PCI DSS Basics
The Payment Card Industry Data Security Standard (PCI DSS) is a baseline of technical and operational requirements designed to protect cardholder data. This recipe walks through the three pillars every Meridian-powered service must satisfy before processing live card transactions: scope, controls, and continuous validation.
Define Your Cardholder Data Environment
Scope is the single biggest cost driver in PCI compliance. Start by mapping every system that stores, processes, or transmits the Primary Account Number (PAN). Anything that touches PAN is in scope, plus any connected system that could affect the security of those components.
- Tokenize PAN at the edge to shrink scope
- Segment networks with explicit allow-list firewall rules
- Document data flows annually and after every architecture change
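As an added illustration (not Meridian's code), the script below models the scoping rule above on a constructed data-flow map: a system is in the CDE if it handles PAN, and any system one network hop away from a CDE component is "connected-to" and also in scope. It then shows how edge tokenization and a segmentation rule shrink the in-scope set; all system names are hypothetical.

```python
# Added example (not Meridian code): derive PCI scope from a data-flow map.
# System names and links below are constructed for illustration.
from collections import defaultdict

# handles_pan: the system stores, processes or transmits PAN.
# links: direct network connections (treated as bidirectional).
FLOWS = {
    "cdn-edge":     {"handles_pan": True,  "links": {"payments-api", "token-vault"}},
    "payments-api": {"handles_pan": True,  "links": {"orders-db", "fraud-svc", "token-vault"}},
    "token-vault":  {"handles_pan": True,  "links": set()},
    "orders-db":    {"handles_pan": True,  "links": {"reporting"}},
    "fraud-svc":    {"handles_pan": False, "links": set()},
    "reporting":    {"handles_pan": False, "links": {"bi-dashboard"}},
    "bi-dashboard": {"handles_pan": False, "links": set()},
}

def neighbours(flows):
    """Symmetric adjacency: a link in either direction is a network path."""
    adj = defaultdict(set)
    for name, spec in flows.items():
        for peer in spec["links"]:
            adj[name].add(peer)
            adj[peer].add(name)
    return adj

def cde(flows):
    return {n for n, s in flows.items() if s["handles_pan"]}

def in_scope(flows):
    """CDE plus every 'connected-to' system: one hop from a CDE component."""
    core, adj = cde(flows), neighbours(flows)
    connected = {peer for c in core for peer in adj[c]}
    return core | connected

def tokenize_at_edge(flows, edge, vault):
    """After edge tokenization only the edge and the vault ever see PAN."""
    return {n: {"handles_pan": n in (edge, vault), "links": set(s["links"])}
            for n, s in flows.items()}

def segment(flows, a, b):
    """Drop the a<->b path, i.e. an explicit firewall deny replaces the open link."""
    out = {n: {"handles_pan": s["handles_pan"], "links": set(s["links"])}
           for n, s in flows.items()}
    out[a]["links"].discard(b)
    out[b]["links"].discard(a)
    return out

if __name__ == "__main__":
    print(sorted(in_scope(FLOWS)))                         # 6 of 7 systems in scope
    tokenized = tokenize_at_edge(FLOWS, "cdn-edge", "token-vault")
    print(sorted(in_scope(tokenized)))                     # only edge, vault, payments-api
```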
Apply the Twelve Core Requirements
PCI DSS v4.0 organizes controls into six goals and twelve requirements. They cover firewalls, default passwords, stored data protection, transmission encryption, anti-malware, secure development, access control, identification, physical access, logging, testing, and policy maintenance.
```javascript
// Minimum Meridian baseline for PCI workloads
meridian.policy.attach({
  workload: "payments-api",
  controls: [
    "req-2: no-default-credentials",
    "req-3: pan-encrypted-at-rest",
    "req-4: tls-1.2-minimum",
    "req-8: mfa-on-all-admin",
    "req-10: log-all-pan-access",
    "req-11: quarterly-asv-scan"
  ],
  evidence: "continuous"
});
```
Validate Continuously, Not Annually
The old model of an annual Report on Compliance (ROC) is dead. v4.0 introduces the customized approach and expects evidence to be fresh. Meridian streams control attestations daily into your SAQ or ROC workpaper, so QSAs review live posture instead of last quarter's screenshot.