
What is PCI DSS?
PCI DSS, or Payment Card Industry Data Security Standard, is a set of security standards designed for organizations that handle credit card information from major card brands. It was created through a joint effort by Visa, Mastercard, American Express, JCB International, and Discover Financial Services to ensure that any entity processing, storing, or transmitting credit card data maintains a minimum level of information security.
The standard is now developed and maintained by the PCI Security Standards Council (SSC), while enforcement is carried out by the five credit card brands.
What is PCI PA DSS?
PA DSS, or Payment Application Data Security Standard, is a complementary standard that applies to payment applications. It ensures that the applications are tested, assessed, and validated for secure handling of cardholder data. If your organization develops payment applications, PA DSS compliance is also required.
To Whom Does PCI DSS Apply?
PCI DSS applies to all organizations that process credit card information from the five aforementioned brands. Non-compliance can lead to fines or sanctions from these companies.
There are four levels of compliance, based on the volume of transactions processed annually:
- Level 1 – Over 6 million transactions
- Level 2 – Between 1 and 6 million transactions
- Level 3 – Between 20,000 and 1 million transactions
- Level 4 – Fewer than 20,000 transactions
What Does PCI DSS Say About Data Classification?
The only direct reference to classification appears in Requirement 9.6.1, which states:
“Classify media so the data’s sensitivity can be determined.”
Here, "media" refers to computers, removable storage devices, paper records, and more. This means it's not necessarily the individual documents that must be classified, but the storage media that holds sensitive data. For example, you should know whether a specific USB drive or laptop contains confidential cardholder information.
Where Else Is Data Classification Relevant?
While PCI DSS does not mandate document-level classification, data classification can still support several critical requirements:
Requirement 2.4 – Maintain an inventory of system components in scope for PCI DSS
You must know which components are involved in processing credit card information—data classification can help identify where that data resides.
Requirement 3.1 – Keep cardholder data storage to a minimum
You must delete cardholder data when it's no longer needed. Classification helps identify and manage unnecessary stored data.
Requirement 3.2 – Do not store sensitive authentication data after authorization
This includes full track data, card validation codes (CVV), and PIN data. Classifying and scanning documents can help locate and eliminate this type of information.
Requirement 4.2 – Never send unprotected PANs via end-user messaging technologies
This applies to email, instant messaging, SMS, and chat apps. Classification can prevent accidental sharing of PANs (Primary Account Numbers).
Requirement 7.1 – Limit access to system components and cardholder data based on job responsibilities
Documents containing cardholder data should be labeled as confidential, and access should be limited. Better yet, if the data is no longer needed, it should be deleted.
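The scanning and labelling that Requirements 3.2, 4.2 and 7.1 rely on can be illustrated with a small scanner. The block below is an added example, not code from the article or from the PCI SSC: it finds candidate PANs as 13 to 19 digit runs and confirms them with the Luhn check, recognises magnetic-stripe track 1 and track 2 strings by their start sentinel, field separators and end sentinel, picks up card verification codes only when they sit next to a label such as CVV or CVC, assigns a handling label to the text, and produces a redacted copy that keeps only the last four PAN digits. The e-mail text it scans is constructed for the example; the label wording and the regular expressions are my own choices, not anything the standard prescribes.

```python
"""Scan unstructured text for cardholder data and sensitive authentication
data, classify the text, and produce a redacted copy.

Added example, not part of the original article. PAN detection is a digit-run
regex plus Luhn validation; track data follows the track 1/2 layout (start
sentinel, PAN, field separator, end sentinel); CVV detection is label-based.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally grouped with spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track data (Req. 3.2: must not be stored after authorization).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")
# Card verification code, only when it appears next to its label.
CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|CAV2?)\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str         # "PAN", "TRACK1", "TRACK2" or "CVV"
    start: int        # span in the scanned text
    end: int
    replacement: str  # what goes into the redacted copy


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits of the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Locate track data, labelled CVVs and Luhn-valid PANs in `text`."""
    findings: list[Finding] = []
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE), ("CVV", CVV_RE)):
        for m in rx.finditer(text):
            findings.append(Finding(kind, m.start(), m.end(), f"[{kind} REMOVED]"))
    # A PAN embedded in track data is already covered; skip overlapping spans.
    for m in PAN_RE.finditer(text):
        if any(f.start <= m.start() < f.end for f in findings):
            continue
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("PAN", m.start(), m.end(), mask_pan(digits)))
    return sorted(findings, key=lambda f: f.start)


def classify(findings: list[Finding]) -> str:
    """Map findings to a handling label for the document or message."""
    kinds = {f.kind for f in findings}
    if kinds & {"TRACK1", "TRACK2", "CVV"}:
        return "RESTRICTED - sensitive authentication data (Req. 3.2)"
    if "PAN" in kinds:
        return "CONFIDENTIAL - cardholder data (Req. 3.1, 4.2, 7.1)"
    return "NO CARDHOLDER DATA"


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with its replacement, working from the end."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f.replacement + out[f.end:]
    return out


# Constructed sample: a support e-mail mixing a harmless 16-digit order
# number (fails Luhn) with a PAN, a CVV and a track-2 string from a log.
SAMPLE_EMAIL = (
    "Hi team, customer called about order #1234567890123456.\n"
    "Card on file: 4111 1111 1111 1111, exp 12/27, CVV: 123.\n"
    "Terminal dump: ;4111111111111111=27121011234567890?\n"
    "Please refund 79.99 and close the ticket."
)

if __name__ == "__main__":
    found = scan(SAMPLE_EMAIL)
    print(classify(found))
    for f in found:
        print(f"{f.kind:6} at {f.start}-{f.end}")
    print(redact(SAMPLE_EMAIL, found))
```

Run on the sample, the scanner flags the PAN, the labelled CVV and the track-2 string, leaves the order number alone because it fails the Luhn check, and labels the message RESTRICTED because sensitive authentication data is present. The same functions can sit in front of an outbound mail or chat gateway (Requirement 4.2) or run over a file share to find documents that need a confidential label or deletion (Requirements 3.1 and 7.1).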
Summary
While PCI DSS does not explicitly require document-level data classification, several of its requirements assume or benefit from classification practices. Proper classification helps ensure compliance, reduce risk, and protect sensitive cardholder information—particularly within unstructured data like Word, Excel, or PDF documents.
According to PCI DSS, cardholder data should not reside in documents. If it does, you must manage and protect it accordingly.