Does PCI DSS Apply to All Payment Cards?

Understanding the scope of payment instruments covered by PCI DSS helps organizations properly implement controls for all applicable transactions and data.

Payment Cards Covered by PCI DSS

PCI DSS applies to all payment cards from the participating brands, which include:

  1. Visa
  2. Mastercard
  3. American Express
  4. Discover
  5. JCB
  6. UnionPay

This coverage extends to various card types and transaction methods:

| Card Type | Covered by PCI DSS? | Notes |
|---|---|---|
| Credit Cards | Yes | All participating brands |
| Debit Cards | Yes | Including PIN and signature-based transactions |
| Prepaid Cards | Yes | Including gift cards branded by participating networks |
| E-purse Cards | Yes | Electronic stored value cards |
| ATM Cards | Yes | When used for payment transactions |
| POS Cards | Yes | Point-of-sale specific cards |

The standard applies regardless of whether transactions occur in-person, online, or via mobile devices.

Special Considerations for Debit Cards

Debit card transactions fall under PCI DSS scope, including:

  1. PIN-based debit transactions
  2. Signature-based debit transactions
  3. Online debit transactions

Organizations must implement appropriate controls for PIN pad devices, PIN encryption, and PIN transmission security. The requirements for debit transactions may include additional controls specific to PIN management beyond standard PCI DSS requirements.

Expired, Cancelled, or Invalid Card Numbers

PCI DSS protections extend to "hot cards," expired, cancelled, or invalid payment account numbers. Even though these cards may not be active for transactions, the associated account data still requires protection under PCI DSS if stored, processed, or transmitted within the organization's environment.

This comprehensive protection ensures that all payment card data, regardless of its current status or transaction capability, remains secure throughout its lifecycle within the organization.
