
Payment Security Authority Guide

What is PCI DSS? Complete Guide to Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is the global security framework that every business accepting card payments must follow. Understanding PCI compliance is not optional — it is the foundation of trustworthy, secure commerce.

Introduction to the PCI Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive framework of technical and operational requirements designed to protect payment account data. Developed jointly by the five major card brands — Visa, Mastercard, American Express, Discover, and JCB — PCI DSS is administered by the PCI Security Standards Council (PCI SSC), an independent body founded in 2006.

Before PCI DSS existed, each card brand maintained its own security programme. That fragmented landscape created confusion and inconsistency. The unified PCI DSS framework replaced those siloed programmes, establishing a single, consistent set of payment security standards applicable to every entity that stores, processes, or transmits cardholder data.

Today, compliance with the PCI DSS data security standard is a contractual obligation for any business that accepts card payments — from Fortune 500 enterprises to solo eCommerce stores. The current version, PCI DSS v4.0, introduced more than 60 new controls and a stronger emphasis on continuous compliance.

Quick Facts

  • Established in 2004 by Visa, Mastercard, Amex, Discover & JCB
  • Governed by the PCI Security Standards Council since 2006
  • Current version: PCI DSS v4.0 (mandatory from April 2025)
  • Applies to all entities that store, process, or transmit cardholder data
  • Non-compliance can result in fines of $5,000–$100,000 per month
  • Twelve core requirements grouped into six control objectives

What Does PCI Mean in the Payment Card Industry?

PCI — Payment Card Industry — refers to the entire ecosystem of organisations involved in electronic card payments: card brands, issuing banks, acquiring banks, merchants, and technology providers. The term is often used interchangeably with the broader payments sector.

Within this ecosystem, the PCI SSC acts as the standards body, publishing and maintaining the payment card industry PCI data security standard. It does not enforce the standard directly; enforcement is carried out by the individual card brands and acquiring banks through contractual obligations with merchants and service providers.

Card Brands

Visa, Mastercard, Amex, Discover, and JCB set the contractual compliance requirements and enforce penalties.

PCI SSC

The independent council that authors, publishes, and updates the payment card industry PCI security standards and related resources.

QSAs & ASVs

Qualified Security Assessors and Approved Scanning Vendors are certified organisations that validate compliance on behalf of merchants and service providers.

The 12 PCI Requirements Explained

PCI DSS organises its controls into twelve requirements grouped under six objectives. Together, these define what it means to protect cardholder data in practice.

Requirements 1–2: Build & Maintain a Secure Network

Install and maintain firewalls to protect cardholder data. Avoid vendor-supplied defaults for system passwords and other security parameters.

Requirements 3–4: Protect Cardholder Data

Protect stored cardholder data using strong encryption. Encrypt transmission of cardholder data across open, public networks using TLS.

Requirements 5–6: Maintain a Vulnerability Management Program

Use and regularly update anti-virus software. Develop and maintain secure systems and applications through patch management.

Requirements 7–9: Implement Strong Access Control Measures

Restrict access to system components to only those individuals whose job requires it. Implement physical access controls for cardholder data environments.

Requirements 10–11: Regularly Monitor & Test Networks

Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes through vulnerability scans and penetration tests.

Requirement 12: Maintain an Information Security Policy

Maintain a policy that addresses information security for all personnel. Conduct annual security awareness training and a formal risk assessment process.
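Requirement 3 says "protect stored cardholder data using strong encryption" without showing what that looks like in application code. The following is an added example, not code from the guide or from NScope Advantage: it stores a primary account number (PAN) only as AES-256-GCM ciphertext plus a display mask that keeps the last four digits, validates the PAN with the Luhn check before accepting it, and binds the mask to the ciphertext as GCM additional data so a tampered record fails to decrypt. The 32-byte key is generated in-process purely for the demo; in a real deployment it would come from a key-management service or HSM under its own access controls, and the CVV/security code would never be stored at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the only form in which the application persists a card
// number: never the clear-text PAN, and never sensitive authentication
// data such as the CVV (which PCI DSS forbids storing after authorisation).
type StoredCard struct {
	Masked     string // e.g. "************1111", safe to show on receipts
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the PAN
}

// LuhnValid reports whether a digit string passes the Luhn check-digit test
// that all card brands use. It rejects non-digits and implausible lengths.
func LuhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps only the last four digits for display; everything else is
// replaced so the masked form cannot be used to reconstruct the PAN.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ProtectPAN validates the PAN and returns the record to persist.
func ProtectPAN(key []byte, pan string) (StoredCard, error) {
	if !LuhnValid(pan) {
		return StoredCard{}, errors.New("invalid PAN")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	masked := MaskPAN(pan)
	// The mask is passed as additional authenticated data, so swapping the
	// displayed digits on a stored record makes decryption fail.
	ct := gcm.Seal(nonce, nonce, []byte(pan), []byte(masked))
	return StoredCard{Masked: masked, Ciphertext: ct}, nil
}

// RevealPAN decrypts a record; only the few roles that need the full PAN
// (e.g. refunds) should be able to call it.
func RevealPAN(key []byte, card StoredCard) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(card.Ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := card.Ciphertext[:ns], card.Ciphertext[ns:]
	pt, err := gcm.Open(nil, nonce, ct, []byte(card.Masked))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo key only; use a KMS/HSM in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	card, err := ProtectPAN(key, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println("stored mask:", card.Masked)
	pan, err := RevealPAN(key, card)
	fmt.Println("decrypted:", pan, err)
}
```

Run it with `go run main.go`; the clear-text PAN exists only transiently in memory, and what reaches the database is the mask and the ciphertext. The same structure is what an assessor looks for under Requirement 3: a documented key source, a short list of roles that can call the decrypt path, and nothing in logs or backups that holds the full number.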

PCI DSS Compliance Levels

PCI DSS Level 1 represents the highest tier of scrutiny, reserved for the world's largest transaction processors. Knowing which level applies to your business determines the validation requirements you must meet.

Level 1

Over 6 million transactions/year

Requirement: Annual on-site PCI DSS audit by a QSA + quarterly network scan

Examples: Large merchants, payment processors, major eCommerce platforms

Level 2

1–6 million transactions/year

Requirement: Annual Self-Assessment Questionnaire (SAQ) + quarterly network scan

Examples: Mid-size retailers, regional SaaS platforms

Level 3

20,000–1 million eCommerce transactions/year

Requirement: Annual SAQ + quarterly network scan

Examples: Small-to-mid eCommerce merchants

Level 4

Under 20,000 eCommerce OR up to 1 million other transactions/year

Requirement: Annual SAQ recommended + quarterly network scan recommended

Examples: Small businesses, local retailers, micro-SaaS

PCI Accreditation & Certification

PCI accreditation is the formal process by which a merchant or service provider demonstrates its adherence to the PCI DSS. It is important to understand the distinction between compliance and certification:

  • PCI Compliance is an ongoing operational state in which all 12 PCI data security standard requirements are continuously met.
  • PCI Certification (formally, a Report on Compliance or Attestation of Compliance) is the periodic, documented validation of that compliance — typically annual.

A Qualified Security Assessor (QSA) is the certification body in the PCI ecosystem. QSAs are companies whose employees are individually certified by the PCI SSC to conduct on-site PCI DSS assessments. For Level 1 merchants, engagement with a QSA is mandatory.

Accreditation Pathway

  1. Scope Definition: Identify all systems that store, process, or transmit cardholder data and reduce scope where possible through segmentation.
  2. Gap Analysis: Assess your current controls against all 12 PCI requirements to identify deficiencies.
  3. Remediation: Implement the technical and procedural controls necessary to close identified gaps.
  4. Validation: Complete your SAQ or engage a QSA for an on-site audit, and perform quarterly vulnerability scans.
  5. Attestation: Submit your Attestation of Compliance (AOC) or Report on Compliance (ROC) to your acquirer.

Who Needs PCI DSS Compliance?

All PCI DSS companies — from global processors to single-location shops — must comply if they touch cardholder data. Below are the primary business categories affected by payment card industry PCI compliance.

eCommerce Merchants

Any online store that accepts card payments — regardless of transaction volume — must adhere to PCI DSS.

SaaS Platforms

SaaS providers that bill customers via credit card or store payment tokens fall squarely under PCI DSS obligations.

Payment Processors

Companies that route, authorise, or settle card transactions are core PCI DSS companies and face the strictest Level 1 scrutiny.

Retail & POS Businesses

Brick-and-mortar stores with card-present transactions must secure their POS environments under PCI and DSS requirements.

Healthcare & Subscription Businesses

Healthcare providers collecting co-pays and subscription businesses storing recurring billing data both handle cardholder data and must comply.

Financial Services & Fintech

Banks, credit unions, and fintech startups operating within the payment ecosystem must meet the highest payment security standards.

Payment Security Standards: The Broader Landscape

PCI DSS does not operate in isolation. It exists within a broader ecosystem of payment security standards and cybersecurity frameworks. Understanding how they interconnect helps organisations build a holistic security programme rather than treating PCI as a checkbox exercise.

The evolution of payment security standards mirrors the evolution of payment technology itself. As chip-and-pin replaced magnetic stripes, and as eCommerce and mobile payments expanded the attack surface, PCI DSS evolved — from its original 2004 release through v1.x, v2.0, v3.x, and now the sweeping changes in PCI DSS v4.0.

Standard | Scope | Relationship to PCI DSS
PCI DSS v4.0 | Cardholder data security (merchants, processors, service providers) | Primary
PCI PIN | Security of PIN entry devices (ATMs, POS terminals) | Complementary
PA-DSS / PA-DSS 3.x | Payment application security (superseded by S3 in v4.0) | Integrated
ISO 27001 | Broad information security management systems | Overlapping
SOC 2 Type II | Service organisation controls (trust principles) | Co-exists
GDPR / CCPA | Data privacy regulations (partially overlapping scope) | Adjacent

Benefits of PCI Compliance

Beyond avoiding fines, PCI data security compliance creates measurable business value.

Customer Trust

Demonstrating PCI accreditation signals to customers that their payment data is handled with the highest security standards.

Reduced Fraud Risk

Implementing the 12 PCI requirements dramatically reduces the attack surface available to cybercriminals targeting cardholder data.

Legal & Contractual Protection

Compliance helps shield your business from card-brand fines and provides evidence of due diligence in the event of a breach.

Business Credibility

Enterprises, payment processors, and acquiring banks increasingly require PCI DSS certification before onboarding new vendors or partners.

Common PCI Compliance Misconceptions

These myths cost businesses thousands in fines and remediation costs. Get the facts on payment card industry PCI security standards.

MYTH

"Small businesses don't need PCI compliance."

FACT

Any business that accepts, processes, transmits, or stores cardholder data — regardless of size — is required to comply with PCI DSS. Even a Level 4 micro-merchant is subject to payment card industry PCI compliance obligations.

MYTH

"Using Stripe or PayPal means I'm automatically compliant."

FACT

Third-party payment providers reduce your compliance scope, but they do not eliminate it. Your website code, hosting environment, and employee practices must still meet PCI data security requirements.

MYTH

"PCI compliance is a one-time project."

FACT

PCI DSS compliance is a continuous programme. Requirements change (PCI DSS v4.0 introduced over 60 new controls), environments evolve, and annual validation is mandatory. Compliance must be maintained year-round.

Frequently Asked Questions

Common questions about the payment card industry data security standard PCI DSS.

What does PCI DSS stand for?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a global set of security requirements established by the PCI Security Standards Council to protect cardholder data.

Is PCI DSS compliance legally required?

PCI DSS is not a law, but it is contractually required by card brands (Visa, Mastercard, Amex) and acquiring banks. Non-compliance can result in fines, increased transaction fees, or the loss of the ability to process card payments.

How often must I validate PCI compliance?

PCI compliance validation is typically annual, but certain requirements — such as quarterly vulnerability scans — must be performed more frequently. Compliance is an ongoing process, not a one-time event.

What is a QSA?

A Qualified Security Assessor (QSA) is an individual or company certified by the PCI SSC to conduct PCI DSS assessments. Level 1 merchants and service providers are generally required to work with a QSA.

Does using Stripe or PayPal make me PCI compliant?

Not automatically. While Stripe and PayPal handle portions of card processing securely, your own systems, integrations, and business practices must also meet PCI DSS requirements. Using these providers can reduce your scope but does not eliminate it.

What is the difference between PCI DSS Level 1 and Level 4?

Levels reflect transaction volume and assessment rigour. Level 1 applies to the highest-volume merchants and requires a mandatory on-site audit by a QSA. Level 4 applies to the smallest merchants and typically requires only a self-assessment questionnaire.

Ready to Achieve PCI DSS Compliance?

Whether you are starting your compliance journey or preparing for a Level 1 audit, our experts are ready to guide you through every requirement of PCI DSS.