The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. A fundamental principle of PCI-DSS is the protection of cardholder data. Specifically, Requirement 3 mandates the protection of stored cardholder data, requiring the Primary Account Number (PAN) to be rendered unreadable wherever it is stored. Requirement 4 mandates the encryption of cardholder data during transmission over open, public networks. These requirements directly address the prohibition of exchanging or storing credit card data in cleartext.

A. CSA: The Cloud Security Alliance (CSA) provides research and best practices for cloud security (e.g., the Cloud Controls Matrix), but it is not a regulatory standard specifically for credit card data.

B. GDPR: The General Data Protection Regulation (GDPR) is a European Union regulation focused on the protection of personal data and privacy of EU citizens, not exclusively on payment card information.

C. SOC 2: A Service Organization Control 2 (SOC 2) report is an audit of a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy, but it is not the specific standard governing credit card data.

1. PCI Security Standards Council. (2022). Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures

Version 4.0. Page 48

Requirement 3.5.1 states

"Primary account number (PAN) is rendered unreadable wherever it is stored." Page 58

Requirement 4.2.1 states

"Strong cryptography and security protocols are used to safeguard PAN during transmission over open

public networks."

2. Amazon Web Services (AWS). (2024). PCI DSS Compliance. AWS Compliance Documentation. Retrieved from https://aws.amazon.com/compliance/pci-dss-level-1-faqs/. The documentation states

"The PCI DSS is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes."

3. Microsoft Azure. (2024). Azure compliance documentation: PCI DSS. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-pci-dss. The document clarifies

"The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data."