What Is PCI DSS? A Complete Guide to Payment Card Security
Quick Answer
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created by major card brands (Visa, Mastercard, Amex, Discover, JCB) to protect cardholder data. Any organization that accepts, processes, stores, or transmits credit card information must comply.
What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. Version 1.0 was released in December 2004, when the five major card brands (Visa, Mastercard, American Express, Discover and JCB) aligned their separate data-security programs into a single standard. In 2006 the brands formed the PCI Security Standards Council (PCI SSC), which has maintained and published the standard ever since.
The standard exists for one reason: to reduce credit card fraud by ensuring that every organization handling cardholder data maintains a baseline level of security. If your business accepts card payments in any form — online, in-store, over the phone, or via mobile — PCI DSS applies to you.
Key Takeaways
- PCI DSS applies to every organization that accepts, processes, stores, or transmits cardholder data
- The current version is PCI DSS v4.0.1 (published June 2024; v4.0 was retired on December 31, 2024). The future-dated requirements introduced in v4.0 became mandatory on March 31, 2025
- Compliance is validated annually through either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC)
- Non-compliance can result in fines commonly cited at $5,000 to $100,000 per month, levied by the card brands on the acquiring bank and passed through to the merchant
- There are 12 core requirements organized into 6 goals covering network security, data protection, access controls, monitoring, and policy
Who Needs to Comply with PCI DSS?
A common misconception is that PCI DSS only applies to large retailers or payment processors. In reality, the standard applies to any entity that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD), or whose systems could affect the security of that data, regardless of size or transaction volume.
- Merchants (brick-and-mortar stores, e-commerce sites, restaurants, hotels)
- Payment processors and payment gateways
- Acquiring banks and issuing banks
- Service providers (hosting companies, managed security providers)
- SaaS companies that handle payment data on behalf of clients
- Any third party with access to cardholder data environments
❗ Even if you outsource payment processing
Using a third-party processor like Stripe or Square does not eliminate your PCI DSS obligations. It significantly reduces your scope, but the checkout page, the redirect or iframe integration, and any system that can alter what the customer's browser loads on that page remain your responsibility. You still must complete the appropriate SAQ and maintain compliance with the requirements it contains.
The 12 PCI DSS Requirements at a Glance
PCI DSS 4.0 organizes its controls into 12 requirements under 6 high-level goals. Here is a summary of each — for a deep dive, see our full breakdown of all 12 requirements.
| # | Requirement | Goal |
|---|---|---|
| 1 | Install and maintain network security controls | Build and Maintain a Secure Network |
| 2 | Apply secure configurations to all system components | Build and Maintain a Secure Network |
| 3 | Protect stored account data | Protect Account Data |
| 4 | Protect cardholder data with strong cryptography during transmission | Protect Account Data |
| 5 | Protect all systems and networks from malicious software | Maintain a Vulnerability Management Program |
| 6 | Develop and maintain secure systems and software | Maintain a Vulnerability Management Program |
| 7 | Restrict access to system components and cardholder data by business need-to-know | Implement Strong Access Control |
| 8 | Identify users and authenticate access to system components | Implement Strong Access Control |
| 9 | Restrict physical access to cardholder data | Implement Strong Access Control |
| 10 | Log and monitor all access to system components and cardholder data | Regularly Monitor and Test Networks |
| 11 | Test security of systems and networks regularly | Regularly Monitor and Test Networks |
| 12 | Support information security with organizational policies and programs | Maintain an Information Security Policy |
PCI DSS Compliance Levels
Card brands assign merchants to one of four compliance levels based on annual transaction volume; higher levels require more rigorous validation. Service providers are ranked separately (two levels, based on the number of transactions they handle on behalf of merchants). Each card brand defines its thresholds slightly differently; the figures below follow Visa's merchant program and are the ones most commonly quoted:
| Level | Annual Transactions | Validation Required |
|---|---|---|
| Level 1 | Over 6 million | Annual ROC by a QSA (or a certified Internal Security Assessor) + quarterly ASV scans |
| Level 2 | 1 to 6 million | Annual SAQ + quarterly ASV scans |
| Level 3 | 20,000 to 1 million (e-commerce) | Annual SAQ + quarterly ASV scans |
| Level 4 | Under 20,000 (e-commerce) or under 1 million (other) | Annual SAQ + quarterly ASV scans (recommended) |
Whether quarterly ASV scans are actually required depends on which SAQ applies: they cover externally facing in-scope systems, so a merchant with none of those in scope may not need them. Your acquiring bank has the final say on how you validate. For details on what each level means for your organization, see our PCI DSS Compliance Levels guide.
How PCI DSS Compliance Works
The PCI DSS Compliance Process
Determine your scope
Identify every system, process, and person that touches cardholder data. This includes your cardholder data environment (CDE), systems connected to it, systems that could impact the security of the CDE (for example, authentication servers, logging infrastructure, or administrative jump hosts), and any third parties with access. A data-flow diagram and a PAN discovery scan are the usual starting points; anything you cannot prove is out of scope is in scope.
Assess your current state
Perform a gap analysis against the 12 PCI DSS requirements. Many organizations use automated tools or consultants for this initial assessment.
Remediate gaps
Fix identified gaps — this may involve implementing new security controls, updating configurations, encrypting stored data, or deploying monitoring solutions.
Complete validation
Depending on your level, complete a Self-Assessment Questionnaire (SAQ) or undergo a full assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC).
Submit compliance documentation
Submit your AOC (Attestation of Compliance) and SAQ or ROC to your acquiring bank and applicable card brands.
