalf. Using a compliant TPSP does NOT make the customer PCI DSS compliant, and does NOT remove the customer's responsibility for their own compliance.

Requirement 12.8 — Managing TPSP Relationships

Annual

Perform due diligence before and during the TPSP relationship
Have appropriate agreements in place with all TPSPs
Identify which PCI DSS requirements apply to the customer vs. which apply to the TPSP
Monitor TPSP compliance status at least annually
Important: Req 12.8 only requires monitoring status — the TPSP does NOT need to be PCI DSS compliant for the customer to meet Req 12.8

TPSP Compliance Evidence (Req 12.9)

Provide on Request

If a TPSP has an AOC — they are expected to provide it to customers upon request
If a TPSP does NOT have an AOC — they must provide specific evidence related to applicable PCI DSS requirements so customers/assessors can confirm compliance
Customers and TPSPs must clearly define which requirements each party is responsible for and which are shared

⚠️

Outsourcing Doesn't Transfer Responsibility

Entities that outsource payment environments or operations to third parties remain responsible for ensuring account data is protected by the third party per applicable PCI DSS requirements. Compliance cannot be fully delegated.

Implementing PCI DSS into BAU Processes

Security controls must be maintained on an ongoing basis — not just during assessments. Key BAU practices include:

Monitor security controls for effectiveness on an ongoing basis
Detect and respond to security control failures in a timely manner
Review environment changes (new systems, config changes) for PCI DSS scope impact before completion
Review scope impact after organizational structure changes (mergers, acquisitions)
Periodic reviews to confirm requirements remain in place and personnel follow secure processes
Annual review of hardware and software technologies to confirm continued vendor support and compliance with PCI DSS

PCI DSS Assessment Process — 6 Steps

Scope

Determine where payment account data is stored, processed, and transmitted. Identify which systems and networks are in scope for PCI DSS and confirm the scope of the assessment.

Assess

Perform the assessment on all in-scope system components by following the testing procedures for each PCI DSS requirement to determine if requirements have been met.

Report

Complete required documentation — SAQ or ROC — including documentation of all compensating controls and any requirements met with the customized approach.

Attest

Complete the appropriate Attestation of Compliance (AOC) in its entirety. Official AOCs are only available on the PCI SSC website.

Submit

Submit SAQ or ROC, AOC, and supporting documentation (e.g., ASV scan reports) to the requesting entity — acquiring bank (for merchants) or payment brands/other requestors (for service providers).

Remediate

If required, perform remediation to address requirements not in place. Provide an updated report after remediation is complete.

Validation Documents

SAQ — Self-Assessment Questionnaire

Eligible Merchants

Alternate validation tool for merchants eligible to conduct self-assessments. Different SAQ types apply based on environment: SAQ-A (fully outsourced e-commerce), SAQ-B (imprint/standalone), SAQ-P2PE (validated P2PE), SAQ-D (catch-all, 300+ questions). Contact your acquiring bank or payment brands to determine eligibility.

ROC — Report on Compliance

Large Merchants

Detailed report documenting PCI DSS assessment results. More detailed than SAQs — includes entity environment info, assessor samples, and how each requirement was assessed. Mandatory for QSAs to use for any PCI DSS assessment documented in a ROC. Produced by the QSA.

AOC — Attestation of Compliance

All Entities

Declaration of PCI DSS assessment results, completed and signed by the entity and the QSA (if involved). Reflects results documented in an associated ROC or SAQ. Service providers with an AOC are expected to provide it to customers upon request.

📌

Service Provider SAQ Note

SAQ D for Service Providers is the ONLY SAQ option available to service providers. There is no reduced SAQ type for service providers — they must use SAQ-D or undergo a full ROC.

Assessment Professionals

QSA — Qualified Security Assessor

PCI SSC Qualified

Independent security organizations qualified by PCI SSC to assess and validate PCI DSS adherence. Their role: verify technical information, use independent judgment, provide support during compliance, adhere to testing procedures, validate scope, evaluate compensating controls, and produce the final report.

ISA — Internal Security Assessor

Internal

Employees of PCI-qualified ISA sponsor companies trained to improve PCI DSS understanding, facilitate QSA interactions, and enhance quality/consistency of self-assessments.

ASV — Approved Scanning Vendor

Quarterly Scans

Qualified by PCI SSC to perform external vulnerability scanning. Required quarterly for applicable merchants. To pass: no CVSS score ≥4.0 and no PCI DSS violations in scan results. CVSS 7.0–10.0 = High Severity Fail; 4.0–6.9 = Medium Severity Fail; 0.0–3.9 = Low Severity Pass.

PCIP — Payment Card Industry Professional

Your Cert

Foundational PCI SSC credential demonstrating professional knowledge of PCI SSC standards and supporting materials. Required for Arrow Payments TSMs and CSMs within Year One.

QIR — Qualified Integrator & Reseller

Your Cert

PCI SSC trained integrators and resellers who address critical security controls while installing merchant payment systems. Reduces merchant risk by focusing on the most common causes of payment data breaches. Required for Arrow Payments TSMs within Year One.

Flashcards

Tap any card to flip it.

PCI DSS Glossary

PCI DSS v4.x Knowledge Test

50 questions covering the 12 requirements, account data types, scope, assessment process, TPSPs, validation approaches, and key PCI concepts. Questions randomized each attempt.

—

out of 50 correct

—

Question Review

Arrow Payments · PCI DSS v4.x Study Guide · Based on PCI SSC Quick Reference Guide Jan 2025