Payment card information

Payment card information (PCI) is sensitive cardholder data, such as credit or debit card numbers, that organizations must protect under legal requirements. In AP Cybersecurity Unit 5, that classification drives the type and degree of security controls applied to the data.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is payment card information?

Payment card information (PCI) is the data tied to someone's credit or debit card. Think card number, expiration date, security code, and cardholder name. Because this data can be used for fraud, laws and industry rules require organizations that collect, store, process, or transmit it to apply specific security controls.

In AP Cybersecurity terms, PCI is a classified data type. Its classification is what determines how heavily you have to protect it. This connects directly to EK 5.2.A.1: organizations implement specific security controls to comply with legal requirements based on the types of data they collect. PCI isn't just any data. It's a category that legally forces stronger encryption, tighter access control, and careful handling whether the data is at rest (sitting on a drive) or in transit (moving between devices).

Why payment card information matters in AP Cybersecurity

PCI lives in Unit 5: Securing Applications and Data, specifically topic 5.2. It's the textbook example for learning objective AP Cybersecurity 5.2.A: explaining how the classification of data impacts the type and degree of security applied to it. The whole point is cause and effect. You classify the data as PCI, and that classification triggers legal and managerial requirements (EK 5.2.A.1). It also pairs with data-state thinking from EK 5.2.A.2, since PCI traveling to a payment processor is data in transit that needs encryption to protect it on the wire.

How payment card information connects across the course

Data in Transit and Encryption (Unit 5)

When a company sends card numbers to a payment processor over the internet, that's PCI as data in transit. The fix from EK 5.2.A.2 is encryption, so even if an attacker intercepts the traffic, they can't read the card data.

Protected Health Information (Unit 5)

PHI and PCI are siblings. Both are regulated data types where the classification itself forces stronger controls. PHI is medical data protected under healthcare privacy laws; PCI is card data protected under payment rules. Same logic, different category.

Data Loss Prevention (DLP) (Unit 5)

DLP tools scan for sensitive data leaving an organization, and PCI is exactly what they hunt for. If an employee tries to email a spreadsheet full of card numbers, DLP is the managerial control that catches it.
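The kind of check a DLP scan runs on an outbound attachment is sketched below as an added example, not code from this page or from any DLP product. It assumes the Luhn checksum (the standard card-number check digit, which this page does not cover) to separate card numbers from other long digit strings; the function names and the sample attachment, built from publicly documented test card numbers, are constructed for illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_outbound(text: str) -> list[dict]:
    """Return one finding per likely card number, masked to the last four digits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                # Record only a masked value so the DLP log does not become
                # another place where full card numbers are stored.
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append({"line": lineno, "masked": masked})
    return findings

def should_block(text: str, threshold: int = 1) -> bool:
    """Hypothetical policy: block the message once `threshold` card numbers appear."""
    return len(scan_outbound(text)) >= threshold

# Constructed sample: a CSV an employee might attach to an email.
# The 16-digit order_id fails the Luhn check, so it is not flagged.
SAMPLE_ATTACHMENT = """\
customer,card,order_id
A. Rivera,4111 1111 1111 1111,1234567812345678
B. Chen,5555-5555-5555-4444,20260614
"""

if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_ATTACHMENT):
        print(finding)
    print("block:", should_block(SAMPLE_ATTACHMENT))
```

The checksum step is what keeps order numbers, phone numbers and other long digit strings from flooding the scan with false positives.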

Role-Based Access Control (Unit 5)

RBAC from EK 5.2.C.2 limits who can touch PCI. Only roles that genuinely need card data get access to it, which shrinks the number of people who could leak or misuse it.

Is payment card information on the AP Cybersecurity exam?

PCI shows up in multiple-choice questions that ask you to recognize an example of payment card information (credit card numbers, not patient records). A common stem describes a company sending credit card data to a payment processor over the internet and asks which security measure best protects it during transmission. The answer hinges on knowing PCI is data in transit, so encryption is the move. Expect PCI to be paired against PHI in questions testing whether you can correctly classify data and match it to the right legal protection. No released FRQ has used this term verbatim, but it supports the kind of data-classification reasoning Unit 5 rewards.

Payment card information vs protected health information (PHI)

Both are regulated, sensitive data types, but the difference is what kind of data and which law. PCI is payment card data (card numbers, expiration dates) protected under payment industry rules. PHI is medical data (test results, doctor visit notes) protected under healthcare privacy laws. On the exam, match the example to the right category: a credit card number is PCI, a patient's lab results are PHI.

Key things to remember about payment card information

  • Payment card information (PCI) is cardholder data like credit or debit card numbers that organizations are legally required to protect.

  • PCI is a classified data type, and its classification determines the type and degree of security controls applied (AP Cybersecurity 5.2.A).

  • When PCI is sent to a payment processor over the internet, it's data in transit and should be encrypted.

  • PCI and PHI work the same way conceptually, but PCI is card data while PHI is medical data, so don't mix up the examples.

  • Access control models like RBAC limit who can reach PCI, reducing the chance of misuse or leaks.

Frequently asked questions about payment card information

What is payment card information (PCI) in AP Cybersecurity?

PCI is sensitive cardholder data, such as credit or debit card numbers, expiration dates, and security codes. In Unit 5 it's a classified data type whose classification forces organizations to apply specific legal and security controls (EK 5.2.A.1).

Is PCI the same as PHI?

No. PCI is payment card data protected under payment industry rules, while PHI is protected health information like test results protected under healthcare privacy laws. They follow the same security logic but cover completely different data.

How do you protect payment card information when sending it over the internet?

Encrypt it. Card data sent to a payment processor is data in transit, so encryption keeps it unreadable to anyone who intercepts the traffic (EK 5.2.A.2).

Why does PCI require stronger security than regular data?

Because its classification triggers legal requirements. Per EK 5.2.A.1, organizations must apply specific controls based on the types of data they handle, and card data carries fraud risk that demands tighter encryption and access control.

Is payment card information on the AP Cybersecurity exam?

Yes. Expect multiple-choice questions that ask you to identify an example of PCI or to choose the right protection for card data in transit. It often appears alongside PHI to test whether you can classify data correctly.
