Valtik Studios
Compliance & Regulation · Term

PCI DSS

also known as: Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council. Required for any organization that stores, processes, or transmits cardholder data. PCI DSS v4.0 replaced v3.2.1 on March 31, 2024, and its future-dated requirements became mandatory on March 31, 2025. Annual internal and external penetration testing (11.4) carries over from v3.2.1; v4.0 adds management of every payment page script loaded in the consumer's browser, with an inventory, written justification and integrity assurance (6.4.3), change- and tamper-detection on payment page content and HTTP headers (11.6.1), MFA for all access into the cardholder data environment (8.4.2), and MFA implementations that resist replay and cannot be bypassed (8.5.1).
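Requirements 6.4.3 and 11.6.1 come down to a concrete mechanism: keep an authorized inventory of the scripts on the payment page and alert when the served page carries a script that is not inventoried, a script whose content no longer matches its recorded digest, or a security header that departs from the baseline. The following is an added example written for this page, not code from Valtik Studios or from the PCI SSC; the inventory, the sample page, the "tampered" script body and the header values are all constructed, and the header names are assumed to be lowercased by whatever captured the response.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity string ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:  # only script bodies are collected
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html, fetched_scripts, inventory, header_baseline, headers):
    """Compare a captured payment page with the authorized script inventory (6.4.3)
    and the security-header baseline (11.6.1). Returns a list of (severity, message)."""
    findings = []
    collector = ScriptCollector()
    collector.feed(html)
    for s in collector.scripts:
        if s["src"] is None:
            # Inline scripts are inventoried by the digest of their body.
            key = "inline:" + sri_digest(s["inline"].strip().encode())
            if key not in inventory:
                findings.append(("high", "unauthorized inline script"))
            continue
        src = s["src"]
        if src not in inventory:
            findings.append(("high", f"unauthorized script {src}"))
            continue
        expected = inventory[src]["integrity"]
        if s["integrity"] != expected:
            findings.append(("medium", f"{src}: integrity attribute missing or not the inventoried digest"))
        body = fetched_scripts.get(src)
        if body is None:
            findings.append(("medium", f"{src}: not fetched, integrity unverified"))
        elif sri_digest(body) != expected:
            findings.append(("high", f"{src}: served content differs from inventoried digest (possible tampering)"))
    for name, value in header_baseline.items():  # header names assumed lowercased
        if headers.get(name) != value:
            findings.append(("high", f"header {name} changed: {headers.get(name)!r}"))
    return findings


# Constructed sample data: one first-party checkout script and one inline config block.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', submitCard);\n"
CHECKOUT_SRI = sri_digest(CHECKOUT_JS)
INLINE_CONFIG = b'window.checkoutConfig = {currency: "USD"};'
INVENTORY = {
    "/static/checkout.js": {"justification": "card form submission", "integrity": CHECKOUT_SRI},
    "inline:" + sri_digest(INLINE_CONFIG): {"justification": "checkout settings", "integrity": None},
}
HEADER_BASELINE = {"content-security-policy": "script-src 'self'"}

# Constructed capture of the page as served: a third-party script was injected,
# checkout.js was modified after deployment, and the CSP was loosened.
TAMPERED_PAGE = (
    "<html><head>\n"
    f'<script src="/static/checkout.js" integrity="{CHECKOUT_SRI}" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.example/analytics.js"></script>\n'
    "</head><body>\n"
    f"<script>{INLINE_CONFIG.decode()}</script>\n"
    "</body></html>\n"
)
TAMPERED_FETCHED = {"/static/checkout.js": CHECKOUT_JS + b"// appended after deployment (constructed)\n"}
TAMPERED_HEADERS = {"content-security-policy": "script-src 'self' https://cdn.example"}

if __name__ == "__main__":
    for severity, message in audit_payment_page(
        TAMPERED_PAGE, TAMPERED_FETCHED, INVENTORY, HEADER_BASELINE, TAMPERED_HEADERS
    ):
        print(severity.upper(), message)
```

Run against the constructed capture it reports three high findings (the injected analytics script, the modified checkout.js, the changed CSP) and nothing for the inventoried inline block. In practice the capture comes from a scheduled fetch of the live payment page from outside the CDE, and the inventory lives under change control so that a new script requires a recorded justification before the check goes quiet.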

Related Terms

More from Compliance & Regulation

SOC 2

An attestation report issued by a CPA firm evaluating an organization's controls against the AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). SOC 2 Type I is point-in-time; Type II covers a period (typically 6 to 12 months). The standard expectation for B2B SaaS serving enterprise customers.

ISO 27001

The international standard (ISO/IEC 27001:2022) for Information Security Management Systems (ISMS). Certification is issued by accredited certification bodies. Annex A lists 93 controls across four themes: Organizational, People, Physical, and Technological. More common internationally than SOC 2; often pursued alongside SOC 2 by global organizations.

HIPAA

US law governing protection of Protected Health Information (PHI). The Security Rule (45 CFR Part 164, Subpart C; safeguards at 164.308, 164.310 and 164.312) requires administrative, physical, and technical safeguards. A proposed Security Rule update (NPRM published January 2025) would mandate annual penetration testing, MFA, encryption of ePHI at rest and in transit, and tighter incident notification timelines.

CMMC 2.0

US Department of Defense program for verifying contractor cybersecurity. The CMMC program final rule (32 CFR Part 170) took effect December 16, 2024. Level 1 (the 15 basic safeguarding requirements of FAR 52.204-21, for FCI) is self-assessed annually. Level 2 (the 110 requirements of NIST SP 800-171, for CUI) requires a C3PAO assessment for most contracts, with self-assessment permitted for some. Level 3 (CUI at higher threat levels, adding 24 requirements drawn from NIST SP 800-172) is assessed by the government (DCMA DIBCAC).

NYDFS 23 NYCRR 500

New York Department of Financial Services cybersecurity regulation governing NY-licensed financial services entities, amended November 2023. Requires a designated CISO, annual penetration testing, MFA, encryption of nonpublic information, risk-based controls, 72-hour notification of cybersecurity events (24 hours for an extortion payment), and an annual certification of compliance signed by the CISO and the highest-ranking executive. Class A Companies face additional requirements, including independent audits and privileged access management.

DMARC

Email authentication standard (RFC 7489) that ties SPF and DKIM to the visible From domain through identifier alignment and adds a published policy plus aggregate (rua) and forensic (ruf) reporting. Google and Yahoo have required DMARC from bulk senders since February 2024, Microsoft Outlook.com since May 2025. Policies: p=none (monitor only), p=quarantine (treat failing mail as suspicious, usually the spam folder), p=reject (refuse failing mail outright).
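What "ties SPF and DKIM together" means in practice is the alignment rule: a message passes DMARC only if SPF passed for a MAIL FROM domain aligned with the From header domain, or a DKIM signature verified for an aligned d= domain; otherwise the published policy decides the disposition. The following is an added example for this page, not code from Valtik Studios or from any DMARC implementation. It follows RFC 7489 but simplifies two things, both marked in the code: the organizational domain is taken as the last two labels instead of consulting the Public Suffix List, and pct= sampling is treated as 100. The records and message scenarios are constructed for a fictional example.com.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")      # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment mode
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("pct", "100")      # sampling percentage (ignored below)
    return tags


def organizational_domain(domain: str) -> str:
    # Assumption for this example: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List so that e.g. co.uk is handled.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from: str, authenticated_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = authenticated_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


def dmarc_verdict(record, policy_domain, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC result and disposition for one message.

    spf_domain is the RFC5321.MailFrom domain SPF evaluated; dkim_domain is the d= of a
    signature that verified. pct= sampling is not applied here (treated as 100)."""
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and is_aligned(header_from, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and is_aligned(header_from, dkim_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    # The policy domain itself gets p=; a subdomain of it gets sp=.
    policy = tags["p"] if header_from.lower() == policy_domain.lower() else tags["sp"]
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else policy,
    }


# Constructed records for the fictional policy domain example.com.
REJECT_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com"
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s"

if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes on the bounce subdomain; relaxed alignment covers it.
    print(dmarc_verdict(REJECT_RECORD, "example.com", "example.com", "pass", "bounce.example.com", "none", None))
    # Spoof: SPF and DKIM both pass, but for the attacker's own domain, so nothing aligns.
    print(dmarc_verdict(REJECT_RECORD, "example.com", "example.com", "pass", "mailer.evil-example.net", "pass", "evil-example.net"))
    # Forwarded mail: SPF breaks at the forwarder, an aligned DKIM signature still carries it.
    print(dmarc_verdict(REJECT_RECORD, "example.com", "example.com", "fail", "forwarder.example.org", "pass", "example.com"))
    # Same spoof under p=none: a failure, but the disposition stays "none" (monitor only).
    print(dmarc_verdict(MONITOR_RECORD, "example.com", "example.com", "pass", "mailer.evil-example.net", "none", None))
```

The forwarded-mail case is the reason a domain moving from p=none to p=reject needs DKIM signing on every legitimate source, not just SPF: the bounce subdomain passes under relaxed alignment, but the same mail relayed through a forwarder fails SPF and survives only on its aligned signature. The strict record shows the other side of that trade: aspf=s rejects the bounce subdomain unless MAIL FROM is exactly example.com.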

Apply this to your environment

Our engagements address concepts like PCI DSS in practice: not just definitions, but how the attack patterns apply to your stack and how to remediate.