The Payment Card Industry Data Security Standard (PCI DSS) was designed to protect cardholder data. The PCI DSS requirements to become PCI compliant are well defined for information security environments that capture, transmit, and store payment card data. Organizations that are seeking PCI compliance have two primary options, based on merchant level: the self-assessment questionnaire (SAQ) or passing an audit by a Qualified Security Assessor (QSA).
There are specific data security standards related to protecting cardholder data that the PCI Security Standards Council (PCI SSC) has outlined. The singular focus of PCI DSS compliance is on environments that store or process payment card data.
The payment card industry is made up of merchants, processors, service providers, and issuers (like Visa, Mastercard, Discover, and American Express). The industry wants to prevent data breaches like those suffered by Marriott and Target.
PCI DSS compliance is much easier to obtain by doing a pre-audit or assessment. The pre-audit should be composed of penetration testing, an overall risk assessment, and a review of the payment card environment. The assessment should make sure that no card data is present outside of the payment card environment and that all of the basic foundational controls of the PCI DSS are present and enforced.