Regulation
PCI DSS
The Payment Card Industry Data Security Standard, the scheme-mandated framework for handling cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally mandated framework established by the major card schemes, Visa, Mastercard, American Express, Discover, and JCB, to secure cardholder data environments. It applies to any entity that stores, processes, or transmits primary account numbers (PAN), requiring adherence to twelve core technical and operational requirements spanning network security, access controls, and encryption. Compliance levels are determined by annual transaction volume, ranging from Level 4 for small merchants to Level 1 for those processing over 6 million transactions. Most merchants aim to reduce their compliance burden through scope reduction techniques, such as using hosted payment pages or iframe integrations provided by an acquirer or PSP. This ensure that sensitive data stays off the merchant's infrastructure, typically allowing them to validate security via a simplified Self-Assessment Questionnaire (SAQ) rather than a full Quality Security Assessor (QSA) audit.
Frequently asked
What are the consequences of non-compliance with PCI DSS?
Failure to maintain compliance can result in substantial monthly fines from the card schemes, often passed down through the acquirer. In the event of a data breach, non-compliant entities may face increased transaction fees, legal liabilities, and the potential revocation of their merchant account (MID).
How does version 4.0 change the compliance landscape for merchants?
PCI DSS v4.0 introduces more stringent requirements around multi-factor authentication (MFA) and more frequent testing of security controls. It also shifts toward a risk-based approach, allowing organisations more flexibility in how they demonstrate they have met specific security objectives through a customised validation approach.
Related terms
Ready for velocity?
Tell us about your business. We'll match you with the right acquiring partners and the right route, typically inside a week.
