Jun 2026

PCI DSS and AI Governance


Is Generative AI Compliant with PCI DSS?

Under the Payment Card Industry Data Security Standard (PCI DSS), organizations that store, process, or transmit payment card information are expected to implement controls that protect cardholder data and reduce the risk of unauthorized access.

The use of generative AI systems introduces additional considerations when payment card information is included in prompts, documents, support tickets, or other AI workflows.

Depending on how AI systems are used and configured, cardholder data may be processed by third-party providers, creating additional security and governance considerations.

This matters because:

  • payment card information may be shared with external AI providers
  • prompts may contain cardholder data
  • PCI DSS expects organizations to protect cardholder data wherever it is stored, processed, or transmitted

What PCI DSS Covers

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard developed by the Payment Card Industry Security Standards Council.

PCI DSS applies to organizations and environments that store, process, or transmit cardholder data.

The standard is designed to reduce the risk of payment card fraud and unauthorized disclosure of cardholder data.

PCI DSS includes requirements related to:

  • access control
  • encryption
  • monitoring and logging
  • vulnerability management
  • security testing
  • protection of cardholder data

Key Terms (Simplified)

Cardholder Data (CHD)

Cardholder Data (CHD) includes the Primary Account Number (PAN) and, where present, may also include:

  • cardholder name
  • expiration date
  • service code


Sensitive Authentication Data (SAD)

Sensitive Authentication Data includes information such as:

  • card verification codes (CVV/CVC)
  • PINs
  • PIN blocks
  • full magnetic stripe data

PCI DSS places particularly strict restrictions on the storage and handling of this information.

Cardholder Data Environment (CDE)

The Cardholder Data Environment (CDE) consists of the people, processes, and technologies that store, process, or transmit cardholder data, together with any system connected to them.

Responsibilities of Organizations

Organizations subject to PCI DSS are generally responsible for:

  • protecting cardholder data
  • restricting access to payment information
  • maintaining secure systems
  • monitoring access and activity
  • implementing appropriate security controls

These responsibilities continue to apply when AI systems are introduced into workflows.

Why Generative AI Changes Risk

Generative AI systems introduce additional considerations in how payment card information is handled:

  • cardholder data may be included in prompts
  • support tickets may contain payment information
  • payment-related records may be processed through AI systems
  • visibility into downstream handling may vary

Introducing AI systems into workflows that handle payment information may increase the number of systems, users, or processes that interact with cardholder data, creating additional governance and security considerations.

These factors can increase the complexity of maintaining security controls around payment data.

Where AI Interacts with PCI DSS Requirements

Protection of Cardholder Data

Organizations must maintain controls designed to protect cardholder data.

Access Control

Only authorized individuals should have access to payment information.

Monitoring and Logging

Organizations are expected to maintain visibility into how systems containing payment information are used.

Third-Party Service Providers

Organizations remain responsible for understanding and managing their PCI DSS obligations, including requirements that third-party service providers perform on their behalf.

This includes understanding how cardholder data is handled, maintaining appropriate oversight, and ensuring security responsibilities are clearly defined and managed.

What Teams Actually Do (and Where Risk Starts)

In practice, payment-related information may enter AI workflows through:

  • customer support tickets
  • payment dispute reviews
  • fraud investigations
  • transaction analysis
  • customer communications

These workflows are often intended to improve efficiency. However, employees may not always recognize when cardholder data is being shared with systems that are outside established payment-processing environments.

As a result:

  • payment information may be shared without appropriate review
  • visibility into data flows may be limited
  • existing controls may not extend to AI usage
  • governance teams may have limited awareness of how AI is being used

Risk Assessment and Generative AI

Organizations subject to PCI DSS commonly assess risks associated with systems that interact with payment information.

Generative AI may require additional evaluation where:

  • cardholder data is included in prompts
  • third-party AI providers are involved
  • new workflows introduce access to payment information
  • existing controls do not account for AI usage

Risk assessments help organizations determine whether existing controls remain appropriate as AI systems are introduced.

Why AI Usage Becomes Difficult to Govern

Individually, these risks may appear manageable.

In combination, organizations may face situations where:

  • payment information moves across multiple systems
  • visibility into handling is limited
  • AI usage occurs outside established controls
  • governance teams cannot easily determine where cardholder data is being shared

This can make oversight more difficult.

The Core Problem: Prompts May Contain Cardholder Data

When payment information is included in prompts, it may involve:

  • transmission to external systems
  • processing by third-party providers
  • movement of cardholder data outside traditional payment workflows

Without appropriate controls, these interactions may create security and governance challenges.

How AI Governance Supports PCI DSS Alignment

Organizations may implement controls that operate before and during AI usage.

Examples include:

  • detection of payment card information
  • redaction of cardholder data
  • enforcement of AI usage policies
  • visibility into AI interactions
  • support for DLP and monitoring programs

Organizations often reduce risk by removing, masking, truncating, tokenizing, or otherwise limiting exposure of payment card information before it is processed by AI systems.

These approaches can also help reduce the number of systems that handle cardholder data and limit PCI DSS scope.

These measures can help organizations manage AI-related risks more consistently.
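A minimal prompt pre-processing filter of the kind described above, written here as an added example (it is not Wald's code and not part of the original post): it finds Luhn-valid card numbers in free text, masks them to the first six and last four digits or removes them, and strips labelled CVV/CVC values outright because Sensitive Authentication Data may not be retained at all. The card number in the sample input is a constructed, well-known test PAN.

```python
import re

# Added illustration of a prompt pre-processing filter; not Wald's product code.
# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive Authentication Data that must never be stored: a labelled CVV/CVC value.
SAD_CANDIDATE = re.compile(r"\b(?:CVV2?|CVC|CID)\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (the most PCI DSS allows
    for display); everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_prompt(text: str, mode: str = "mask") -> tuple[str, dict]:
    """Sanitise a prompt before it leaves the organisation.

    mode="mask"   keeps BIN and last four (enough for a dispute review);
    mode="remove" drops the PAN entirely. Labelled CVV/CVC values are always
    removed, since SAD may not be retained anywhere. Returns the cleaned text
    and how many PANs and SAD values were replaced."""
    counts = {"pan": 0, "sad": 0}

    def _sad(_m: re.Match) -> str:
        counts["sad"] += 1
        return "[SAD REMOVED]"

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # e.g. an order id; leave non-card digits alone
        counts["pan"] += 1
        return mask_pan(digits) if mode == "mask" else "[PAN REMOVED]"

    text = SAD_CANDIDATE.sub(_sad, text)
    return PAN_CANDIDATE.sub(_pan, text), counts
```

The greedy candidate pattern can fuse a PAN with an adjacent digit group that is separated only by a space; a production filter would also try shorter lengths at each position and should log every replacement for the monitoring programme.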

Where Wald.ai Fits

Wald provides controls that can be used to manage payment-related information in generative AI workflows.

This includes:

  • detection of cardholder data
  • redaction before information is sent to AI systems
  • policy enforcement across users and teams
  • visibility into AI interactions
  • support for enterprise DLP and AI governance initiatives

These capabilities can support organizations seeking greater control over AI usage involving payment information.

FAQs

Is generative AI compliant with PCI DSS?

PCI DSS does not prohibit the use of generative AI. Organizations remain responsible for determining whether cardholder data is involved and ensuring that applicable PCI DSS requirements continue to be met when AI systems are introduced into workflows.

Does PCI DSS prohibit AI?

No. PCI DSS does not prohibit AI technologies. Organizations remain responsible for protecting payment card information and maintaining applicable PCI DSS controls.

What is cardholder data?

Cardholder Data (CHD) includes the Primary Account Number (PAN) and, where present, may also include the cardholder name, expiration date, and service code.

Can payment card information be entered into AI systems?

Organizations should carefully evaluate whether cardholder data is necessary for the intended purpose and whether appropriate controls, safeguards, and governance measures are in place before sharing payment information with AI systems.

Why is AI governance important for PCI DSS?

AI governance helps organizations maintain visibility, apply controls consistently, and reduce the risk of inappropriate handling of payment information.
