PCI DSS
complianceFull Name: Payment Card Industry Data Security Standard
Definition
PCI DSS is a complete set of security requirements designed to ensure that all organizations accepting, processing, storing, or transmitting credit card information maintain a secure environment. Developed by the PCI Security Standards Council, which was founded by major card brands including Visa, Mastercard, American Express, Discover, and JCB, the standard applies to any entity that handles cardholder data. In the context of the EUDI Wallet, PCI DSS compliance becomes essential when wallet implementations incorporate payment credentials alongside identity documents.
How PCI DSS Works
PCI DSS is organized around twelve core requirements grouped into six control objectives. These requirements address building and maintaining secure networks, protecting cardholder data, maintaining vulnerability management programs, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
The standard mandates that cardholder data, including the primary account number (PAN), cardholder name, expiration date, and service code, must be encrypted when stored and protected during transmission over public networks. Organizations must implement firewalls, use strong cryptography, restrict physical access to cardholder data, and assign unique IDs to each person with computer access.
PCI DSS version 4.0, released in 2022, introduced a more flexible approach allowing organizations to meet security objectives through customized controls rather than strictly prescribed methods. This flexibility is particularly relevant for innovative payment systems like the EUDI Wallet, where traditional compliance approaches may not directly map to new architectures.
PCI DSS in the EUDI Wallet Ecosystem
The EUDI Wallet is designed to hold various types of credentials, and when payment card information is among them, PCI DSS compliance becomes non-negotiable. The wallet must ensure that cardholder data stored on the device is encrypted and that the secure enclave or TEE is used for sensitive cryptographic operations related to payment processing.
When EUDI Wallets are used for Strong Customer Authentication (SCA) under PSD2, the interaction between PCI DSS and European payment regulations creates a layered compliance environment. The wallet provider must demonstrate that card data is never exposed in cleartext, that tokenization is used where possible, and that the device-level security meets the requirements of both PCI DSS and the eIDAS 2.0 trust framework.
Backend systems supporting EUDI Wallet payment features, including credential issuance platforms and verification services, must also maintain PCI DSS compliance. This extends to cloud infrastructure, APIs that transmit card-related data, and any logging or monitoring systems that might capture cardholder information.
Compliance Requirements and Validation
PCI DSS compliance is validated through different methods depending on the organization's transaction volume. The highest level, Level 1, requires an annual Report on Compliance (RoC) prepared by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). Smaller organizations may self-assess using standardized questionnaires.
For EUDI Wallet providers, achieving PCI DSS compliance involves demonstrating security across multiple domains: the mobile application itself, the backend infrastructure, network communications, and any third-party integrations. The wallet's use of hardware security features such as secure enclaves aligns well with PCI DSS requirements for cryptographic key protection, though specific implementation details must be validated by assessors.
Organizations must also implement continuous monitoring and incident response procedures. Any breach involving cardholder data must be reported to the relevant card brands and may trigger forensic investigations. This requirement aligns with GDPR's 72-hour breach notification obligation, creating a unified response framework for EUDI Wallet providers handling both identity and payment data.
Real-World Implementation Considerations
In practice, EUDI Wallet implementations that include payment functionality often use tokenization to minimize the scope of PCI DSS compliance. By replacing actual card numbers with unique tokens, the wallet reduces the amount of cardholder data it stores and processes, thereby limiting the systems that fall within PCI DSS scope.
Major payment networks already support tokenized mobile payments through services like Apple Pay and Google Pay. The EUDI Wallet can build upon these established patterns while adding the identity verification layer that eIDAS 2.0 requires. This combination creates a powerful framework where a single wallet can authenticate a user's identity and authorize a payment in a unified, standards-compliant flow.
European banks and payment service providers integrating with the EUDI Wallet must ensure their own PCI DSS compliance extends to the new wallet interfaces. This includes securing the APIs used for credential issuance, implementing proper session management for payment transactions, and conducting regular penetration testing of all wallet-related systems.