Maintain compliance year-round
PCI DSS is not a one-time event. You must continuously maintain controls, perform quarterly vulnerability scans, and conduct annual re-assessments.
PCI DSS 4.x: The Current Version
PCI DSS 4.0 was released in March 2022 and became the sole active standard on March 31, 2024, when version 3.2.1 was retired. A limited revision, v4.0.1, was published in June 2024 to correct errata and clarify guidance without adding or removing requirements; v4.0 itself was retired on December 31, 2024. The new requirements that v4.0 marked as future-dated best practices became mandatory on March 31, 2025.
- 64 new requirements added in PCI DSS 4.0 beyond what 3.2.1 required
- 13 of those took effect immediately for all v4.0 assessments; the remaining 51 were future-dated and became mandatory on March 31, 2025
- Roughly 400 individual testing procedures across the 12 requirements
- 2 validation approaches: the defined approach (prescriptive controls and testing procedures) and the customized approach (outcome-based)
One of the biggest changes in 4.0 is the introduction of the customized approach, which lets organizations meet a requirement's stated security objective through alternative controls rather than following the prescriptive ones. It is not a shortcut: each customized control needs a documented targeted risk analysis and a controls matrix, the assessor must write bespoke testing procedures for it, and the option is only available in a QSA-led assessment (ROC), not to entities validating through an SAQ. Compensating controls, the older mechanism for a constraint you cannot meet directly, still exist under the defined approach. Read more in our PCI DSS 4.0 changes guide.
Consequences of Non-Compliance
PCI DSS is not a law, but it is enforced through contractual obligations between merchants, acquiring banks, and card networks. Non-compliance carries significant financial and operational consequences.
- Monthly fines, commonly cited at $5,000 to $100,000, assessed until compliance is achieved
- Increased transaction fees and higher processing rates
- Liability for fraud losses in the event of a data breach
- Potential loss of the ability to accept card payments entirely
- Brand and reputation damage from a publicized breach
- Forensic investigation costs (typically $20,000 to $100,000+) after a breach
- Regulatory penalties if the breach involves personal data (overlapping with GDPR, state breach laws)
⚠️ The real cost of a breach
IBM's Cost of a Data Breach Report puts the global average cost of a data breach at roughly $4.5 million (2023 edition, across all data types) once detection, notification, remediation, and lost business are counted. A payment card breach adds costs that figure does not include: card-brand assessments, a mandated PCI Forensic Investigator (PFI) engagement, and reissuance costs passed back through the acquirer. The gaps behind non-compliance (unpatched systems, shared accounts, missing logging) are exactly what attackers exploit, and being found non-compliant at the time of a breach increases your liability for the resulting losses.
PCI DSS vs Other Compliance Frameworks
PCI DSS vs SOC 2
| Feature | PCI DSS | SOC 2 |
|---|---|---|
| Focus | Payment card data security | General data security and availability |
| Mandatory? | Yes (contractually), for any entity handling card data | No, but often required by customers |
| Certification | SAQ or ROC with AOC | SOC 2 Type I or Type II report |
| Controls | ~400 prescriptive test procedures | Flexible trust service criteria |
| Scope | Cardholder data environment plus connected and security-impacting systems | Entire service organization or defined system |
For a detailed comparison, see our article on PCI DSS vs SOC 2.
Getting Started with PCI DSS Compliance
PCI DSS Compliance Readiness Checklist
- Identify all locations where cardholder data is stored, processed, or transmitted
- Create a data flow diagram showing how card data moves through your organization
- Determine your merchant level based on annual transaction volume
- Identify which SAQ type applies to your payment acceptance method
- Assess whether scope reduction (tokenization, P2PE) can simplify compliance
- Evaluate whether you need a QSA or can self-assess
- Perform an initial gap analysis against PCI DSS 4.0 requirements
- Develop a remediation plan with timelines and budget
- Select an Approved Scanning Vendor (ASV) for quarterly scans
- Establish ongoing compliance maintenance processes
Is PCI DSS a law?
No, PCI DSS is not a government law or regulation. It is a contractual requirement enforced by the card brands (Visa, Mastercard, etc.) through acquiring banks. However, some US states have incorporated PCI DSS into their data breach laws, and non-compliance can increase legal liability.
How often does PCI DSS compliance need to be renewed?
PCI DSS compliance must be validated annually through an SAQ or ROC. In addition, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required wherever externally facing systems are in scope, and quarterly internal scans are required for the CDE. Compliance is an ongoing process, not a one-time certification.
Does using a payment processor like Stripe make me PCI compliant?
Using a processor like Stripe significantly reduces your PCI DSS scope but does not eliminate your compliance obligations. You still need to complete the appropriate SAQ and ensure your integration follows secure practices. For e-commerce this is typically SAQ A, where the payment page is fully outsourced (a redirect or an iframe served by the processor), or SAQ A-EP, where your own website controls or delivers the page that collects the card details.
What is the difference between PCI DSS and PA-DSS?
PCI DSS applies to organizations handling cardholder data, while PA-DSS (Payment Application Data Security Standard) applied to software vendors building payment applications. PA-DSS was retired in October 2022 and replaced by the PCI Software Security Framework (SSF).
How much does PCI DSS compliance cost?
Costs vary enormously by organization size and complexity, and the following are rough ranges only. Small merchants completing an SAQ may spend $1,000 to $5,000 annually. Mid-size companies typically spend $50,000 to $200,000. Large Level 1 merchants can spend $500,000+ including QSA assessments, remediation, tools, and ongoing maintenance.